Skip to main content

Guidance on applying for identifiable data

We offer safe, secure access to patient data and provide one-to-one support to help your trial run smoothly and efficiently. Our services can support you at every stage of the clinical trial process.  

Page contents

Things to do at your planning stage

How to get ahead with your application for identifiable data. Offering step-by-step guidance for applicants. 

Your checklist
  • 1. Contact NHS DigiTrials
  • 2. Understand and document how data will flow between organisations
  • 3. Consider data security requirements, including data destruction
  • 4. Prove the benefit to health or care in England or Wales
  • 5. Know which organisations are your controllers or processors
  • 6. Show your proposed data processing is lawful, fair and transparent
  • 7. Consider contracts

1. Contact NHS DigiTrials

It's best to send us an email at an early stage, while you're designing your trial.

We can help you decide which of our routinely-collected data from electronic health records is the best data collection method for your clinical trial.

We can work with you to check if the data we hold can meet your trial requirements and establish an early outline of:

  • which of our services would be appropriate for your trial
  • the dataset field variables that are accessible to you and fit your trial's purpose
  • how timelines for the release of data fit with your trial timelines
  • if you have sufficient funds to receive and retain the data in an agreement
  • if you have the time and resource to work through our application process

Email us

[email protected]

Please label your email 'NHS DigiTrials' to help us direct your email to the correct team as quickly as possible. 

2. Understand and document how data will flow between organisations

It's good to start work at an early stage on researching and understanding how data will flow between organisations, with the aim of eventually documenting this in a data-flow diagram. 

Your data-flow diagram should show:

  • the data (identifiable, personal or confidential) that flows between organisations - also consider any specific data needed for your trial that you will be sharing
  • the relevant legal basis for each data flow between organisations
  • what you plan to do with the data

Your data-flow diagram needs to include the flow of data to, and from, NHS Digital, and how you plan to link with any trial-specific datasets.

This will help identify the approvals you need and, ultimately, show you have them.

3. Consider data security requirements, including data destruction

You will need to prove that data will be processed and stored safely and securely, by showing that minimum security standards are in place.

You will also need to prove how you will destroy data (including cloud data) on expiry of your contract or agreement. 

This includes arrangements for:

  • data storage and processing locations, including those in the cloud
  • data access, including remote access and permission control
  • data back-ups and disaster recovery, including third-party server and geographically remote back-up locations
  • data destruction, including cloud data destruction

Security Assurance evidence should be provided as one of the following: 

  • valid current Data Security and Protection Toolkit (DSPT) entry
  • current ISO27001
  • a valid System Level Security Processes (SLSP)

Different areas or departments within one organisation may be covered by different DSPT or ISO standards, so it's important to understand the flow of data between them and the security assurances for each of them.

The NHS Digital security team review each application before data is released. 

Include your organisation's information security lead in your application and this review to minimise any potential delays in release of data.

4. Prove the benefit to health or care in England or Wales

NHS DigiTrials can only share data to benefit health and care in England or Wales, so you need to make the benefits of your trial clear in your application.

Include details of patient and public involvement, and the potential benefit to patients.

You should also include planned outputs and their approximate timescales, including any:

  • academic publications
  • conference presentations
  • clinical guidelines
  • tailored summaries for stakeholders such as charities or trial participants

5. Know which organisations are your controllers or processors

Individual patient record data is considered personal data. Organisations that process this data need to be identified as data controllers, and/or data processors.

Who is a controller?

An organisation which decides why and how the personal data is processed is a data controller, even if the processing itself takes place outside the organisation.

The data controller is likely to be the organisation who sponsors the research and employs the staff who design and develop the protocol, and analyse the results. 

Who are joint controllers?

Organisations that jointly decide why and how the personal data is processed, for shared purposes, are joint data controllers.

This relationship is common where sponsors and Clinical Trial Units (CTUs) are based in different organisations. 

Who is a processor?

An organisation that processes the personal data on behalf of and under the authority of a data controller is a data processor.

There may also be a number of joint data processors in one Data Sharing Agreement (DSA). 

Defining roles

Collaborative research may involve several controllers and processors. You must be clear on the role of each organisation or department, in your application, to show you comply with the General Data Protection Regulation (GDPR).

Where collaborative organisations are not considered a controller or processor, their role should also be clearly defined. This may include co-applicant organisations, where they are not involved in decisions relating to how data will be processed in your study, or the actual processing.

More information on the definition of a data controller or data processor is available on the Information Commissioner's Office (ICO) website. 

