Key questions to ask are:
Are all data flows detailed (such as what organisation will transfer data to what other organisations)?
Is the level of data involved in each data flow clarified (meaning - identifiable, pseudonymised, aggregated)?
Note: If any pseudonymous data or data being described by the applicant as 'anonymous' will be shared with third parties, the fields to be shared should be clarified.
Is it clear (in cross-check with section 3) what legal basis relates to what data flows? For complex applications, note that it is worth including a data flow diagram, and matching on the diagram the legal basis against each data flow.
Has a legal basis been evidenced for all data flows?
If data will be accessed outside the UK, are the details, including how data will be transferred, explained?
If anyone who is not a direct employee of the organisation requesting data (such as users working on honorary contracts, charity staff helping with analysis) will be accessing data, are details given?
Does it explain what will be done with the data NHS Digital supplies? for example, will there be trend analysis? Will the data be linked or compared (matched) with other data sets (if so, at what level and what will be used to link them)? Will there be benchmarking against peer groups?
If sensitive data, national data or data over a long period is requested, does it justify why that data is needed? Is that justification proportionate to the risk of releasing this data?
Is there a clear and logical link between the above and the specific outputs mentioned?
Are any organisation names or locations mentioned in this section consistent (a) throughout this section, (b) with the dataflow diagram, (c) with the names/addresses used elsewhere in this form including sections 1 and 7.
Useful phrases (where applicable): "No data will be linked to record patient level data."