Skip to main content

Data Access Request Service (DARS): guidance notes on security

This security guidance is for organisations applying for data from NHS Digital. It advises how to supply the data security information we need to process your application.


This security guidance provides information on the controls that your organisation needs to have in place to be able to engage in a Data Sharing Agreement with NHS Digital. 

If you have an enquiry, or would like to give us feedback on the application form, guidance or web pages, call 0300 303 5678 or email

Data security

The key to good data security is defence in depth, such as, having multi-layered security using differing tools and techniques. That way, if one level is compromised, further layers are in place to minimise further damage.

The following, standards and tools can be used to aid the development of security policies and processes:

Security requirements

To complete the security assurance in a timely manner it is recommended that you engage with your IT and IT Governance departments. Before submitting your security assurance

1. NHS Digital Data Security and Protection Toolkit 

The Data Security and Protection Toolkit is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.

All organisations that have access to NHS patient data and systems should use this toolkit to provide assurance that they are practising good data security and that personal information is handled correctly.

This is the preferred method of assurance.

The aim of the DSPT is to develop the Data Security maturity of Organisations. 

Approval is based on meeting the standard see table below:

Standards Exceeded


Standards Met 


Standards Not Met (Improvement Plan Agreed)

Can be approved may include special conditions

2. International Organisation for Standardisation (ISO) 

ISO27001 - Information Security Management System (ISMS)

ISO is a recognised international standard providing requirements for an information security management system (ISMS), there are more than a dozen standards in the ISO/IEC 27000 family. 

Organisations using a current ISO27001 certification must confirm that the Scope and the Statement of Applicability (SOA), includes the relevant standards from the ISO27000 family and is aligned to their role in the application.

3. System Level Security Policy (SLSP)

A System Level Security Policy (SLSP) can be provided as assurance this can either be a stand-alone document or be supported by the relevant policies within the Organisation.

The SLSP should be used as a transitional assurance that enables the organisation to increase the maturity of their Data Security so that they are able to complete the preferred DSPT.

A guidance document will be available soon to help you construct an SLSP that can be used to help your organisation develop towards the preferred option of a DSPT. The SLSP needs to provide the same level of assurance that a DSPT would, to ensure that organisations are aligned to standards. 

If further guidance is required please refer to: 
All topics – NCSC.GOV.UK

NHS Digital follows the security guidance and best practice published by the National Cyber Security Centre (NCSC); this is aimed at assisting all types of Organisations in different sectors with Data Security concerns. The NCSC guidance should be referred for any Data Security support you may need.

In addition to the NCSC Guidance other recommended sources are:

  1. National Institute of Standards and Technology (NIST).
    This is a valuable source of Cyber Security information and standards. 
  2. Cloud Security Alliance (CSA)
    CSA is the world’s leading organisation dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

Privacy guidance

Information Commissioner’s Office (ICO)

The ICO publishes guidance on how to meet relevant data protection and privacy legislation including the UK General Data Protection Regulation (UKGDPR).

Cloud hosting

In January 2018 NHS Digital published guidance that enables health and social care organisations to use cloud services and/or store patient data offshore.

Organisations that include the use of cloud services and/or store patient data offshore in their DARS applications will need to provide evidence that they have undertaken the steps described in the guidance for their application to progress.

NHS and social care data: off-shoring and the use of public cloud services provides an overview of the requirements. The Health and social care cloud security – good practice guide provides greater detail and a 4 step method to understand the risk of the data that needs to be stored and processed and the safeguards that must be put in place to do so, securely.

Step 1 - Understand the data you are dealing with
Step 2 – Assess the risks associated with the data
Step 3 – Implement appropriate controls
Step 4 – Monitor the implementation and ongoing risks

The Health and social care cloud security one page overview is as described a single page version of the 4 steps above to provide support to data controllers.

The Health and social care cloud risk framework should be used to assess and manage the risks associated with the use of public cloud services.

The Health and social care data risk model should be used to assess and record the details of any proposed use of cloud services, by producing a risk class indication which is used to define the required controls.

Specific DARS requirements 

Whilst the controls below should be identified in your risk assessment to meet your contractual obligations and data protection legislation (DPA/GDPR),  they are listed here as requirements:

Data destruction – an NHS Digital approved method to prevent the recovery of any data that is no longer required (Principle 5) at the end of the DARS Agreement, at the retention period or on the issue of a Data Destruction Notice (DDN). 

Encryption at rest – encryption of data in cloud storage.

Encryption in transit – encryption of data in transit between the cloud provider and the end user.

