Information Services Division


Getting data from NHS Digital, PHE, NatCen without consent

This page outlines the process for gaining access to data using Section 251 of the NHS Act 2006.

There are cases where researchers can obtain a legal basis for processing personal data from healthcare records and from the Office for National Statistics' (ONS) mortality data without direct consent from data subjects in circumstances where it would not be possible to gain consent for the study. This page outlines the process for gaining access to such data using Section 251 of the NHS Act 2006.

To begin with, you will need Confidentiality Advisory Group (CAG) support so you should try to learn as much as possible about that process through the Health Research Authority here.

The CAG application will form part of IRAS (which is the integrated research application system for applying for Health Research Authority approval). Studies begin using IRAS once they have contacted the UCL Joint Research Office who provide support.

It is important to decipher early on which organisation will lead the application to CAG. If all of the people who access patient data without consent would otherwise have legitimate access to that patient data anyway then UCL will not be the lead applicant. Where UCL are directing staff or third parties to access patient data without consent who would not otherwise have legitimate access to that patient data, UCL will be the lead applicant. SLMS Information Governance Services can provide appropriate technical responses for the IRAS form that relate to handling data within the Data Safe Haven once we have appropriate assurance that the data will be held within the secure environment and in accordance with SLMS policies and procedures. Appropriate assurance in this case will start with an information asset owner taking the lead in registering and outlining the project with SLMS Information Governance services here.

For ONS Special License data, researchers are required to provide assurances around their network security and physical security in place for a designated IP address and workstation. For detailed advice on ONS requirements read here (missing link).

The NHS IG Toolkit Level 2 is a minimum standard security model for all CAG approvals, NHS Digital data, PHE and NatCen applications. Before you use the IG Toolkit from the UCL School of Life and Medical Sciences in your application, we need appropriate assurance through the SLMS IG Framework. This is managed through the SLMS Information Governance Advisory service.

Sufficient evidence of information governance gathered through the SLMS IG Framework will also assist us in requesting a letter of recommendation from the Senior Information Risk Owner for UCL SLMS (needed for CAG approval although the form uses the phrase ‘Data Custodian’ here). For the letter, we will also need a piece of text from you that explains the reasons for applying to CAG and what makes it an important piece of research for the purposes of improving public health. We have a template for this as well so just ask when you need to see that.

Once CAG approval is in place you will then start applying for a set of data from one of the public health bodies (NHS Digital, PHE or NatCen). You should expect to justify any database fields you intend to use, who will have access and how long you intend to manage the data for. This information will be captured in an agreement (called a Data Sharing Agreement). The UCL Research Contracts office will help you to sign a Data Sharing Agreement.

The SLMS Information Governance Advisory service manages UCL's relationship with NHS Digital. Once you have a signed agreement with NHS Digital we will need to know the details and we have provided a space for you to upload contracts covering any transfers of data on the IG Advisory SharePoint service. Please ensure you upload a copy of any data sharing agreements and notify us once they have been signed off.