Data Management Plan

You should incorporate a Data Management Plan into your research protocol. This should describe the data processing and management activities throughout the lifecycle of a research study. When preparing for data access, writing a Data Management Plan will help to identify and address potential issues at the earliest stages.

Data management plan template – UKRI

DMPonline ( - DMP online helps you to create, review, and share data management plans that meet institutional and funder requirements. It is provided by the Digital Curation Centre (DCC).

Consider a Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is a process designed to help you systematically analyse, identify, and minimise the data protection risks of a project or plan. If your organisation undertakes research regularly, then there should already be a DPIA that covers the range of research that your organisation undertakes. However, you should consider with your organisation whether your activities are not covered within existing arrangements and if you need to undertake a project-specific DPIA.

Doing DPIAs is a key part of your accountability obligations under the UK GDPR, and when done properly helps you assess and demonstrate how you comply with all of your data protection obligations.

Further detail on how to complete a DPIA can be found here: Data protection impact assessments | ICO; What is a DPIA? | ICO

Data Management Plan and DPIA

Both the Data Management Plan and the DPIA should be considered as ‘live’ documents and updated regularly in line with your project.

Data Flow Diagram

A data flow map or diagram is a helpful tool to show and help describe the flows of data and controllership at each stage of your study. Consider designing one for your project. Not only is it useful, but it will support your applications for research approvals if you provide one (e.g. if you are applying under Regulation 5 of COPI Regulations to CAG for section 251 support). There are currently no templates that are agreed as a sector standard. However, guidance can be downloaded from the ‘DFD download’ heading on the Health Data Access Tool Kit toolbar. If designing your own, remember to keep it simple for others to interpret. For example, making it clear which data flows are identifiable (and therefore require a legal basis), and which are not, will be a helpful addition.

Data Sharing Agreement

A Data Sharing Agreement (DSA) is a written agreement put in place to govern the sharing of personal data between two or more independent data controllers. It can help organisations demonstrate compliance with data protection law.

Data obtained from NHS Digital is subject to entering into the NHS Digital standard Data Sharing Framework Contract and project specific Data Sharing Agreements. Checklists of what needs to be provided when applying to access data are on the NHSD DARS application process website Data Access Request Service (DARS): process - NHS Digital.

Research using data received direct from NHS organisations should use one of the standard template agreements published by the Health Research Authority - IRAS Help - Preparing & submitting applications - Templates for supporting documents (

If you are using data from other sources, use the Data Sharing Checklist to complete your DSA Data sharing checklist | ICO

Additionally, a template DSA has been developed by the Health and Care IG Panel.

ICO: Data sharing: a code of practice

It is good practice to have a data sharing agreement. It sets out the purpose of the data sharing, covers what is to happen to the data at each stage, sets standards and helps all the parties to be clear about their respective roles. It helps you to demonstrate your accountability under the UK GDPR.

ICO: Data sharing: a code of practice

Controller-Processor Contract

If a controller uses a processor to carry out a particular processing activity, a written contract (agreement) must be in place. Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.

Where NHS organisations will be the processors you should use one of the standard template agreements published by the Health Research Authority - IRAS Help - Preparing & submitting applications - Templates for supporting documents (

Some national NHS organisations, notably NHS Digital, also have their own standard processing agreements.

If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes. Further guidance on Controllers and processors can be found here: Controllers and processors | ICO. It also includes a checklist to verify roles. Also see Guidance on Current thinking on controllers and processors in health research.

ICO Contracts: The contract is important so that both parties understand their responsibilities. The UK GDPR sets out what needs to be included in the contract. If a processor uses another organisation (i.e. a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.

Data Controllers and Data Processors

A ‘controller’ determines the purposes and means of processing personal data. A ‘processor’ is responsible for processing personal data on behalf of a controller.

HRA Definitions - Health Research Authority (

Data Security

You also need to consider obligations to ensure the security of your processing (such as under UK GDPR), which also apply to any data processors you use, and evidence satisfaction of compliance regarding the same.

One key example is compliance with the Data Security and Protection Toolkit (DSPT). DPST is an online self-assessment tool that all organisations accessing NHS patient data must complete annually to demonstrate that they meet the minimum required standards. This provides assurance that they are practising good data security and that personal information is handled correctly.

Further guidance on security and UK GDPR can be found here: Security | ICO.

Back to accessing health and care data: step by step guide and glossary