Geography/jurisdiction – a risk assessment that can support the storage location or storage locations.

Evidence to support a DARS application

For applications that include the use of cloud services, the following documentation should be provided to support the application:

  1. The type of cloud service(s) that you are using to confirm that you have considered the risks associated with each service. Examples of cloud services include cloud storage, Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
  2. A completed Health and social care data risk model, to confirm that the data class has been assessed.
  3. A cloud risk assessment to confirm that an appropriate risk assessment has been undertaken and that the applicant has considered all risks associated with the use of cloud.

General guidance

Data on the move

Many data security breaches arise from the theft or loss of laptops, mobile phones or USBs. The same level of security should therefore be applied to devices being used away from the office as those used in the office. Personally identifiable, sensitive and confidential data must not be stored on mobile devices unless by exceptional circumstance and has been authorised by your organisation with a business case to do so. In any event, any data held on a mobile device must be secured by using data encryption (minimum AES-256) so that it cannot be accessed by unauthorised persons and must only be held temporarily on the device. We would advocate the implementation of remote wiping technologies. You should also consider the security of data if being sent by email or post.


You should use encryption (minimum AES-256) to make sure data can only be accessed by authorised users. Typically, this means a password is required to 'unlock' the data.

Your encryption should include:

  • full disk encryption so that all data is encrypted
  • file encryption so that individual files can be encrypted
  • an encryption password that is a mix of upper and lower case, numbers and special characters (i.e. #, &, !) and is kept secret
  • (where possible) password protection to stop people making changes to data

Where an approved business case applies you should only transfer personal data to mobile devices as a temporary measure if you actually need it and securely remove it when you have finished - in line with your data deletion and disposal policy. Some mobile devices can be disabled or wiped remotely. If they're stolen this means you can send a signal to locate and, if necessary, securely delete all data. You will need to pre-register for this service.

Always make sure you know exactly what protection you are applying to your data.

Security software

Computer equipment and software needs to be regularly maintained in order to keep it running smoothly and to fix any security vulnerabilities. Security software, such as anti-virus and anti-malware, needs to be regularly updated so that it continues to provide adequate protection. Attacks can go unnoticed and many people only find out they have been attacked when it is too late.

To maintain data security effectively you need to ensure that:

  • security software is kept switched on and monitoring the files it should be
  • software is updated regularly (most can be set to do this automatically)
  • security software messages, control logs and other reporting systems are checked regularly
  • you check what software or services are running on your network and identify if there is something there which should not be
  • you run regular vulnerability scans and penetration tests to scan your systems for known vulnerabilities - and address them

Review, update, mitigate

Make sure you're correctly using your security systems and that people can spot when there is a problem. Make sure users and/or employees are aware of their roles and responsibilities and clear when action needs to be taken. You should also put in place plans for a data breach.

To help make sure you're using your security correctly, you should:

  • review what personally identifiable data or patient identifiable data you currently have and what protection you have in place
  • make sure you are compliant with any industry guidance and legal requirements
  • document the controls you have in place and identify where you need to make improvements
  • (once any improvements are in place) continue to monitor the controls and update them where necessary
  • consider the risks for each type of personal data you hold and how you would manage a data breach, so you can reduce the impact
  • have an acceptable-use policy and training materials in place for staff so they know their data protection and data handling responsibilities - this should also cover for non-personal data handling where the data protection act doesn't apply
  • get a security expert to review your systems and highlight where your security vulnerabilities are and how best to address them
  • make regular encrypted back-ups, keep them secure and delete them properly when no longer required, in line with your disposals policy

Third parties

If you outsource IT systems to a third party you should make sure they treat your data with the same level of security as you do.

To check the security of third party suppliers you should:

  • make sure data is not stored outside the United Kingdom unless by specific agreement
  • ask for a security audit of the systems containing your data to identify and address any vulnerability
  • review copies of their security assessments
  • if appropriate, visit their premises to make sure they're as you would expect
  • check that contracts are in writing and require your supplier to act only on your instructions and comply with certain obligations of the Data Protection Act
  • make sure you have a contract for any data to be erased and equipment disposed of or recycled - also that you receive a notice of certification for destruction that complies with your policy and that this is done adequately (you may be held responsible)
  • ensure that you are aware and can provide evidence of the location of the processing servers, the location of any backups and provide evidence of any cross border data transfers that may take place
  • confirm that the supplier does not outsource any admin tasks or services outside of the United Kingdom (such as database maintenance and configurations)
  • confirm and request evidence of their certifications if available

Last edited: 10 January 2022 6:53 pm