Apply for NHS data from NHS Digital

Apply for data from NHS Digital

In medical research, obtaining patient data as a follow up to studies is often a key stage in translational and epidemiological research. However, it can be a minefield to understand and work with the variety of national data custodians. Here we look at NHS Digital, the custodian for health and social care information from National Health Services in England. 


At a glance

 Know what data you need from NHS Digital 

 Understand who will have the overall responsibility for the research process

 Get in touch with us early so we can support the information governance and security elements of your work study 


DARS application process

For any information other than that accessed via the HES Data Interrogation System (HDIS) NHS Digital requires the researcher’s work to be undertaken in a department, or unit, which has information governance and security assurances in place. Please contact us or your local IG leads, if you would like to apply for data from NHS Digital as early as possible, to enable the department to put in place adequate arrangements for hosting the data. 

Before application

Before applying for identifiable data from NHS Digital, it is helpful to understand what data you will need, and what you will do, with each type of information you are requesting. This enables you to understand the bare minimum data that is necessary for the research, and also draft the response required by NHS Digital for the data minimisation evidence. Practices such as pseudonymisation of identifiable data before analysis can be a great way to minimise the risk to identifiable information reaching the wrong hands. 

A data flow map and data privacy impact assessment (DPIA) can also be useful for both the application, but also for research purposes in planning secure research, one aspect of which will be the systems you will use to store and process information, which will be queried by NHS Digital after submitting the information. 

Application key steps

Requirement Tips
Researcher to register for account with DARS Online Create new application, including information about your research project via Data Access Request Service
Initiate new application Use the reference number that you are given, format DARS-NIC-xxxxxx-xxxxx-xx when speaking to the DARS helpdesk 
Include start and end dates for the duration of your data access request  
Do you need data from specific individuals? If so, you need to select "yes" to providing cohort data
 When providing cohort data  
Indicate if you have a new cohort to provide to NHS Digital Select another existing agreement option if you have previously requested for different datasets from NHS digital for the same cohort of participants

Select the validation fields you'd like to use for linkage of information:

  • Study ID
  • NHS number
  • Date of birth
  • Surname (manual validation only)
  • Forename (manual validation only
  • Gender
  • Postcode

The auto-validation service is cheaper than the manual validation

Auto-validation service links data sets using NHS number, date of birth, postcode and gender, whereas the manual validation includes patient names (but incurs additional costs)

It is worth thinking about the minimum necessary fields you require to confirm identity of your participants for data minimisation purposes

Detail if you need information on your cohort backdated per data request, or only require data following the recruitment date  

Legal basis for identifiable data.

For Common Law:

  • Informed patient consent for the receipt, processing, and release of data by NHS Digital
  • Section 251 approval (or CAG approval) for access to patient data


  • Article 6(1)e. for personal information
  • Article 9(2)j. for special category (sensitive) personal information
NHS Digital needs to know your legal basis under both GDPR (in the public interest) and Common Law Duty of Confidentiality (either consent to participate in the study or section 251)

Select product you want to request. For each product include:

  • Data minimisation evidence (a paragraph or document explaining how you considered the risks to the data you're requesting)
  • Who should have access to the data? (indicate name, role of users within organisation that should be able to access the data)
  • Upload documentation - supporting evidence for the legal basis, for data minimisation (if DPIA exists), and any data flows and/or processing related documents (PDF format, 10MB maximum size limit. Can add an ONS user to the application. Possibly include the University's statutes and regulations to support the legal basis as a charity)
  • Select legal basis for the data flows (in the public interest for identifiable datasets)
  • Fair processing information (for identifiable data, key aspects to include are around the fair and transparent processing of information, which would typically be a published privacy notice)
For medical research projects, NHS Digital recommends MRIS: Personal Demographics service

Upload evidence:

  • Protocol
  • Ethics review
  • Consent form
  • Patient information form
  • Patient / GP letters
  • Section 251 support
  • IRAS application reference
  • ONS
  • Other

After the application

If you have not yet decided upon data storage, or are using MSD IT High Compliance systems, the information security team can provide you with the requirements to work securely in order to comply with NHS Digital’s requirements or help you draft answers that have been approved by NHS Digital If you are using other approved infrastructure, the local IG leads within the unit can support you in the completion of these questions.  Once this stage is complete, NHS Digital will confirm that the unit to which you are attributed has adequate information governance and security arrangements in place (as well as a wider Data Sharing Framework Contract which the University has), and will send the application, along with its conditions, to be reviewed and signed by the University’s signatory for NHS Digital. 

Once a successful contract, or Data Sharing Agreement, has been put in place, then it becomes your responsibility to abide by the conditions stated in the agreement, and ensure that the data is treated as highly protected.  It is also in the agreement that once the Data Sharing Agreement is nearing its expiry date, it is essential that you either renew, extend, or amend the agreement via another application on DARS at least one month before the expiry date, or alternately destroy the data securely, and send confirmation of this to NHS Digital within 14 days of expiry. 


Before starting a data application, it is important to know what information you will require, and who the custodian for that data is. Wherever possible, it is good practice to identify the bare minimum information you may need to answer your research question, as it minimises the risk, and is often easier to have approved as it demonstrates good data management. 

Where are you with your research? 

It is also important to identify when you may need the patient data for follow up, as NHS Digital requires engagement at both the unit level, and at the data application level. Therefore if the data is for a follow-up to a study, you should consider informing the department or unit of your intent well in advance in order to allow for sufficient time to ensure the right information governance and security assurances (typically an NHS Data Security and Protection Toolkit) are in place for you to request the data.

Collaboration with other organisations

If you are collaborating with another university or research institute for the data analysis, it is important to understand who has the overall responsibility for the research, and where they are based (even if no data is ever held, or accessed, by anyone in that institution). Please get in touch if you would like help with understanding who may need to complete the data application. 

Aggregated data

If you only require aggregated data on the Hospital Episode Statistics (HES) that was not included in the annual reports published by NHS Digital, then you can request it via DARS Online application form without needing to have a wider Data Security and Protection Toolkit submission in place. This is because you will be accessing the data, and conducting further statistical analysis, on the secure NHS servers via the online portal.