Guidance for CAG applicants

Last updated on 19 Mar 2024

Guidance and frequently asked questions on the process for submitting an application to Confidentiality Advisory Group (CAG) for both research and non-research purposes.

Do I need to apply to the Confidentiality Advisory Group (CAG)?

If you intend to access confidential patient information without consent, outside of the direct care team in England and Wales, you should consider whether doing so would be a breach of the common law duty of confidentiality.

The CAG pre-application checklist sets out some key considerations to help you to decide. The data controller is responsible for deciding whether an application to CAG should be made. The Confidentiality Advice Team can advise on the considerations that you should take into account, but the team will not make the decision on behalf of applicants or other data controllers. You should remember that section 251 support through CAG does not give approval to access data from a data controller. The purpose of section 251 support is to give the data controller a legal means of providing access to confidential patient information without consent.

The CAG advises on both research and non-research uses of confidential patient information without consent. If you are unsure if your project should be classified as research, our Is my study research? tool can help.

How do I prepare my CAG application?

The following documents are mandatory and have to be included with your application:

  • authorised CAG application form completed in IRAS (for research) or section 251 form (non-research) - draft versions will not be accepted
  • xml file of the completed IRAS from (research applications only)
  • protocol
  • data flow diagram
  • written recommendation from Caldicott Guardian (or equivalent) of applicant’s organisation.

The following documents are expected if relevant to support the information in your application:

  • template materials to inform the patient population of the activity (patient notification materials)
  • supporting evidence of public involvement
  • participant information sheets and consent forms (where this is relevant to the application)
  • if there has been uncertainty about the need for a CAG application, you should include written confirmation from the local data controller on why the activity will cause a breach in confidentiality.

What information do I need to include in my CAG application?

The CAG expects to see clear information in all applications on the areas outlined below. You should also refer to our validation criteria to ensure that your application will be ready for review by CAG.

Scope of support

You should provide a short, clear overview of what you are requesting Section 251 support for. This should include a brief description of the data flows that support is requested for (including which organisations data will flow between, and what identifiable data items will be accessed). This overview should clearly state any flows/uses that do not required support – for example flows after data has been anonymised.

This description should be understandable to a lay person without knowledge of Information Governance or the study. For example:

Support is requested for the flow of confidential patient information (NHS number and date of birth) from organisation X to organisation Y, for patients seen between 2015 and 2022. This will enable organisation Y to link this data to the data held in their medical records and provide the requested clinical data to the sponsor. The flow of data returned from Organisation Y to the sponsor is anonymised and support is not requested for this flow. Prospective patients, included from 2022 onwards, will be consented and support is not requested for this patient group.

What to do once you've prepared your application is detailed in simple steps here.

Data flow diagram

You should send a simple data flow diagram in your application which clearly shows the flows of data and should include all the information listed below. The Health Data Access Tool Kit has a template data flow diagram for you to use (this toolkit is an external resource not maintained by CAG or the HRA).

  • the organisations (legal entities) between which data will flow
  • for each organisation, the data source being used (for example medical records, or the specific dataset being accessed at NHS England)
  • for each flow, the identifiable data items that will be transferred. Where the flow will be pseudonymised or anonymised, this should be stated.
  • the legal basis for each flow. It should clearly distinguish which flows Section 251 support is requested for, and which flows Section 251 support is not requested for (for example anonymised, or flowing under consent)

Public involvement

Good public involvement helps the CAG consider the public interest and the acceptability of using confidential patient information without consent. There are widely applicable expectations and principles around what good public involvement looks like across all research. You should consider the information about public involvement that Research Ethics Committees (RECs) are looking for to help them with the review of your application by the REC. CAG considers the specific question of the public acceptability of using confidential patient information without consent. So there are also additional specific expectations for CAG around who you should involve and what you need to explore with the people you involve.

Read our new public involvement guidance for CAG applicants.

Patient notification

If your application gains Section 251 support, it is important that the patient population is informed about the use of their information and have the opportunity to opt out. Your application should how you will inform the patient population of the use of their identifiable data without consent (patient notification), with examples of the materials to be used.

The CAG expects that the communication routes will be appropriate to the scale of disclosure. A large-scale national disclosure will need much more extensive communication routes than a local disclosure confined to one Trust. Therefore, patient notification should be specific and proportionate to your project.

