This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies.

Guidance for CAG applicants

Last updated on 3 Feb 2023

Guidance and frequently asked questions on the process for submitting an application to Confidentiality Advisory Group (CAG) for both research and non-research purposes.

Do I need to apply to the Confidentiality Advisory Group (CAG)?

If you intend to access confidential patient information without consent, outside of the direct care team in England and Wales, you should consider whether doing so would be a breach of the common law duty of confidentiality.

The CAG pre-application checklist sets out some key considerations to help you to decide. The data controller is responsible for deciding whether an application to CAG should be made. The Confidentiality Advice Team can advise on the considerations that you should take into account, but the team will not make the decision on behalf of applicants or other data controllers. You should remember that section 251 support through CAG does not give approval to access data from a data controller. The purpose of section 251 support is to give the data controller a legal means of providing access to confidential patient information without consent.

The CAG advises on both research and non-research uses of confidential patient information without consent. If you are unsure of your project should be classified as research, our Is my study research? tool can help.

How do I prepare my CAG application?

The following documents are mandatory and have to be included with your application:

  • authorised CAG application form completed in IRAS (for research) or section 251 form (non-research) - draft versions will not be accepted
  • protocol
  • data flow diagram
  • written recommendation from Caldicott Guardian (or equivalent) of applicant’s organisation.

The following documents are expected if relevant to support the information in your application:

  • template materials to inform the patient population of the activity (patient notification materials)
  • supporting evidence of public involvement
  • participant information sheets and consent forms (where this is relevant to the application)
  • if there has been uncertainty about the need for a CAG application, you should include written confirmation from the local data controller on why the activity will cause a breach in confidentiality.

What information do I need to include in my CAG application?

The CAG expects to see clear information in all applications on the areas outlined below. You should also refer to our validation criteria to ensure that your application will be ready for review by CAG.

Scope of support

You should provide a short, clear overview of what you are requesting Section 251 support for. This should include a brief description of the data flows that support is requested for (including which organisations data will flow between, and what identifiable data items will be accessed). This overview should clearly state any flows/uses that do not required support – for example flows after data has been anonymised.

This description should be understandable to a lay person without knowledge of Information Governance or the study. For example:

Support is requested for the flow of confidential patient information (NHS number and date of birth) from organisation X to organisation Y, for patients seen between 2015 and 2022. This will enable organisation Y to link this data to the data held in their medical records and provide the requested clinical data to the sponsor. The flow of data returned from Organisation Y to the sponsor is anonymised and support is not requested for this flow. Prospective patients, included from 2022 onwards, will be consented and support is not requested for this patient group.

Data flow diagram

You should send a simple data flow diagram in your application which clearly shows the flows of data and should include all the information listed below. The Health Data Access Tool Kit has a template data flow diagram for you to use (this toolkit is an external resource not maintained by CAG or the HRA).

  • the organisations (legal entities) between which data will flow
  • for each organisation, the data source being used (for example medical records, or the specific dataset being accessed at NHS England)
  • for each flow, the identifiable data items that will be transferred. Where the flow will be pseudonymised or anonymised, this should be stated.
  • the legal basis for each flow. It should clearly distinguish which flows Section 251 support is requested for, and which flows Section 251 support is not requested for (for example anonymised, or flowing under consent)

Public involvement

The CAG expects to see evidence of public involvement that specifically tests the acceptability of using confidential patient information without consent for the purpose of your activity. This evidence will be used by CAG to understand public support for the use of confidential patient information in the application and can contribute to wider CAG considerations that the activity is in the public interest.

You should follow the HRA principles of public involvement when undertaking this work and clearly detail how you have met these along with the outputs in your application form. You can also provide supporting documentation detailing areas such as questions you have used, the responses you received as well as demonstrating it was undertaken with people with relevant lived experience of the health condition or social care situation on your activity.

Patient notification

If your application gains Section 251 support, it is important that the patient population is informed about the use of their information and have the opportunity to opt out. Your application should how you will inform the patient population of the use of their identifiable data without consent (patient notification), with examples of the materials to be used.

The CAG expects that the communication routes will be appropriate to the scale of disclosure. A large-scale national disclosure will need much more extensive communication routes than a local disclosure confined to one Trust. Therefore, patient notification should be specific and proportionate to your project.

