Introduction

The United Kingdom’s National Health Service generates one of the richest longitudinal health datasets in the world. Decades of electronic records, spanning primary care consultations, hospital episodes, prescriptions, pathology results, and imaging, are held across a patchwork of NHS trusts, primary care networks, commissioning support units, and specialised registries.

For research organisations seeking access to this data — whether for clinical trials, epidemiological studies, or AI model development — understanding the governance landscape is not optional. It is a prerequisite.

The Core Frameworks

NHS Data Security and Protection Toolkit (DSPT)

The DSPT is the NHS’s self-assessment framework for data security and protection. Organisations that handle NHS patient data must achieve at least “Standards Met” status annually. The DSPT covers ten standards including data security training, asset and information risk management, and cyber security.

Research organisations accessing NHS data for the first time are frequently surprised by the depth of the DSPT. It is not a box-ticking exercise; the NHS takes DSPT compliance seriously and data controllers will verify your status before agreeing to share data.

Key point: Achieving DSPT compliance takes time — typically 3–6 months for organisations starting from scratch. Build this into your project timeline.

Section 251 of the NHS Act 2006

Where research requires identifiable patient data (or data that cannot be fully anonymised without compromising scientific value), organisations may apply to the Health Research Authority (HRA) for a Section 251 support notice. This allows the legal basis for processing to be established where individual consent is not practicable.

Section 251 applications are reviewed by the Confidentiality Advisory Group (CAG) and typically take 3–6 months. They require a detailed justification for why consent cannot be obtained, a description of the data and its proposed use, and evidence of appropriate safeguards.

UK GDPR and the Data Protection Act 2018

All health data processing must comply with UK GDPR. Health data is special category data under Article 9, meaning additional legal bases must be established. For research, this is typically Article 9(2)(j) — processing for scientific or historical research purposes — subject to appropriate safeguards under Article 89.

Data Access Mechanisms

NHS England Data Access Request Service (DARS)

DARS is the primary mechanism for accessing NHS national datasets, including Hospital Episode Statistics (HES), the Mental Health Services Dataset, and the Improving Access to Psychological Therapies (IAPT) dataset. DARS reviews each application, which requires a data sharing agreement, DSPT compliance evidence, and a detailed description of the intended use.

Clinical Practice Research Datalink (CPRD)

CPRD holds primary care data from approximately 60 million patients across participating GP practices. It operates its own protocol review process and is one of the most widely used sources for pharmacoepidemiology and real-world evidence research.

Practical Steps for Research Organisations

  1. Assess your DSPT status — If you don’t have an active DSPT submission, start this immediately.
  2. Complete a DPIA — A Data Protection Impact Assessment is required for high-risk processing and is expected by most data controllers regardless.
  3. Identify the appropriate data controller — NHS data is held by many different organisations. Identify who controls the specific data you need.
  4. Engage a specialist intermediary — For organisations without in-house NHS data expertise, working with an accredited data broker significantly accelerates the process.

Common Pitfalls

The most common mistakes we see from organisations entering the NHS data ecosystem for the first time include: underestimating DSPT compliance timelines, failing to engage the Data Protection Officer (DPO) at the correct stage, requesting more data than is scientifically necessary (the data minimisation principle will result in your request being scaled back), and not having a clear data destruction or return plan.

Conclusion

NHS data governance is demanding, but navigable. Organisations that invest in compliance infrastructure upfront — or partner with specialists who have already done so — find that the access they gain is transformative. The scientific and commercial value locked in UK health records is enormous; the governance framework exists to protect it, not to prevent legitimate access.