Information Services Division


Applying for data

UK law permits the secondary use of personal data collected routinely for the purpose of providing services such as health, education and policing where there is a public interest for research.

Additionally, some anonymised data sets held by government departments that can be used for research have restricted access. The process of applying for those data sets varies according to which department you are applying to.

Applying for health and social care data

The Department of Health uses the Confidentiality Advisory Group (CAG) to determine which applications are valid for secondary use of health and social care data. The CAG application forms part of the Integrated Research Application System (IRAS). Currently, CAG applicants are expected to fulfil the requirements of the NHS IG Toolkit, a set of requirements managed by NHS Digital that covers management, confidentiality/data protection and information security.

Applying for other administrative data

The Department for Education are the custodians of the UK's schools data. They determine access to the National Pupil Database via the Information Security Questionnaire, which requires assurances broadly in line with the ISO 27001 standard.

Meeting the requirements

UCL School of Life and Medical Sciences (SLMS) have completed some of the work necessary to meet both the NHS IG Toolkit and the ISO 27001 standard. The remainder needs to be completed via the SLMS Information Governance Framework. Studies will need to carry out risk assessments, ensure adequate contracts with third parties are in place and take training annually. The SLMS will audit studies against the IG Toolkit requirements and the ISO 27001 standard. An audit report will be produced and, where there are recommendations, studies will be expected to write and implement an improvement plan.

Non-UK data applications

Researchers applying for sensitive data outside of the UK will be expected to comply with the legal requirements of those jurisdictions. It is common for custodians of sensitive data to gain assurances through a contract which will set out specific requirements. Before entering into such contracts, studies should check that they have evidence of working in line with those requirements.