Pre-application eligibility criteria
- When applying for any record level dataset, the Data Controller(s) of those data must have a valid, signed Data Sharing Framework Contract in place.
- If you don't have a valid signed Data Sharing Framework Contract in place then please contact the NHS Digital data access and information sharing team.
- If you're applying for a tabulated/aggregated output with small numbers suppressed, that is not available via the Hospital Episode Statistics (HES) publications section of our website, then you don't need a contract in place.
Addresses and security
- You need to know which organisations are going to be acting as the data controller, the data processors and the data storage locations. They must be based in the UK.
- You must provide evidence of the minimum security standards for data processors and data storage locations.
- An up-to-date, reviewed Information Governance (IG) Toolkit score or ISO27001:2013 is acceptable. Where ISO27001 is stated, please also provide evidence of ISO27002 and ISO27018.
- We currently accept System Level Security Policy (SLSP) as a valid means of security certification but this is due to be phased out.
Data items and data flow diagram
- You must complete a data specification sheet for the data which you require.
- Attempt to apply data minimisation to reduce the amount of data you are requesting.
- Provide a data flow diagram showing each of the respective parties involved in the start to end flow of the data.
- If you're requesting sensitive or identifiable data items, do you really need them or would pseudo versions or derivations be acceptable?
- You must provide the necessary evidence to support the legal basis required for your application.
- If you're asking for identifiable items, please provide patient consent or Section 251 support.
- If you're asking for Office for National Statistics (ONS) data, please provide Approved Researcher with Microdata Release Panel (MRP) approval, or state whether you are relying on Section 42(4) of the Statistics and Registration Act (SRSA) 2007.
- If you're applying for data which involves patient consent and identifiable data, please provide appropriate and up-to-date fair processing information.
- If applying for data under the Care Act 2014, you must meet the requirements of Section 122.
- Please provide a clear purpose with a clearly defined processing section, outputs and clearly stated benefits, with how those benefits clearly meet the requirements of the Care Act 2014.
- If the purpose is for research, please provide evidence of ethics and protocols required.
Commercial and Funding
- Is the application in any way commercial? If so, then please clearly demonstrate how this benefits the health and social care system.
- If external funding is provided, your application must show whether the funding organisations receive any outputs and whether the use of those outputs is commercial.
- Please provide evidence for any funding.
Data Protection Act registration
- Your organisation must have a valid Data Protection Act (DPA) registration which clearly shows that the data will be used in research relating to health.
- Does the DPA registration expire within 2 months? If so, then you must have a plan in place to renew.
Last edited: 13 October 2020 11:49 am