Guidance

Approval standards and guidelines: processing location

Updated 2 August 2024

Approval standard: processing locations

When must this standard be met

This standard must be met for all applications to access UK Health Security Agency (UKHSA) data classified as ‘Protected’.

Standard

1. The application must be descriptive of all processing locations to be used by the applicant or their engaged data processor. It must include:

  • the postal address of each processing location, taking account of if the data will be shared or isolated to specific users, processed in several locations simultaneously, system architecture, and the difference between legal address and processing locations
  • describe each processing location in the data flow diagram

2. The application must explain why each processing location is required for the project’s success in the scientific protocol.

3. The application must specify whether users of the data will be permitted remote access as well as the locations from which remote access is intended to take place. Where remote access will be granted to a user at their home address, the application does not need to include the home addresses of individuals but the mode and country of access.

4. Should the application include engaging one or more data processors, the application must:

5. Should the application include the use of a public or private cloud processing, the application must:

Guidelines

The definition of ‘processing’ appears at Article 4(2) of UK GDPR:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means […]

This definition is intentionally broad, and it is followed by a non-exhaustive list of examples:

collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

In making a data application, this standard requires you to provide each location where protected data will be processed and assure UKHSA that these locations are within the boundaries of the EEA.

Where data processing will be distributed across multiple locations or users in different organisations, each processing location must be documented and justified. It is expected that if remote data access is to be granted, the locations of the end users of the data are known. This does not need to include the home addresses of individuals but the mode and country of access.

In addition to specifying the location, each processing location must have appropriate technical and organisational measures in place to protect the confidentiality, integrity, and availability of the data, as required by the Approval standards and guidelines: data security.

Countries in the EEA

All data must be restricted to being processed within the EEA. At the time of publication, the EEA countries consist of the European Union (EU) member states and the European Free Trade Association (EFTA) states:

  • the EU member states are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, the EU Institutions, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden
  • the EFTA member states are the United Kingdom, Iceland, Liechtenstein, Norway and Switzerland

Processing location changes

Please keep in mind that any proposed changes to the organisations and/or locations that will be used for processing must be approved in advance by UKHSA.

Informing UKHSA after the change has been made, or failing to inform UKHSA at all, may be considered a breach of the data sharing contract and may necessitate the suspension of access to the data (if granted) or resubmission of your application (if under review).