Read the information provided by the ICO

6. Show your proposed data processing is lawful, fair and transparent

You need to show your proposed use of data is legal under the laws covering data processing in the UK, the Common Law Duty of Confidentiality (CLDC) and the General Data Protection Regulation (GDPR).

About the Common Law Duty of Confidentiality (CLDC)

The CLDC applies to confidential information (including health-related data) which is not in the public domain. It applies to living and deceased individuals.

Consent from individual research participants is one method used to demonstrate compliance with the CLDC.

Your application should include the description you have given to the research participants to make them aware that their confidential data is being shared – applying a principle of 'no surprises'.

Where consent is not in place, not adequate, or not possible to obtain, a Section 251 approval from the Confidentiality Advisory Group (CAG) is needed to access confidential patient information without consent.

Find out more about the Confidentiality Advisory Group (CAG)

About the General Data Protection Regulation (GDPR)

You need to show that your proposed use (processing) of data complies with the GDPR.

About the need for a legal basis

Organisations processing personal data need a legal basis for that processing activity – for example for your organisation to share, and receive data from NHS Digital.

Under Article 6 of GDPR, there are six legal bases for processing of personal data. 

Additionally, because the data NHS Digital holds is health data, it is classed as a Special Category of Personal Data. Therefore, under Article 9 of GDPR, a further ten available legal bases should be considered. 

You will need to select one of each and, while we can provide you with advice, you should discuss this with your Information Governance (IG) department to establish the correct basis for your agreement. 

About fairness and transparency requirements

Transparency is a legal requirement under GDPR. It is the controller's responsibility to ensure that research participants are informed about how their personal data is being collected and used.

This is usually undertaken through an organisation or trial-specific Privacy Notice or Transparency Notice, which should be provided to research participants before processing their personal data. 

It should be transparent, accessible and use plain language. It should include information on: 

  • The purpose for which a participant's personal data will be used
  • how long personal data will be retained
  • what a participant's rights are in terms of the processing their personal data
  • where the data will be stored
  • who will have access to the personal data and in what form, including whether it will be shared with other organisations and if these organisations are in the UK, EU or worldwide

 Clinical trials will also provide privacy information in, for example: 

  • participant information sheets
  • informed consent forms
  • consultee advice forms
  • study websites
  • newsletters
  • social media
  • any other information provided by health care professionals at relevant study visits

It's good practice to keep participants informed about what is happening with their data, and plan for this at start of your study.   

You should review the data flow and processing for your application and make sure that it matches the information provided to the participant.

If your privacy and/or patient information does not match the actual processing and flow of your data, your application may be rejected until you can provide a suitable legal basis for processing under GDPR and CLDC.

About data minimisation requirements

It's a legal requirement under GDPR to ensure that you only use the least possible amount of personal data to achieve your project's goals.

You must show that the personal data requested is adequate, relevant and limited to the purpose of the research. You should include a justification as to why the data cannot be obtained in another way.

7. Consider contracts

Contracts will be put in place to allow data to be shared and processed between different organisations involved in the trial.

Before a Data Sharing Agreement (DSA) can be started, a valid Data Sharing Framework Contract (DSFC) between NHS Digital and each data controller must be in place, signed at the organisational level.

Then each data access request will have a separate DSA, which will refer back to the organisational DSFC. This can be signed at a local faculty or departmental level.

The DSFC and DSA need to be maintained to provide assurance that your organisation meets the standards outlined in the DSFC and any related DSA. It is worth checking if the terms of employment for anyone accessing data meet the required standards, especially if they are a contingent (contract) worker. 

Failure to comply with contractual requirements may put future data access requests at risk.

Depending on how you are working with us, and the level and type of service you are receiving from NHS DigiTrials, you (and/or your data processor where appropriate) may also be required to sign additional agreements between your organisation and the relevant NHS DigiTrials service area(s), such as a Service Agreement or Data Processing Agreement, for example.

Next steps

One of our case officers will contact you to further understand your requirements and ensure you have all the paperwork in place to support your application for data.

The application is made via an online portal managed by the Data Access Request Service (DARS). Our case officer will support you through the application process. . 

Contact us

Email: [email protected] 

Phone: 0300 3035678

Label your email 'NHS DigiTrials' to help us direct your email to the correct team as quickly as possible.

If you are contacting us about an existing enquiry or application, include your NIC number when you get in touch.

Further reading

Last edited: 23 January 2025 4:06 pm