Examples of acceptable patient notification methods may be:

  • poster/leaflet in relevant departments on NHS premises
  • letter to patients
  • information on the Trust and/or data controller website
  • local and/or national press (TV, website or print)
  • through relevant charities or support groups
  • use of relevant social media platforms.

Provision of GDPR privacy notices are not considered to be appropriate routes for patient notification but may be provided as part of a layered approach.

Notification materials should include:

  • a simple, clear description of the activity that includes details of the patient information to be used.
  • details of a project specific mechanism for patients to opt out. This should include various routes to contact (e.g. email, phone, postal address) and align with the details provided in your application.
  • a statement to confirm that the HRA (for research) or Secretary of State for Health and Social Care (for non-research) has given Section 251 support for the activity following advice from the Confidentiality Advisory Group.

CAG encourages the use of a layered approach to patient notification. That is, the initial notification materials provide a high-level overview of the activity, in line with the principles above, that also provides a link to provide further detailed information for those that wish to learn more e.g. through use of a QR code and/or link to a website.

Patient objection

The National Data Opt-Out policy applies to applications that work under Section 251 support. It is expected that all applications will apply the national data opt out and this should be confirmed in your application. Further information specific to research organisations can be found on our website.

In addition, CAG expects a project specific opt out mechanism to be used to enable the patient population to opt out of their data being used for this specific activity. You should include details in your application on how the project specific mechanism will operate such as who patients should contact to opt out of their data being used and how. Note that this should align with the detail in your patient notification materials.

Security Assurances

Department of Health and Social Care policy says that all organisations accessing confidential patient information in England under a CAG application have their Data Security and Protection Toolkit (DSPT) self-assessment submission reviewed by NHS England, to provide assurances that the organisation has achieved the appropriate ‘standards met’ status.

You should ensure that the organisations accessing confidential patient information for your application have an appropriate DSPT in place. Further information on how to check this can be found here.

I’ve prepared my CAG application – what do I do next?

  1. Review the precedent set criteria to determine if any categories/exclusions apply to your application.
  2. Check the CAG meeting and cut off dates for scheduled meetings and the corresponding dates by which applications must be received to be considered for that meeting. If you are applying via the full review pathway you will be invited to attend the meeting to answer any questions the committee may have. Meetings are held via Zoom. Further information on what to expect at a CAG meeting can be found here.
  3. Email the mandatory documents and any relevant supporting documents to cag@hra.nhs.uk. You should also include the following in your email:
  • Confirmation of whether you are applying via the full or precedent set review pathway
  • If you are applying via the precedent set pathway please state which category you are applying under
  • Which meeting date you would like to book on to

4. A confidentiality advisor will review your application to check it meets our validation criteria. The confidentiality advisor may email you with queries during the validation process. You should respond to queries within the specified timeframe stated in the email to ensure your application will be ready for review by CAG at your booked meeting date.

5. If you application is being reviewed via the full review pathway, the confidentiality advisor will confirm your time slot at the meeting once your application is deemed valid.

6. Your application will be reviewed by CAG at your booked meeting date.

7. You will receive an outcome via email by the date specified within our timelines here. The outcome will inform you of the outcome of the CAG meeting and the next steps you need to take.

Your application will receive one of the following outcomes:

  • Supported – your application has a legal basis to access identifiable patient information within the boundaries of your application. Your application will be subject to standard conditions of support and may also be subject to some specific conditions which will need to be actioned within the timeframe provided in your outcome letter
  • Provisional – further clarification or information is required before CAG can advise support
  • Deferred – your application does not contain enough information for the CAG to advise the decision maker. You may submit a new application for CAG to consider
  • Rejected – your application contains sufficient information and CAG have advised that the activity should not be supported

I have Section 251 support for my application – what else do I need to know?

Once you have Section 251 support a common law legal basis for access to confidential patient information without consent is in place. For non-research activities you may begin, but for research activities you will be able to start once you have HRA Approval. It should be noted that section 251 support resulting from a CAG application is permissive and does not require data controllers to provide information to the applicant. Your application will be added to a register of all supported applications, which can be found here. You can also find CAG meeting minutes here

All supported applications are subject to the standard conditions of support including submitting an annual review report. You should submit a report to the CAG every 12 months from the date of the final support letter, for the duration of the support. If you make any changes to the information provided and supported in your original CAG application you may need to submit an amendment.

Once you have completed accessing confidential patient information without consent for your application you should submit an end closure report.

If you have any questions about CAG, please contact the confidentiality advice team.

Back to confidentiality advisory group