Data Access Request Service (DARS): pre-application checklist
What you need to consider before applying for data.
Pre-application eligibility criteria
- When applying for any record level dataset, the Data Controller(s) of those data must have a valid, signed Data Sharing Framework Contract in place.
- If you don't have a valid, signed Data Sharing Framework Contract in place, please contact the NHS Digital data access and information sharing team.
- If you're applying for a tabulated/aggregated output with small numbers suppressed, that is not available via the Hospital Episode Statistics (HES) publications section of our website, then you don't need a contract in place.
Data Controllers and Data Processors
You must provide evidence of compliance with the minimum security standards for data processors and data storage locations using one of the assurances listed below:
1. Data Security and Protection Toolkit (DSPT)
The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
Further information on the DSPT is available in the help section.
This is the preferred method of assurance for DARS applications because:
- performance is measured against the National Data Guardian’s 10 data security standards
- the DSPT is an annual assessment - as data security standards evolve, the requirements of the Toolkit are reviewed and updated to ensure they are aligned with current best practice
- the DSPT also provides organisations with a means of reporting security incidents and data breaches
- organisations can use the DSPT to develop their Data Security Maturity
Organisation Type: Secondary Use Organisation (SUO)
This is an organisation that processes patient information for secondary purposes.
Large (non-hosted) organisations that make an application under Health and Social Care Act (Section 251) to the Health Research Authority (HRA) Confidentiality Advisory Group (CAG) or via the Data Access Request Service are required to complete a satisfactory DSP Toolkit assessment.
The DSPT standard for a SUO is a subset of the full standard. This set is known as the Category 3 evidence items; these can be found in the DSPT help section.
The DSPT Attainment Levels are:
- Standards not Met (with an opportunity to agree an improvement plan)
- Standards Met
- Standards Exceeded
Where an organisation attains Standards not Met and agrees an improvement plan, this will be accepted provided the improvement plan covers requirements that are considered low risk. Standards Met and Standards Exceeded are accepted.
All organisations that have access to NHS patient data and systems must use the DSPT to provide assurance that they are practising good data security and that personal information is handled correctly.
2. ISO27001 – Information Security Management System
For organisations that hold a valid ISO27001 certification, this may be accepted for security assurance where the Scope and Statement of Applicability (SOA) include all the activity the organisation will undertake in its role as Data Controller and/or Data Processor.
Where the ISO27001 certification covers a scope that would require reference to other standards in the ISO27k series, those standards must be included in the Scope and SOA. For example, cloud suppliers would be expected to include controls from:
- ISO27017 Information security controls for cloud computing
- ISO27018 Privacy controls for cloud computing
3. System Level Security Policy (SLSP)
In certain circumstances we may accept an SLSP for security assurance; in these cases the SLSP would be expected to provide a similar level of confidence that the National Data Guardian’s 10 data security standards are met.
You need to know which organisations are going to be acting as the data controller, the data processors, and the data storage locations. They must be based in the UK.
Data items and data flow diagram
- You must complete a data specification sheet for the data which you require.
- Attempt to apply data minimisation to reduce the amount of data you are requesting.
- Provide a data flow diagram showing each of the respective parties involved in the start to end flow of the data.
- If you're requesting sensitive or identifiable data items, do you really need them or would pseudo versions or derivations be acceptable?
- You must provide the necessary evidence to support the legal basis required for your application.
- If you're asking for identifiable items, please provide patient consent or Section 251 support.
- If you're asking for Office for National Statistics (ONS) data, please provide Approved Researcher status with Microdata Release Panel (MRP) approval, or state whether you are relying on Section 42(4) of the Statistics and Registration Service Act (SRSA) 2007.
- If you're applying for data which involves patient consent and identifiable data, please provide appropriate and up-to-date fair processing information.
- If you're applying for data under the Care Act 2014, you must meet the requirements of Section 122.
- Please provide a clear purpose with a defined processing section, outputs and clearly stated benefits, and explain how those benefits meet the requirements of the Care Act 2014.
- If the purpose is for research, please provide evidence of ethics and protocols required.
Commercial and Funding
- Is the application in any way commercial? If so, please clearly demonstrate how it benefits the health and social care system.
- If external funding is provided, your application must show whether the funding organisations receive any outputs and whether the use of those outputs is commercial.
- Please provide evidence for any funding.
Data Protection Act registration
- Your organisation must have a valid Data Protection Act (DPA) registration which clearly shows that the data will be used for research relating to health.
- Does your DPA registration expire within 2 months? If so, you must have a plan in place to renew it.