Apply for NHS data from NHS Digital

Apply for data from NHS Digital

In medical research, obtaining patient data as a follow up to studies is often a key stage in translational and epidemiological research. However, it can be a minefield to understand and work with the variety of national data custodians. Here we look at NHS Digital, the custodian for health and social care information from National Health Services in England. Read on to find out more.


At a glance

  • Know what data you need from NHS Digital 
  • Understand who will have the overall responsibility for the research process
  • Get in touch with us early so we can support the information governance and security elements of your work study 

DARS Application process

For any information other than that accessed via the HES Data Interrogation System (HDIS) NHS Digital requires the researcher’s work to be undertaken in a department, or unit, which has information governance and security assurances in place. Please contact us or your local IG leads, if you would like to apply for data from NHS Digital as early as possible, to enable the department to put in place adequate arrangements for hosting the data. 

Before Application

Before applying for identifiable data from NHS Digital, it is helpful to understand what data you will need, and what you will do, with each type of information you are requesting. This enables you to understand the bare minimum data that is necessary for the research, and also draft the response required by NHS Digital for the data minimisation evidence. Practices such as pseudonymisation of identifiable data before analysis can be a great way to minimise the risk to identifiable information reaching the wrong hands. 

A data flow map and data privacy impact assessment (DPIA) can also be useful for both the application, but also for research purposes in planning secure research, one aspect of which will be the systems you will use to store and process information, which will be queried by NHS Digital after submitting the information. 

Application key steps




Researcher to register for an account with DARS Online.    

You will be able to create a new application, including information about your research project via


Initiate a new application. 

You will be given a reference number, in the format DARS-NIC-xxxxxx-xxxxx-xx. Use this when talking to the DARS helpdesk about your application.

Include start and end dates for the duration of your data access request.


Do you need data from specific individuals?   

If so, you will need to select 'yes' to providing cohort data.

If yes, provide cohort details including: 


Indicate whether you have a new cohort to provide to NHS Digital.

You can select another existing agreement option if you have previously requested for different dataset from NHS digital for the same cohort of participants.

Select the validation fields you'd like to use for the linkage of information:
 Study ID
 NHS Number
 Date of Birth
 Surname- manual validation only
 Forename- manual validation only

The auto validation service is cheaper than the manual validation. 

Auto-validation service links data sets using NHS Number, Date of Birth, Post Code and Gender; whereas the manual validation includes patient names (but incurs additional costs).

However, it is worth thinking about the minimum necessary fields you require to confirm identity of your participants for data minimisation purposes. 

Include details of whether you need information on your cohort backdated per data request; or only require data following the recruitment date. 


Legal Basis for identifiable data: 
For Common Law: Informed patient consent for the receipt, processing, and release of data by NHS Digital;
Section 251 Approval (or CAG approval) for access to patient data
For GDPR: Article 6(1)e. for personal information, and Article 9(2)j. for special category (sensitive) personal information. 

NHS Digital needs to know your legal basis under both GDPR (which should be task in public interest), and Common Law Duty of Confidentiality (which is either consent to participate in the study, or section 251). 

Select the product you wish to request. For each product, include the following:

For medical research projects, NHS Digital recommends MRIS: Personal Demographics Service.

Data minimisation evidence

It can be a paragraph, or other document explaining how you considered the risks to the data you're requesting. 

Who should have access to the data?

Indicate the name and role of users within your organisation who should be able to access the data.

Upload documentations:
Supporting evidence for the legal basis
Supporting evidence for data minimisation (if DPIA exists)
Any data flows and or processing related documents

The documentations need to be in PDF format, with maximum size limit of 10MB. You may also add an ONS user to the application.  Other application evidence may include the University’s statutes and regulations to support the legal basis as a charity.

Select legal basis for the data flows.

This would be task in the public interest for identifiable datasets

Fair processing information

For identifiable data, key aspects to include around the fair and transparent processing of information would be typically a published privacy notice.

Upload evidence:
Ethics review
Consent form
Patient information form
Patient/ GP letters
Section 251 support
IRAS application reference

The documentations need to be in PDF format, with maximum size limit of 10MB. You may also add an ONS user to the application.

After the application

If you have not yet decided upon data storage, or are using MSD IT High Compliance systems, the information security team can provide you with the requirements to work securely in order to comply with NHS Digital’s requirements or help you draft answers that have been approved by the NHS Digital If you are using other approved infrastructure, the local IG leads within the unit can support you in the completion of these questions.  Once this stage is complete, NHS Digital will confirm that the unit to which you are attributed has adequate information governance and security arrangements in place (as well as a wider Data Sharing Framework Contract which the University has), and will send the application, along with its conditions, to be reviewed and signed by the University’s signatory for NHS Digital. 

Once a successful contract, or Data Sharing Agreement, has been put in place, then it becomes your responsibility to abide by the conditions stated in the agreement, and ensure that the data is treated as highly protected.  It is also in the agreement that once the Data Sharing Agreement is nearing its expiry date, it is essential that you either renew, extend, or amend the agreement via another application on DARS at least one month before the expiry date, or alternately destroy the data securely, and send confirmation of this to NHS Digital within 14 days of expiry. 


Before starting a data application, it is important to know what information you will require, and who the custodian for that data is. Wherever possible, it is good practice to identify the bare minimum information you may need to answer your research question, as it minimises the risk, and is often easier to have approved as it demonstrates good data management. 

Where are you with your research? 

It is also important to identify when you may need the patient data for follow up, as NHS Digital requires engagement at both the unit level, and at the data application level. Therefore if the data is for a follow-up to a study, you should consider informing the department or unit of your intent well in advance in order to allow for sufficient time to ensure the right information governance and security assurances (typically a NHS Data Security and Protection Toolkit) are in place for you to request the data.

Collaboration with other organisations

If you are collaborating with another university or research institute for the data analysis, it is important to understand who has the overall responsibility for the research, and where they are based (even if no data is ever held, or accessed, by anyone in that institution). Please get in touch if you would like help with understanding who may need to complete the data application. 

Aggregated data

If you only require aggregated data on the Hospital Episode Statistics (HES) that was not included in the annual reports published by NHS Digital, then you can request it via DARS Online application form without needing to have a wider Data Security and Protection Toolkit submission in place. This is because you will be accessing the data, and conducting further statistical analysis, on the secure NHS servers via the online portal.