Skip to content
St George's and City have merged. Find out more.

Having ethical approval for a study is not sufficient to start collecting personal identifiable data, generally. In some cases you will need to gain participant consent however permission maybe regulated under further permissions guidelines like the HRA, ONS or Dept of Health. When accessing data collected by another organisation most will have an approval procedure to follow e.g. NHS Digital use their own Data Access Request Service (DARS).

The University has policies and procedures for maintaining confidentiality which researchers should refer to.  The University also maintains compliance with the NHS Digital Data Security and Protection Toolkit (DSPT) which is submitted annually.  The DSPT and University Policies can be used when a data provider asks for a level of assurance in how the data will be handled.

If your research involves personal identifiable data then you will need to complete a research specific Data Protection Impact Assessment, details of which can be provided by the JRES.

The Data Security and Protection Toolkit (DSPT)

The DSPT is the way in which the Department for Health seeks assurance that Patient Information is managed and treated securely.  An organisation is required to have a toolkit in the following instances:

  • Access to confidential information without consent (section 251)
  • Obtaining data from NHS Digital through the Data Access Request Service (DARS)
  • Obtaining data from an organisation that has data covered by section 251 or data that originates from NHS Digital
  • NHS and non-NHS organisations may require a toolkit as part of a Data Sharing Agreement or when you are carrying out work on behalf of an NHS organisation eg Clinical Trial or performing testing.

 If you have a project which involves the above then please contact the Head of Information Governance.

University's Data Safe Haven (DASH)

The DASH provides a secure location for research data.  The DASH must be used for any data provided by NHS Digital, through their Data Access Request service, or research projects requiring Section 251 approval, any exceptions to this must have documented agreement by the relevant Institute Director and the Head of Information Governance informed. 

The DASH can also be used by non NHS Digital data users where the data is highly sensitive and their security requirements can only be met by the use of a DASH.

Research Information Governance Audit (RIGA)

Information governance audits are carried out randomly on research projects within the University so as to provide assurance to the University on compliance of research projects with the University 's information governance policies and procedures:

Guidance links

IG Guidance on DARS application can be found here DARS IG: Questions & Guidance.

Research Data Management guidance can be found here: Research Data Management.

Clinical research guidance can be found here: Standard Operating Procedures and Templates.

Guidance on the collection and storage of research data can be found here: Databases for Research Projects.

Find a profileSearch by A-Z