Data Access Request Service (DARS): pre-application checklist
What you need to consider before applying for data.
Pre-application eligibility criteria
Contract
- When applying for any record level dataset, the Data Controller(s) of those data must have a valid, signed Data Sharing Framework Contract in place.
- If you don't have a valid signed Data Sharing Framework Contract in place, please contact the Data Access Request Service (data dissemination) team at NHS Digital.
- If you're applying for a tabulated/aggregated output with small numbers suppressed that is not available via the Hospital Episode Statistics (HES) publications section of our website, then you don't need a contract in place.
Security Assurance
Data Controllers and Data Processors
You must provide evidence of compliance with the minimum security standards for data processors and data storage locations using one of the assurances listed below:
1. Data Security and Protection Toolkit (DSPT)
The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards.
Further information on the DSPT is available in the help section.
This is the preferred method of assurance for DARS applications because:
- performance is measured against the National Data Guardian’s 10 data security standards
- the DSPT is an annual assessment - as data security standards evolve, the requirements of the Toolkit are reviewed and updated to ensure they are aligned with current best practice
- the DSPT also provides organisations with a means of reporting security incidents and data breaches
- organisations can use the DSPT to develop their Data Security Maturity
Organisation Type: Secondary Use Organisation (SUO)
This is an organisation that processes patient information for secondary purposes.
Large (non-hosted) organisations that make an application under the Health and Social Care Act (Section 251) to the Health Research Authority (HRA) Confidentiality Advisory Group (CAG), or via the Data Access Request Service, are required to complete a satisfactory DSP Toolkit assessment.
The DSPT standard for a SUO is a subset of the full standard. This set is known as the Category 3 evidence items; these can be found in the DSPT help section.
Attainment
The DSPT Attainment Levels are:
- Standards not Met (with an opportunity to agree an improvement plan)
- Standards Met
- Standards Exceeded
Where an organisation attains Standards not Met and agrees an improvement plan, this will be accepted if the improvement plan covers only requirements that are considered low risk. Standards Met and Standards Exceeded are accepted.
Policy
All organisations that have access to NHS patient data and systems must use the DSPT to provide assurance that they are practising good data security and that personal information is handled correctly.
2. ISO27001 – Information Security Management System
For organisations that hold a valid ISO27001 certification, this may be accepted for security assurance where the Scope and Statement of Applicability (SOA) include all the activity the organisation will undertake in its role as Data Controller and/or Data Processor.
Where the ISO27001 certification covers a scope that requires reference to other standards in the ISO27k series, these must be included in the Scope and SOA. For example, cloud suppliers would be expected to include controls from:
- ISO27017 Information security controls for cloud computing
- ISO27018 Privacy controls for cloud computing
3. System Level Security Policy (SLSP)
In certain circumstances we may accept an SLSP for security assurance. In these cases the SLSP would be expected to provide a similar level of confidence that the National Data Guardian’s 10 data security standards are met.
Data items and data flow diagram
- Data minimisation must be applied, as required by GDPR.
- Provide a data flow diagram to show a) each of the respective parties involved in the start to end flow of the data and b) the legal basis for each flow.
- If you're requesting sensitive or identifiable data items, do you really need them, or would pseudonymised versions or derivations be acceptable?
- If you’re supplying a cohort (such as a list of identified individuals) to NHS England, please note that the cohort will be submitted via an automated cohort submission system in a designated format. Further guidance on the format can be found in the cohort submitter guidance.
Legal basis
- You must provide the necessary evidence to support the legal basis required for your application.
- If you're asking for identifiable items, please provide patient consent or Section 251 support as well as the initial application and subsequent approval letters.
- If you're applying for data which involves patient consent and identifiable data, please provide appropriate and up-to-date fair processing information.
- If you're applying for data under the Care Act 2014, you must meet the requirements of Section 122.
- You will need to state your chosen valid legal basis for processing personal data; your choice will depend on the purpose of your data processing.
Purpose
- Please provide a clear purpose, with a clearly defined processing section, the outputs, and the stated benefits, showing how those benefits meet the requirements of the Care Act 2014.
- The purpose section will need to show which of the NHSD Standards applies to your application and how the Standard is met.
- If the purpose is for research, please provide evidence of ethics and protocols required.
Commercial and Funding
- Is the application in any way commercial? If so, please clearly demonstrate how this benefits the health and social care system.
- If external funding is provided, your application must show whether the funding organisations receive any outputs and whether the use of those outputs is commercial.
- Please provide evidence for any funding.
Data Protection Act registration
- Your organisation must have a valid Data Protection Act (DPA) registration which clearly shows that any use of the data will be for research relating to health.
- Does the DPA registration expire within 2 months? If so, you must have a plan in place to renew it.
Addresses
- You need to know which organisations are going to be acting as the data controller, the data processors, and the data storage locations.
- NHS Digital should only share data processed within the UK unless there is a good reason for it to be shared more widely.
- If the data is being processed within the EU or in a country covered by an adequacy decision, that country, territory, sector or international organisation has been deemed (by the adequacy decision) to provide an ‘essentially equivalent’ level of data protection to that which exists within the UK, that is, protection of individuals’ rights and freedoms in respect of their personal data.
- For the current list of countries or territories that are covered by adequacy regulations, check the ICO website: "International transfers after the UK exit from the EU Implementation Period" (ICO).
Last edited: 25 March 2025 12:07 pm