Approval standards and guidelines: data protection registration
Updated 2 August 2024
© Crown copyright 2024
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/accessing-ukhsa-protected-data/approval-standards-and-guidelines-data-protection-registration
Approval standard: data protection registration
When must this standard be met
This standard must be met for all applications to access UKHSA data classified as ‘Protected’.
Standard
All applications must demonstrate that each named applicant and appointed data processor has met their obligations under the Data Protection (Charges and Information) Regulations 2018 (unless exempt) to maintain a valid ICO data protection fee payer’s registration. The details of each registration must be documented in the UKHSA data application form.
Guidelines
Data protection registration
The Data Protection (Charges and Information) Regulations 2018 require every UK-based organisation or sole trader that processes personal information to pay a data protection fee to the Information Commissioner’s Office (ICO).
The information provided to the ICO is published on a register.
All UK-based applicants, as well as the data processors they appoint, must have registered with the ICO and paid the applicable fee. The UKHSA data application form and its annexes must detail the registration information to be valid.