DARS Application process
For any information other than that accessed via the HES Data Interrogation System (HDIS) NHS Digital requires the researcher’s work to be undertaken in a department, or unit, which has information governance and security assurances in place. Please contact us or your local IG leads, if you would like to apply for data from NHS Digital as early as possible, to enable the department to put in place adequate arrangements for hosting the data.
Before applying for identifiable data from NHS Digital, it is helpful to understand what data you will need, and what you will do, with each type of information you are requesting. This enables you to understand the bare minimum data that is necessary for the research, and also draft the response required by NHS Digital for the data minimisation evidence. Practices such as pseudonymisation of identifiable data before analysis can be a great way to minimise the risk to identifiable information reaching the wrong hands.
A data flow map and data privacy impact assessment (DPIA) can also be useful for both the application, but also for research purposes in planning secure research, one aspect of which will be the systems you will use to store and process information, which will be queried by NHS Digital after submitting the information.
Application key steps
Researcher to register for an account with DARS Online.
Initiate a new application.
You will be given a reference number, in the format DARS-NIC-xxxxxx-xxxxx-xx. Use this when talking to the DARS helpdesk about your application.
Include start and end dates for the duration of your data access request.
Do you need data from specific individuals?
If so, you will need to select 'yes' to providing cohort data.
If yes, provide cohort details including:
Indicate whether you have a new cohort to provide to NHS Digital.
You can select another existing agreement option if you have previously requested for different dataset from NHS digital for the same cohort of participants.
Select the validation fields you'd like to use for the linkage of information:
Date of Birth
Surname- manual validation only
Forename- manual validation only
The auto validation service is cheaper than the manual validation.
Auto-validation service links data sets using NHS Number, Date of Birth, Post Code and Gender; whereas the manual validation includes patient names (but incurs additional costs).
However, it is worth thinking about the minimum necessary fields you require to confirm identity of your participants for data minimisation purposes.
Include details of whether you need information on your cohort backdated per data request; or only require data following the recruitment date.
Legal Basis for identifiable data:
For Common Law: Informed patient consent for the receipt, processing, and release of data by NHS Digital;
Section 251 Approval (or CAG approval) for access to patient data
For GDPR: Article 6(1)e. for personal information, and Article 9(2)j. for special category (sensitive) personal information.
NHS Digital needs to know your legal basis under both GDPR (which should be task in public interest), and Common Law Duty of Confidentiality (which is either consent to participate in the study, or section 251).
Select the product you wish to request. For each product, include the following:
For medical research projects, NHS Digital recommends MRIS: Personal Demographics Service.
Data minimisation evidence
It can be a paragraph, or other document explaining how you considered the risks to the data you're requesting.
Who should have access to the data?
Indicate the name and role of users within your organisation who should be able to access the data.
Supporting evidence for the legal basis
Supporting evidence for data minimisation (if DPIA exists)
Any data flows and or processing related documents
The documentations need to be in PDF format, with maximum size limit of 10MB. You may also add an ONS user to the application. Other application evidence may include the University’s statutes and regulations to support the legal basis as a charity.
Select legal basis for the data flows.
Fair processing information
For identifiable data, key aspects to include around the fair and transparent processing of information would be typically a published privacy notice.
Patient information form
Patient/ GP letters
Section 251 support
IRAS application reference
The documentations need to be in PDF format, with maximum size limit of 10MB. You may also add an ONS user to the application.
After the application
NHS Digital staff will review the application and typically tend to respond with further questions on the physical storage and security of the systems being used for the data.
If you have not yet decided upon data storage, or are using MSD IT High Compliance systems, the information security team can provide you with the requirements to work securely in order to comply with NHS Digital’s requirements or help you draft answers that have been approved by the NHS Digital If you are using other approved infrastructure, the local IG leads within the unit can support you in the completion of these questions. Once this stage is complete, NHS Digital will confirm that the unit to which you are attributed has adequate information governance and security arrangements in place (as well as a wider Data Sharing Framework Contract which the University has), and will send the application, along with its conditions, to be reviewed and signed by the University’s signatory for NHS Digital.
Once a successful contract, or Data Sharing Agreement, has been put in place, then it becomes your responsibility to abide by the conditions stated in the agreement, and ensure that the data is treated as highly protected. It is also in the agreement that once the Data Sharing Agreement is nearing its expiry date, it is essential that you either renew, extend, or amend the agreement via another application on DARS atleast one month before the expiry date, or alternately destroy the data securely, and send confirmation of this to NHS Digital within 14 days of expiry.