Approval standards and guidelines: onward sharing and sub-licensing
Updated 2 August 2024
When must this standard be met
This Standard must be met for all applications requesting to allow third parties (who are not party to the data sharing agreement between UK Health Security Agency (UKHSA) and the Applicant) to process UKHSA protected data through sub-licensing, such as when operating a research database. It does not include data that is effectively anonymised to the ISB1523: Anonymisation Standard for Publishing Health and Social Care Data and transformed to open data.
Standard
1. Where an application requests to sub-license UKHSA data, alone or in combination with other data under the controllership of the Applicant, the application must include the relevant access policies, standard operating procedures (SOPs) or effective business rules and a sub-licence or agreement template to:
- demonstrate that any sub-licensing could not be supported by UKHSA directly – for example, the data is enriched by linking it with data UKHSA does not hold
- demonstrate that sub-licensing will be in the public interest and is part of the project’s pathway to impact
- demonstrate how sub-licensing will be governed and the controls that will be put in place on any organisations that will process the data – this must include the assessment criteria that the Applicant will use in determining who to grant sub-licences to and for what purpose, what due diligence is undertaken, and the terms of reference and composition of membership of any approval group
- demonstrate that non-medical purposes such as marketing, sales or insurance will be prohibited
- demonstrate that effective due diligence will be undertaken to ensure that every organisation that will process protected data has in place appropriate technical and organisational measures to protect the data against any unlawful or unauthorised processing and any accidental loss, destruction or damage, to the same security requirements as set out in Approval standards and guidelines: data security
- demonstrate that the territory of processing will be the same or narrower than the territory permitted by the project’s data sharing contract with UKHSA – see Approval standards and guidelines: processing location
- demonstrate compliance with Approval standards and guidelines: lawful basis (UK GDPR) when sub-licensing personal data (where applicable), including processes for exercising data subject’s rights as set out in Article 13 to Article 22 of the UK GDPR, without undue delay
- demonstrate how the duty of confidentiality is addressed when sub-licensing confidential patient information – see Approval standards and guidelines: confidential patient information
- demonstrate there are procedures in place to terminate any sub-licence in the event of termination or expiry of the contract between UKHSA and the Applicant
2. The provisions (terms) within any sub-licence must:
- be consistent with the terms that the Applicant will enter into with UKHSA
- restrict any further sub-licensing of UKHSA protected data, alone or in combination with other data, by any third party
3. The application must describe how uses of the data, supported through sub-licensing, will be communicated to the public in an open and transparent way. It is recommended that this takes the form of a release or approvals register that details the purpose of any onward sharing and names the organisation that is party to any sub-licence. It is expected that transparency is included in the project’s pathway to impact.
Guidelines
Sub-licensing is defined as a process in which rights of use and/or permission to use the licensed content are granted to a person, company or third party that is not the primary holder of such rights.
Sub-licensing UKHSA data
Unless UKHSA has given its permission, any data, or the licence to process it, provided by UKHSA on approval of a data application cannot be assigned, transferred or subcontracted to another organisation or person. This means that when organisations wish to share the data they receive from UKHSA with any other organisation, UKHSA must provide its consent. Consent from UKHSA is not required for data rendered anonymous to ISB1523: Anonymisation Standard for Publishing Health and Social Care Data and effectively transformed to be open data.
UKHSA accepts that there are specific circumstances where it is in the public interest for an applicant to sub-licence UKHSA data, for example where data is being processed with the specific aim of facilitating a research database for ethically approved medical research (see the Approval standards and guidelines: ethical assessment).
The intention to and impact of sub-licensing the data must be unambiguously described in the scientific protocol, data flow diagram and as prompted in the data application form.
Alongside a description of how sub-licensing will be managed, the application must also detail how value is added to the data by the applicant prior to sub-licensing. UKHSA will not support requests to sub-licence where the data can be supplied by UKHSA directly.
The application must be accompanied by relevant access policies, SOPs or effective business rules descriptive of:
- the data management plan
- the access and assessment process, including risk assessment and criteria that will be used to determine the acceptability of the processing, users and settings the data will be processed within
- the contractual controls that will be used
- the communication processes that will be used to demonstrate the uses of the data to the public (such as a data uses register)
The application must also be accompanied by a blank copy of the sub-licence (a model contractual agreement) that will be put in place with any third party.
Together, these documents must explain the assessment criteria that the Applicant will use in determining who to grant sub-licences to and for what purpose, what due diligence is undertaken (including making sure the data will be processed in safe settings), and the terms of reference and composition of membership of any approval group.
It is important to also note that applications to onwardly share personal data must demonstrate the data will be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’ – see Approval standards and guidelines: lawful processing (UK GDPR)). Due regard should be given to ensuring that onward sharing is compatible with the lawful basis held for processing the data (refer to Article 6 and, if applicable, Article 9 of the UK GDPR) and any processes in place effectively uphold the rights of the individual (refer to Article 12 to Article 23 of the UK GDPR), including the right to object (Article 21).
Transparency
Fairness and transparency are fundamental when sharing data under the UK GDPR, and they are closely linked. It is expected that when UKHSA consents to sub-licensing arrangements of protected data, there are mechanisms in place to inform the public about how their data will be processed, in a way that is accessible and easy to understand.
UKHSA does not prescribe the exact format or mode of any communications that are used to communicate the sub-licence arrangements being entered into but recommends, at a minimum, a public register of information about the type of data to be shared, the purpose, date of approval, and name of the sub-licensee.
A description of the approach to communicating who a sub-licence is entered into with, and for what purpose, should be framed in the project’s pathway to impact, alongside justification for onward sharing of the data.
Auditing
UKHSA will require the ability to audit the sub-licence arrangements that are entered into to ensure users of UKHSA data abide by the terms and conditions of their licence and the processing is compliant with the obligations entered into through the Data Sharing Contract.
Data processors
It is important to note that ‘sub-licensing’ and ‘sub-processing’ are not the same.
Sub-processing is when a person or organisation, instructed by a Data Processor who has processed or will process data, instructs another organisation to process Personal Data in the provision of the Services to the Controller.
When a processor is to be engaged, the application must demonstrate that Approval standards and guidelines: engaging a data processor is met, including executing a contract with the processor that meets the requirements of Article 28(3) of the UK GDPR.