When using personal data, even when it has undergone pseudonymisation, it carries some risk of inadvertent or malicious re-identification. Organisations must be able to provide assurance to their care system and other data controllers that they have sufficient controls in place to protect the data they require to undertake in respect of any secondary use activities. 

In addition, if an organisation intends to sub-contract activities to other organisations, the organisation sub-contracting is responsible for ensuring that the sub-contracted organisation(s) has the necessary controls in place to protect personal data.

It is also key that a Care System agrees the appropriate standards which it requires organisations to have in place if they are participating in the processing of personal data at any part in the support of care system wide secondary use activities. The SUDGT provides a checklist tool to support the review of organisational data controls within organisations across your care system. Alternatively, a Care System can consider a range of other standards and assessments such as the Data Security and Protection Toolkit, Cyber Essentials & ISO 27001:2013, but must ensure that any alternative has a suitable scope.

Ensuring that organisations possess sufficient technical and organisational controls to effectively protect personal data against malicious or accidental harm is an underpinning principal of GDPR and the Data Protection Act 2018. Demonstrating these protections are also required in DPIAs and national DARS applications.


You should now determine and record:

  • the compliance of each organisation that will be receiving, storing, accessing or otherwise processing patient data to support integrated activities 

This information can be recorded in the SUDGT input tool and/or the organisational protections checklist.


  • Risks to personal data could include, but is not limited to:
    • Re-identification of de-identified data through linkage of multiple de-identified data sets
    • Malicious re-identification of data
  • Organisations must have in place sufficient controls to mitigate these risks, and the tool recommends a list of controls that are in line with the Information Commissioner's Office (ICO) Anonymisation Code of Practice available here
  • If organisations intend to sub-contract any of their activities, they should take steps to assure the levels of control in third party organisations are equal to their own and sufficient to protect the data
  • Once assurances have been sought, care systems and data controllers should be satisfied and have a high level of confidence in organisations to safely process data