Examples of acceptable patient notification methods may be:

  • poster/leaflet in relevant departments on NHS premises
  • letter to patients
  • information on the Trust and/or data controller website
  • local and/or national press (TV, website or print)
  • through relevant charities or support groups
  • use of relevant social media platforms.

Provision of GDPR privacy notices are not considered to be appropriate routes for patient notification but may be provided as part of a layered approach.

Notification materials should include:

  • a simple, clear description of the activity that includes details of the patient information to be used.
  • details of a project specific mechanism for patients to opt out. This should include various routes to contact (e.g. email, phone, postal address) and align with the details provided in your application.
  • a statement to confirm that the HRA (for research) or Secretary of State for Health and Social Care (for non-research) has given Section 251 support for the activity following advice from the Confidentiality Advisory Group.

CAG encourages the use of a layered approach to patient notification. That is, the initial notification materials provide a high-level overview of the activity, in line with the principles above, that also provides a link to provide further detailed information for those that wish to learn more e.g. through use of a QR code and/or link to a website.

Patient objection

The National Data Opt-Out policy applies to applications that work under Section 251 support. It is expected that all applications will apply the national data opt out and this should be confirmed in your application. Further information specific to research organisations can be found on our website.

In addition, CAG expects a project specific opt out mechanism to be used to enable the patient population to opt out of their data being used for this specific activity. You should include details in your application on how the project specific mechanism will operate such as who patients should contact to opt out of their data being used and how. Note that this should align with the detail in your patient notification materials.

Security Assurances

Department of Health and Social Care policy says that all organisations accessing confidential patient information in England under a CAG application have their Data Security and Protection Toolkit (DSPT) self-assessment submission reviewed by NHS England, to provide assurances that the organisation has achieved the appropriate ‘standards met’ status.

You should ensure that the organisations accessing confidential patient information for your application have an appropriate DSPT in place. Further information on how to check this can be found here.

I’ve prepared my CAG application – what do I do next?

  1. Review the precedent set criteria to determine if any categories/exclusions apply to your application.
  2. Check the CAG meeting and cut off dates for scheduled meetings and the corresponding dates by which valid applications must be received to be considered for that meeting.
  3. Call the confidentiality advice team (0207 104 8100 – available 9am-5pm) to book your application into the next available meeting. If your application falls into one of the precedent set categories you should state which category is relevant for your application.
  4. Within 24 hours of making your booking phone call you should email the fully completed application (for research applications please include .pdf and .xml versions of the IRAS form) and all supporting documents to If the application is not submitted within this time period it will automatically be removed from the booked meeting slot.
  5. A confidentiality advisor will review your application to check it meets our validation criteria. The confidentiality advisor may email you with queries during the validation process. You should respond to queries within the specified timeframe stated in the email to ensure your application will be ready for review by CAG at your booked meeting date.
  6. Your application will be reviewed by CAG at your booked meeting date.
  7. You will receive an outcome letter via email by the date specified within our timelines here. The letter will inform you of the outcome of the CAG meeting and the next steps you need to take.

Your application will receive one of the following outcomes:

  • Supported – your application has a legal basis to access identifiable patient information within the boundaries of your application. Your application will be subject to standard conditions of support and may also be subject to some specific conditions which will need to be actioned within the timeframe provided in your outcome letter
  • Provisional – further clarification or information is required before CAG can advise support
  • Deferred – your application does not contain enough information for the CAG to advise the decision maker. You may submit a new application for CAG to consider
  • Rejected – your application contains sufficient information and CAG have advised that the activity should not be supported

I have Section 251 support for my application – what else do I need to know?

Once you have Section 251 support a common law legal basis for access to confidential patient information without consent is in place. For non-research activities you may begin, but for research activities you will be able to start once you have HRA Approval. It should be noted that section 251 support resulting from a CAG application is permissive and does not require data controllers to provide information to the applicant. Your application will be added to a register of all supported applications, which can be found here. You can also find CAG meeting minutes here

All supported applications are subject to the standard conditions of support including submitting an annual review report. You should submit a report to the CAG every 12 months from the date of the final support letter, for the duration of the support. If you make any changes to the information provided and supported in your original CAG application you may need to submit an amendment.

Once you have completed accessing confidential patient information without consent for your application you should submit an end closure report.

If you have any questions about CAG, please contact the confidentiality advice team.

Back to confidentiality advisory group

Shape the future of the HRA website.