Getting Ready

Before Submitting a Request

Before submitting a request for data access, it will be useful for you to consider the following as you may be asked to discuss some (or all) of the following aspects with the lead data custodian:

  • Approval from Research Ethics Committee

    The Medical Research Council provides a decision tool to determine if your study requires approval from an NHS Research Ethics Committee. To access the tool, click here. Alternatively, you can find this guidance on the HRA website

    Note, University Research Ethics Committee review may still be required for your study, e.g. journal mandate for publication. Contact the appropriate university directly to determine whether this approval is needed.

  • Consent or alternative legal basis

    If access to identifiable information is essential and/or if you need to share identifiable information, for example to perform linkage, you need either explicit consent or an alternative legal basis such as Section 251 approval for these data flows. Further guidance has been produced in this area.

    Please note that interpretation for consent can vary. You may consider you have consent, yet the data custodian may require additional assurance. You should discuss this further with the appropriate data custodian experts.

  • Approval from Health Research Authority (HRA) Research Ethics Committee (REC)

    If you need access and/or share identifiable information, approval from HRA REC is required, which will include a review and approval of your consent process (if applicable).

  • HRA Confidentiality Advisory Group (CAG)

    If you intend to access identifiable information without having gained consent, you need to apply to the HRA CAG, who manages any requests for Section 251 approvals.

  • HRA Approval

    Some studies may be eligible for HRA Approval which is a new process bringing together the assessment of governance and legal compliance.

  • Approved researcher status

    If you require mortality data, you may also need to obtain approved researcher status for accessing ONS data. The data custodian experts can advise you further on this

  • Data Sharing Framework Contract and/or Data Sharing Agreement

    Some Data Custodians require your organisation to sign a Data Sharing Framework Contract (organisation / department level) and Data Sharing Agreement (study / project level). It may be worthwhile confirming whether your organisation has already signed a Data Sharing Framework Contract with the Lead Data Custodian, and whether this includes / covers your Department. Note that only a legal entity can sign a Data Sharing Agreement.

  • Information Governance Toolkit

    Some Data Custodians require completion of the Information Governance (IG) Toolkit. If your organisation has completed the IG Toolkit , it may be useful to confirm with your local Information governance or IT security experts whether the arrangements for your study will be covered in this Toolkit return. If not, it takes about 6-9 months to complete the IG Toolkit as you will need to liaise with others in your organisation. More information is available from a NHS Digital security arrangements publication.

  • Data Protection Act considerations

    The Data Protection Act requires any processing of identifiable data to be conducted using the minimum amount of data necessary to achieve the objective. Consideration would need to be given to how such data minimisation is achieved, as well as the justification for requiring identifiable data.


In regards to the specific governance approach NHS Digital, the Medical Research Council (MRC) has worked with NHS Digital in developing a document outlining how to obtain data from NHS Digital. This document has further useful background information that can help you to get ready before contacting NHS Digital. You can find this document on the MRC website.