Guidance to support the DARS preliminary assessment

During the preliminary assessment stage we will work with you to determine:

• the most suitable services to access data based on your data needs
• how organisations involved in data access will meet any ethical, legal and security requirements, and the evidence you will need to provide
• any preparations needed for data access, for example, submitting details of a participant cohort to NHS England
• the relevant agreements needed for your data access request. This will ensure you can identify and prepare who ever needs to sign the agreements in line with any delegated authorities processes your organisation has in place
• how organisations involved in data access will meet any security requirements including cloud storage
• an indication of how long data access may take for your request
• the estimated cost to meet your needs both of making an application, and of the service to access data this enables you to confirm the source of funding, and provide payment details when needed 

We will discuss with you your data needs and services to access data which can best meet your needs.  

If your proposed use of the data is novel or potentially contentious, we may use our assurance process during the preliminary assessment. This provides an early indication of if your request is likely to be supported, and of the actions necessary before you can make a formal application. 

The preliminary assessment will discuss the data you require.  

This will include:  

• the name of data set(s)
• date range including historic year, latest available or future drops
• data fields  

Learn more about which data available from the DARS service. 

The preliminary assessment will also discuss the level of data you wish to access. NHS England has a responsibility to ensure there is a legal valid basis supporting a data access request.

If your project involves personal data, you will require a data protection legal basis. 

If your project involves processing confidential information, then we will discuss the appropriate common law legal basis with you, for example consent or Section 251.  

Where access to data requires the disclosure of identifiable information, such as a date or birth or NHS number, you will need to provide evidence of participant consent or section 251.  

There are other scenarios where disclosures required by law override the duty of confidentiality, for example compliance with a court order or a statutory requirement. If you are relying on one of these, this can be discussed during the preliminary assessment.

Where your application involves personal data (identifiable data), then it is a legal requirement under the Data Protection Act (first principle) that personal data must be processed fairly and lawfully. Read more about DARS online fair processing.   

If you are relying on informed consent to access people’s data, you must provide copies of all materials used to obtain consent from the relevant groups that make up your study cohort, including copies of all versions of participant information sheets and consent forms used indicating the time periods they cover.  

You will also need to provide details on the ways in which you keep contact with your cohort, for example, through a website or newsletters. 

If you are relying on support under section 251 of the NHS Act 2006 to access confidential participant information without consent you must provide the following documents and information: 

• a copy of the application for section 251 support (and any amendments made such that the scope of section 251 support can be clearly identified) 
• a copy of the section 251 support approval letters, for example the relevant version of the protocol 
• copies of documents reviewed by CAG, as listed in section 251 support approval letters 
• confirmation of current section 251 support (for example presence on CAG register, the applicant’s latest annual review submission) 

During the DARS process, the documents described above will be assessed to ensure the scope of the section 251 Support approval is aligned as follows: 

• to the receipt, linkage, and/or dissemination of confidential patient information by NHS England

• to the purpose set out in the application 

• to any amendment to the purpose or data receipt, linkage or dissemination of a DARS application, to ensure continued alignment 

The preliminary assessment will discuss:

Data minimisation

Data minimisation is an important requirement under UK data protection legislation. When requesting data from NHS England, applicants must clearly explain how they have ensured that the information they are asking for is limited to what is necessary to achieve their stated purpose 

Patient objections  

NHS England is required to apply the National Data Opt-Out (NDOO) whenever confidential patient information (CPI) is used or disclosed for purposes beyond an individual’s direct care and where the legal basis for using that data relies on the Common Law Duty of Confidentiality (CLDC) being set aside. This normally occurs through Section 251 approval under the Health Service (Control of Patient Information) Regulations 2002.  

Before NHS England shares any CPI with applicants, it checks whether the opt-out must be applied in line with national policy. Data sharing standard 3c patient objections provides further information provides further information.  

Linking to a cohort

If you want the NHS England data you’re requesting to be linked to a cohort you supply (such as a list of identified individuals) you will need to review the cohort submitter guidance provided.  

NHS England is only able to share data for the purposes of health care or adult social care or for the promotion of health related to the Care Act 2014. This enables data to be made available for a wide range of health and care purposes, including for the commissioning of those services and the epidemiological research that is needed at the earlier stages of developing new treatments. 

The DARS team will discuss your purposes for requesting data, your expected outputs, outcomes and benefits ensuring you are able to clearly demonstrate that there is a benefit to health and social care in England and Wales.   

NHS England is unable to share data solely for commercial purposes. Where there is commercial involvement, applicants must clearly explain the commercial purpose for which the data is requested and demonstrate the public benefit that will result from this use. 

If you are requesting data access to undertake research you will need to ensure that: 

• you have considered if you require Research Ethics Committee support and you are able to evidence this
• you can confirm how your research study is funded  

The DARS team will also discuss further your expected outputs, outcomes and benefits as you must be able to clearly demonstrate that there is a benefit to health and social care in England and Wales.   

During the preliminary assessment, the DARS team will work with you to establish the roles which organisations are playing in data access. The roles of data controller and data processor must be established. Further guidance about data controllers and data processors is provided by the ICO

You will need to be able to confirm how the data will be processed, organisations who will process the data, and the location (s) of where the processing will happen.

You will also need to confirm if you intend to use honorary contracts.

The DARS team will check with you that:

• all data controllers in respect of the purpose(s) for the proposed data access have been appropriately determined    

• all data controllers are legal entities with a signed contract with NHS England for data sharing known as a Data Sharing Framework Contract (DSFC)

• all data controllers and data processors can meet security requirements to access data and provide evidence of how the requirements are met

Territory of use is the geographical location from which the data is accessed to carry out data processing; it needs to be permitted under the data sharing agreement. All data sharing agreements must state the territory of use, which will be one of the following: 

• England/Wales 

• UK 

• UK and EEA 

• Worldwide 

If you have a reason for NHS England data to be accessed outside the UK, you will be required to submit additional assurance information, including a Transfer Risk Assessment where data is accessed from countries without an adequacy decision. 

If the data is being processed within the EU or a country where there is an adequacy decision, put in place, then these countries, territories, sectors or international organisations have been deemed (the adequacy decision) to provide an ‘essentially equivalent’ level of data protection to that which exists within the UK, that is, protection of individuals rights and freedoms in respect of their personal data. The ICO provide a current list of countries or territories covered by adequacy regulations. 

If you want to link NHS England data to data you hold, and make available to third parties, you will need to enter into a sub-licence agreement. In these scenarios, applicants must clearly demonstrate why the requested sub‑licence is necessary, including explaining why the data cannot be supplied directly by NHS England and how the applicant has added value to the data before sub‑licensing.