This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies.

Find out more here.

Standard conditions of support

Last updated on 17 Aug 2018

Support to process confidential patient information without consent, given by the Health Research Authority (for research purposes) or the Secretary of State for Health and Social Care (for non-research purposes), is subject to the following standard conditions of support.

The applicant and those processing the information will ensure that:

1. The specified confidential patient information is only used for the purpose(s) set out in the application.


2. Confidentiality is preserved and there are no disclosures of information in aggregate or patient level form that may inferentially identify a person, nor will any attempt be made to identify individuals, households or organisations in the data.


3. Requirements of the Statistics and Registration Services Act 2007 are adhered to regarding publication when relevant, in addition to other national guidance.


4. All staff with access to confidential patient information have contractual obligations of confidentiality, enforceable through disciplinary procedures.


5. All staff with access to confidential patient information have received appropriate ongoing training to ensure they are aware of their responsibilities.


6. Activities remain consistent with the General Data Protection Regulation and Data Protection Act 2018.


7. Audit of data processing by a designated agent is facilitated and supported.


8. The wishes of patients who have withheld or withdrawn their consent are respected.


9. Any significant changes (for example, people, purpose, data flows, data items, security arrangements) must be approved via formal amendment prior to changes coming into effect.


10.An annual review report is submitted to the CAG every 12 months from the date of the final support letter, for the duration of the support.


11. Any breaches of confidentiality around the supported flows of information should be reported to CAG within 10 working days of the incident, along with remedial actions taken / to be taken. This does not remove the need to follow national/legal requirements for reporting relevant security breaches. 

Back to guidance for cag applicants