Under the Research framework in the Digital Economy Act 2017, before data can be shared for research purposes, it must be processed by an accredited processor so that the data is ‘de-identified’.
When the data has been de-identified it can be made available to an accredited researcher in a secure environment, and the processor will ensure that any data (or any analysis based on the data) retained by the researcher, or are published, are ‘disclosure controlled’ to minimise the risk of data subjects being re-identified or other misuses of the data.
As the statutory accrediting body, the UK Statistics Authority has established a Research Accreditation Panel to oversee the independent accreditation of processors, researchers and research projects.
The overall accreditation approach for potential data processors, as well as those for researchers and research projects, is set out in the statutory Research Code of Practice and Accreditation Criteria. This sets out that a processor must:
i. Meet appropriate cross-government standards for the secure holding of sensitive data (personal information);
ii. Make use of appropriate technical infrastructure;
iii. Agree to publish and maintain appropriate data policies;
iv. Have appropriate skills and experience; and
v. The processor must agree to its inclusion on a public register
Apply for Digital Economy Act Processor Accreditation
The UK Statistics Authority has developed an accreditation process which assesses potential processors against the security controls required for the security standard of ISO 27001. In addition, potential processors will be routinely assessed against data capability controls and will be expected to demonstrate a level of maturity based on practices they have implemented. Potential data processors will need to complete evidence-based compliance assessments to ensure they can demonstrate sufficient security and technical controls, data capability controls, their staff have the appropriate skills and experience to be accredited as a data processor under the Digital Economy Act, and they are willing to be included on a public register. These assessments are reviewed by the relevant UK Statistics Authority teams who will also undertake a site visit. For further information or to apply to become an accredited processor, please email Research.Accreditation@statistics.gov.uk.
In September 2022, the Research Accreditation Panel approved a revised framework for the data capability accreditation of data processors under the Digital Economy Act 2017. As a result of this change, guidance and application forms are separated for data capability and security. We suggest that the DEA processor guidance is referred to first to offer an overview of accreditation process. The data capability guidance will assist you in navigating the new data capability frameworks which set out the expectations of how each data capability control should be applied, evidenced and assessed using the relevant documents and forms.
Documents for Download
Data Security accreditation
Data Capability accreditation