Information for customers with a Data Sharing Agreement (DSA)

At the end of the DARS process, the data access which has been approved is summarised in a document known as a Data Sharing Agreement (DSA). Each DSA has a unique reference number, known as a NIC number, which is allocated during the DARS process.

A DSA is specific to each request for data and must be signed by both the applicant organisation and by NHS England before the approved data can be accessed.

DSA holders should familiarise themselves with important information on this page. This information includes what happens once a DSA is signed and approved data access can begin, audits and reviews which may be undertaken, how information is published on your DSA, how to make a change to your DSA, and what you need to know when a DSA is due to expire. 

Once a signed DSA is in place, arrangements to access data are made to use the services to access data specified in the DSA. 

To access data agreed in your signed DSA you will need to:  

• sign a service agreement for the service to access data you will be using, if applicable. More information on service agreements can be found on contract and agreements required to access data required to access data from NHS England
• if required, promptly send participant (cohort) data to NHS England within the required time scale. Further information can be found in the guidance for submitting participant data (cohort file)

Information from your DSA is added to the Data Uses Register.

This register provides detailed information about DSAs, including:​​

• the organisations involved​
• the legal basis for data release​
• if patient opt outs were applied​
• physical file release details​

The data uses register is available to view as both a PowerBI dashboard or an excel document. 

To access data using a DSA, organisations who are the data controller for the data access must already have in place a Data Sharing Framework Contract (DSFC). This is checked as part of the DARS process. Although not having a current DSFC does not prevent a request for data being started, a DSA cannot be put in place without a DSFC being in place. 

Independent audits are carried out and where necessary post audit follow up reviews to check that our customers are meeting the obligations in their DSFCs and DSAs. This helps to ensure that organisations abide by the terms and conditions set by NHS England and data is kept safe and secure.​

We carry out reviews annually with all customers with DSFCs and DSA’s. This review ensures that the DSFC remains up to date, that data controllers continue to comply with DSA’s, and that DSA’s are being properly managed. We check that any data shared under DSA’s is used lawfully and in line with agreed terms, with no breaches of the data sharing arrangements.

At the end of the DARS process, the data access which has been approved is summarised in a document known as a Data Sharing Agreement (DSA). 

A DSA is specific to each request for data and must be signed by both the applicant organisation and by NHS England before the data approved can be accessed.

To access data using a DSA, organisations who are the data controller for the data access must already have in place a Data Sharing Framework Contract (DSFC). This is checked as part of the DARS process. Although not having a current DSFC does not prevent a request for data being started, a DSA cannot be put in place without a DSFC being in place. 

More information on the contract and agreements required to access data from NHS England and how they are audited and reviewed is available. 

DSFC holders receive an automated notification 3 months before their DSFC is due to expire. This supports organisations who need a DSFC to ensure a valid one is in place.

If you are unsure when the DSFC for your organisation is due to expire, or wish to begin a renewal, contact the DARS team. They will advise you on the appropriate steps you will need to take. In the subject header of your email, please quote the name of your organisation and requirement to renew your DSFC.

Steps to take for data when your DSA expires varies between those who use an Extract Service, and users of other services to access data. 

All customers with extracts are required to delete data when their DSA or DSFC expires and is not extended. ​

Customers should complete the certificate of destruction and refer to the National Cyber Security Centre guidance for more information on the sanitisation, reuse, disposal and destruction of electronic media and the destruction and disposal of sensitive data.​

Further guidance is available in the security notes and in NHS England's data security policies.​

For all other services to access data contact the DARS team on who will advise you on the appropriate steps you will need to take. In the subject header of your email, quote your unique reference (beginning ‘DARS-NIC-…) found on your DSA.

Email contact DARS, who will signpost your question to the relevant subject matter expert for a response

If you have a request going through the DARS process, or if you have an enquiry relating to an existing Data Sharing Agreement, include your NIC reference number in your enquiry to ensure we can signpost it to the relevant expert to provide support