DARS application process
For any information other than that accessed via the HES Data Interrogation System (HDIS) NHS Digital requires the researcher’s work to be undertaken in a department, or unit, which has information governance and security assurances in place. Please contact us or your local IG leads, if you would like to apply for data from NHS Digital as early as possible, to enable the department to put in place adequate arrangements for hosting the data.
Before applying for identifiable data from NHS Digital, it is helpful to understand what data you will need, and what you will do, with each type of information you are requesting. This enables you to understand the bare minimum data that is necessary for the research, and also draft the response required by NHS Digital for the data minimisation evidence. Practices such as pseudonymisation of identifiable data before analysis can be a great way to minimise the risk to identifiable information reaching the wrong hands.
A data flow map and data privacy impact assessment (DPIA) can also be useful for both the application, but also for research purposes in planning secure research, one aspect of which will be the systems you will use to store and process information, which will be queried by NHS Digital after submitting the information.
Application key steps
|Researcher to register for account with DARS Online
||Create new application, including information about your research project via Data Access Request Service
|Initiate new application
||Use the reference number that you are given, format DARS-NIC-xxxxxx-xxxxx-xx when speaking to the DARS helpdesk
|Include start and end dates for the duration of your data access request
|Do you need data from specific individuals?
||If so, you need to select "yes" to providing cohort data
| When providing cohort data
|Indicate if you have a new cohort to provide to NHS Digital
||Select another existing agreement option if you have previously requested for different datasets from NHS digital for the same cohort of participants
Select the validation fields you'd like to use for linkage of information:
- Study ID
- NHS number
- Date of birth
- Surname (manual validation only)
- Forename (manual validation only
The auto-validation service is cheaper than the manual validation
Auto-validation service links data sets using NHS number, date of birth, postcode and gender, whereas the manual validation includes patient names (but incurs additional costs)
It is worth thinking about the minimum necessary fields you require to confirm identity of your participants for data minimisation purposes
|Detail if you need information on your cohort backdated per data request, or only require data following the recruitment date
Legal basis for identifiable data.
For Common Law:
- Informed patient consent for the receipt, processing, and release of data by NHS Digital
- Section 251 approval (or CAG approval) for access to patient data
- Article 6(1)e. for personal information
- Article 9(2)j. for special category (sensitive) personal information
|NHS Digital needs to know your legal basis under both GDPR (in the public interest) and Common Law Duty of Confidentiality (either consent to participate in the study or section 251)
Select product you want to request. For each product include:
- Data minimisation evidence (a paragraph or document explaining how you considered the risks to the data you're requesting)
- Who should have access to the data? (indicate name, role of users within organisation that should be able to access the data)
- Upload documentation - supporting evidence for the legal basis, for data minimisation (if DPIA exists), and any data flows and/or processing related documents (PDF format, 10MB maximum size limit. Can add an ONS user to the application. Possibly include the University's statutes and regulations to support the legal basis as a charity)
- Select legal basis for the data flows (in the public interest for identifiable datasets)
- Fair processing information (for identifiable data, key aspects to include are around the fair and transparent processing of information, which would typically be a published privacy notice)
|For medical research projects, NHS Digital recommends MRIS: Personal Demographics service
- Ethics review
- Consent form
- Patient information form
- Patient / GP letters
- Section 251 support
- IRAS application reference
After the application
If you have not yet decided upon data storage, or are using MSD IT High Compliance systems, the information security team can provide you with the requirements to work securely in order to comply with NHS Digital’s requirements or help you draft answers that have been approved by NHS Digital If you are using other approved infrastructure, the local IG leads within the unit can support you in the completion of these questions. Once this stage is complete, NHS Digital will confirm that the unit to which you are attributed has adequate information governance and security arrangements in place (as well as a wider Data Sharing Framework Contract which the University has), and will send the application, along with its conditions, to be reviewed and signed by the University’s signatory for NHS Digital.
Once a successful contract, or Data Sharing Agreement, has been put in place, then it becomes your responsibility to abide by the conditions stated in the agreement, and ensure that the data is treated as highly protected. It is also in the agreement that once the Data Sharing Agreement is nearing its expiry date, it is essential that you either renew, extend, or amend the agreement via another application on DARS at least one month before the expiry date, or alternately destroy the data securely, and send confirmation of this to NHS Digital within 14 days of expiry.