Skip to main content

Advice supporting data access from NHS Digital in respect of GDPR

This is the content of the letter sent to DARS customers on 7th February 2018.

Download the original letter - Advice supporting data access from NHS Digital in respect of GDPR

As a researcher and customer of NHS Digital this letter is to try and help you get the data you require from NHS Digital in the most effective way.

As you know the General Data Protection Regulation applies from 25th May 2018 and the data management of your research must conform to this and the Data Protection Act 2018. Many of you will have attended the recent researcher roadshows carried out jointly by NHS Digital and the MRC that gave more detail (presentations shortly available at the DARS web page). This letter sets out some advice which we hope you find helpful.

The most important piece of information is that you have until the 25th May 2018 to address any shortfalls in your current lawful basis for processing personal data or special category personal data under GDPR, particularly if that lawful basis relies on consent. More detail on this is provided by the European Commission's Article 29 Data Protection Working Party which has published its position on consent: Guidelines on Consent under Regulation 2016/679 adopted 28 November 2017 at:

To help explain how data protection legislation applies to health and social care research, the HRA has published a suite of four high-level briefing documents aimed at those working in research in the NHS, universities, research council and charity institutes and commercial companies. Supported by a UK-wide GDPR working group with representation from a wide range of expert bodies, including the Information Commissioner's Office, these four high-level briefing documents have been adopted by NHS Digital as our research procedure for GDPR:

  1. A Lawful Basis for Health Research under Data Protection Legislation
  2. Transparency, Health Research and the Data Protection Law
  3. Data Protection Safeguards: 'appropriate safeguards' when processing personal data for purposes of health or social care research
  4. Data Subject Rights and Research Exemptions: Understanding the exemptions to application of the right to access, to portability, to rectification, to erasure, and to object, in the context of Health and Social Care Research 

The four documents, along with further detailed guidance from the HRA about operational arrangements that researchers and organisations may need to put in place for researchers and their organisations, are available at the Health Research Authority pages on GDPR.


Last edited: 30 November 2021 4:45 pm