Does this apply to me?
It is really important that you familiarise yourself with the NHS code of practice in order to remain compliant and keep you in line with the guidance on confidential information.
The principles apply to anyone developing anything that involves the collection, use, sharing and storage of information and data.
If you are working on anything related to data, you will also need to complete a Data Processing Impact Assessment (DPIA) and, if you are hosting in the Cloud, a Cloud Risk score.
TRG Applications - pre-requisite for data
NHS England's Register of Data Processing (Unified Register) and Information Asset Records.
The Data Protection Act 2018 (GDPR Article 30) requires Controller organisations to demonstrate accountability. This includes maintaining a register of the processing of personal data and stipulates the contents of the register e.g. purpose of the processing, categories of data subjects etc.
For other (non-personal) data there are also valid business reasons for a complete and comprehensive record of all processing that supports key business functions. GDPR does not require the business function to be registered but in order to have a logical structure useful to NHS Digital, data processing should be grouped under distinct business functions e.g. HR.
To meet the legal obligation, NHS England has developed the Unified Register (UR). The UR is also the repository for supporting documentation (also required by GDPR) such as Data Protection Impact Assessments (DPIA), System Level Security Policies (SLSP) and other documents. Existing and new information assets which include processing of personal data (or sensitive personal data) must be entered on the UR.
A clear statement must be included on documentation submitted to TRG that the status of the UR entry and associated documentation has been completed (or reasons why not, e.g. already registered and no change to existing documentation). This will avoid delay in approval.