Data sharing standard 1c - Processors

This standard is part of a series of guidance documents to support the various stages of a DARS application.

 

Standard description

According to Article 4(8) of the General Data Protection Regulation (GDPR), "processor" means:

  • a natural or legal person¹, public authority, agency or any other body
  • which processes personal data on behalf of the controller

The definition of processing under Article 4(2) of GDPR is:

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

A controller determines the purposes and means of processing personal data and a processor is responsible for processing personal data on behalf of a controller.

  1. Every organisation that is a Processor must be detailed as such in the application for data.
  2. A Processor must meet the definition set out in Article 4(8) of the General Data Protection Regulation.
  3. Each Processor is required to have:
    • adequate security assurance (see separate standard on security assurance requirements)
    • paid the relevant data protection fee to the Information Commissioner's Office (ICO) - see ICO data protection fee guidance
  4. Whilst a Controller may process data themselves, each and every separate legal entity that processes data on behalf of a Controller must only act on the documented instructions of the Controller. NHS Digital require confirmation within the application that such documented instructions will be in place prior to processing by a Processor (and remain in place during that processing).

Processors are subject to a number of additional obligations under Data Protection legislation and parties are advised to consider these duties and responsibilities. For further guidance please see the ICO GDPR guide.

¹ For example, a person or legal entity

Last edited: 12 May 2025 12:14 pm