Skip to main content

How NHS Digital makes decisions about data access

We have a strict and well-established process for providing access to data for external organisations such as charities, academic institutions, and medical research companies. This ensures that the data we collect is used to benefit health and social care in a legal, ethical and transparent manner.

All external requests for data are considered in detail to ensure they meet the required standards. Applications undergo stringent review by our staff and by independent groups against published criteria. Applicants are required to demonstrate that they meet security standards and sign contracts that control how the data they access is used. We publish details of the data that we release and minutes from the meetings of our independent advisory group. And we commission audits to check that the data is managed and used appropriately.

We plan to reduce the amount of data being processed outside central secure data environments and increase the data we make available to be accessed via our secure data access environment.

Where there is a benefit to health and social care, we do allow access to data by commercial organisations. Commercial organisations conduct research, run clinical trials, develop products and services to meet clinical or patient needs, and support the planning and improvement of NHS services. Any application that has a commercial purpose must clearly demonstrate that there is a benefit to health and social care in England and Wales before its approval and this is reviewed carefully during the application process.

Data Sharing Agreements restrict the use of data to approved purposes. Our audits include checks that data being used in accordance with the agreed purpose and that the declared benefits are being achieved. When an agreement expires and is not renewed then all data must be securely destroyed and confirmation provided to NHS Digital.

We will not approve requests for data where the purpose is for marketing, including promoting or selling products or services, market research or advertising. And information is never passed to insurance companies without patient consent. We would reject an application from an insurance company to help set their premiums or for other commercial gain.

NHS Digital’s data access process

Data released by NHS Digital is subject to an overlapping series of safeguards. This process is managed by the Data Access Request Service (DARS) and is regularly reviewed to ensure it remains robust and transparent.

Full details of the DARS process are available here Data Access Request Service (DARS) guidance - NHS Digital.

1. NHS Digital review of application

All applications are reviewed by NHS Digital staff against our published standards for data access.

2. Independent review of application

An independent review of applications is carried out by the Independent Group Advising on the Release of Data (IGARD) All minutes from IGARD meetings are published including their recommendations, and details of data releases through our Data Uses Register.

IGARD provide independent scrutiny of NHS Digital data distributions, as well as providing a voice for stakeholders and the public. The panel consists of independent specialist and lay members recruited through an open and transparent recruitment process. Find full details of the role of IGARD.

If GP data is included in the application an additional review is also completed by the Professional Advisory Group (PAG). PAG consists of members from RCGP and BMA and our Caldicott Guardian, Dr Arjun Dhillon.

3. Approval of applications

Applications that meet the standards and where IGARD’s recommendations have been addressed are reviewed and approved by senior staff. Depending on the type of application it may require approval from the Head of Data Access, Director of Data Access, or Senior Information Risk Owner.

4. Contractual controls

Data is never provided without a contract. The contract is critical in controlling the purposes for which data can be used.

The process of review and approval described above is key to the development of a legal contract.

All releases through the DARS process are covered by two contracts:

Data Sharing Framework Contract with NHS Digital which creates a framework of legally binding terms and conditions that applies to each and every agreement with NHS Digital to share data with the data recipient. A data application cannot be progressed until an organisation has signed a contractually binding Data Sharing Framework Contract.  

A Data Sharing Agreement relating to the specific use of data covering the data required, minimisation, purpose, funding, any commercial element, processing activities, outputs, benefits and transparency and legal basis. Once all reviews of a data application are completed satisfactorily then a contractual Data Sharing Agreement is issued.

These two contracts provide safeguards by specifying how data may be used, the security and other controls that must be in place and the action that would be taken if the contracts are broken.

5. Data sharing audits

We commission independent data sharing audits to check that data recipients are meeting the obligations in their Data Sharing Framework Contracts and Data Sharing Agreements. This helps to ensure that organisations abide by the terms and conditions set by NHS Digital, the data supplied is kept safe and secure and is being used for the agreed purposes.

All the audit reports are in the public domain to ensure that the public can have full visibility. 

Examples of use by commercial organisations

Data from NHS Digital is used by public sector bodies, charities and commercial organisations. All must have a legal basis and legitimate need to use the data, which will only be used for health and care planning and research purposes.

Examples of data from NHS Digital being used by commercial organisations to benefit health and social care include:

Harvey Walsh Ltd

Harvey Walsh Ltd hold a range of data about hospital activity. Among other benefits, this data has been used to:

  • provide NHS England & Imperial College Health Partners with a Suspicion of Sepsis interactive data dashboard to support clinicians in recognising the suspected symptoms of sepsis resulting in faster diagnosis and treatment.
  • provide the Royal National Institute of Blind People with a five-year overview of ophthalmology services across England to identify areas where there may be unwarranted variation in or access to services.

McKinsey & Company

McKinsey & Company use hospital data from NHS Digital to support its work with NHS clients. For example:

  • helping a leading hospital to transform its services, increasing the efficiency of services and reducing patients' time in hospital while maintaining or improving quality of care.
  • supporting a UK Clinical Commissioning Group to identify a sustainable model for one of England’s smallest hospitals. Hospital data was used to show why change was needed and design a proposal for the future ahead of public consultation.

IQVIA Technology Services Ltd

IQVIA Technology Services Ltd receive hospital data for identifying sites for clinical research trials.

Hospital data from NHS Digital was used to increase recruitment, resulting in a 25% improvement. It also sped up the process by reducing the time taken to identify trial sites by 31%.

Speeding up recruitment means trials of treatments can report results more quickly, and so inform patient care faster.

Examples of uses that we would reject (or have rejected)

Information is never passed to marketing or insurance companies without patient consent.

Requests we would reject
  • requests for data where the purpose is marketing, promoting, or selling
  • requests for data for market research, or advertising
  • requests by insurance companies, such as to help them set premiums or for other commercial gain, unless patients consent

Last edited: 12 May 2022 5:07 pm