This page provides the following information:
The Health Research Authority’s Confidentiality Advisory Group (CAG) provides independent expert advice to the HRA and the Secretary of State for Health on whether applications to access confidential patient or service user information without consent should or should not be approved.
CAG's remit extends to:
You should apply to CAG
- England and Wales; and
- Activities that are managed as research and non-research
if you need to access:
- Identifiable patient or service user information relating to people living in, or receiving care in, England and Wales without consent, prior to the disclosure of confidential information; or
- Human Fertilisation and Embryology Authority (HFEA) Research Register Data.
Potential applicants should refer to the guidance provided to identify whether an application to CAG is advised, in particular the pre-application checklist
. You should contact the the Confidentiality Advice Team (CAT)
if you wish to discuss considerations prior to submitting an application.
Please note: Where an applicant intends to link to datasets, such as Hospital Episodes Statistics (HES) and cancer registry data, they will be expected to have contacted the data controllers for the dataset and discussed whether alternative methods which might limit the disclosure of confidential patient information without consent could be used. You will need to provide copies of this correspondence, and any other evidence to show that alternatives to access of confidential patient data without consent have been explored, as part of the supporting information for your application to CAG.
Using patient identifiable information from Scotland or Northern Ireland:
This activity is not within the remit of CAG and you should seek additional guidance from, and make contact with, the relevant privacy committee:
Back to the top
If you need to contact the Confidentiality Advice Team you should:
Back to the top
Research projects, Research Tissue Banks and Research Databases
All research applications should be prepared in IRAS.
***IMPORTANT: At project filter question 4 select the application for the Confidentiality Advisory Group (CAG) and then in the secondary question asking "Will you be seeking data from the Hospital Episodes Statistics (HES) or Secondary Uses Service (SUS)?" you should always select "no". ***
The CAG Form should be electronically authorised prior to creating a final version for submission. The final version for submission is created via the Submission Tab for the CAG Form and you should submit both PDF and XML versions of the CAG Form, plus any supporting documentation, directly to the Confidentiality Advice Team (CAT)
. The booking process must be followed in order to submit an application to the CAG.
Supporting document requirements are set out in the checklist associated with the CAG Form. Please note that all documents should be provided in black and white and labelled with a clear title, version number and date. Application forms should not include embedded documents.
Instructions for the booking and submission of the application are below
All non-research application should complete the Section 251 Form
. The form may be signed electronically or a printed copy signed and scanned to PDF.
The Section 251 Form contains a list of expected supporting documentation. Please note that all supporting documents should be provided in black and white and labelled with a clear title, version number and date. Application forms should not include embedded documents.
Booking and submitting to CAG
Applications to CAG must be booked for review prior to submission. You should only contact the Confidentiality Advice Team (CAT)
to book once an application is ready for submission as the application must be submitted within 24 hours of booking.
- If the application is not submitted within 24 hours the booking will be cancelled.
- The team are unable to reserve spaces for future meetings to prevent delays to applicants who are ready to submit.
The process to book an application is:
- Review the precedent set criteria prior to booking to determine if any apply to your application.
- Check the meeting and cut off dates on the HRA website. The dates advertised specify the date that bookings must be received by to be considered for inclusion onto the scheduled meeting.
- Review the validation criteria and tips for a successful application to ensure that your application meets the necessary standards for acceptance.
- Call the Confidentiality Advice Team (CAT) to
book the application into the next available meeting.
- Email the fully completed application (for research applications please include PDF and XML versions of the form) and all supporting documents to the Confidentiality Advice Team (CAT) within 24 hours of booking. If the application is not submitted within this time period it will automatically be removed from the meeting agenda.
If you have any questions in relation to the process please contact the Confidentiality Advice Team (CAT)
Back to the top
There are a number of errors that are seen in applications to CAG. These usually delay the progress of an application and in some instances may lead to the application being rejected. Below are some tips to avoid some of the common application errors:
- Application Form
- Make sure that you completed all questions in the form. The CAG provides recommendations based upon the written documentation so it is important you fully address the questions
- For research applications you should submit both PDF and XML versions of the form in IRAS.
- Supporting documents
- Make sure that you provide all necessary supporting documentation
- For research applications the checklist tab associated with the CAG Form in IRAS provides a list of the documents that are normally expected to support the application. Use this as a guide to the documents you should include although those that are marked as mandatory are expected in all cases.
- For non-research applications refer to the documents list in the form for a list of documents that are normally expected to support the application
- Make sure you enter the correct file title, version number and date.
- For research applications in IRAS, make sure you have electronic authorisations in place for all declarations in the form and that they are shown as valid. Do not add electronic authorisations until you are certain the application is complete. Any changes made to the will invalidate any authorisations that are already in place. If your form requires multiple authorisations be aware that if one of the authorisers changes the form before they authorise it then any authorisations that were already in place will be invalidated and will need to be sought again.
- For non-research applications you may use an electronic signature.
- Submitting the application
- You must book your application before you submit it by email. If you do not book the application, or you do not submit it within 24 hours of booking, the booking will be cancelled.
- Ensure you or someone else familiar with the research is available to be contacted in the days after submission. This will enable quicker resolution of any queries about the application.
In addition to the tips above we recommend that you check whether your application is likely to meet the relevant validation criteria.
Back to the top
All applications, except those reviewed via the Precedent Set process are considered at a full CAG meeting.
Your CAG application will be checked by a Confidentiality Advisor and accepted for review if it meets the following criteria. If your application does not meet these criteria a CAG advisor will contact you to request further information. This request will provide a deadline date for response. If you do not respond by the deadline date, your application will be invalidated.
- has the application form been signed by CI/sponsor (research) or controller (non-research)?
- have all sections and questions in the application form been completed and is the text in Plain English?
- have all relevant documents been submitted and marked with version numbers and dates?
- does the application clearly detail the scope of support requested, including:
- organisations between which data under support will flow (or where data under support will be processed)
- the identifiable data items that will be processed
- clarity on the common law legal basis for any existing data sources, where it may be uncertain
- data flows/aspects of the application which do not require support
- does the application include detail on the medical purpose?
- does the application provide a justification for why there are no practicable alternatives to using confidential patient information?
- if the application is a resubmission, is the previous CAG reference number included, and has documentation been submitted fully explaining how the new application addresses and resolves the previous advice outcome from CAG?
If your application requires full CAG review then it will be considered at a monthly CAG meeting. In some circumstances you may be advised to attend the meeting. Where applications are reviewed at a CAG meeting applicants can expect to receive a decision with 60 days.
If your application is being reviewed via the Precedent Set process then it will be reviewed by a sub-committee. Where applications are reviewed via precedent set applicants can expect to receive a decision within 30 days. In some cases this review may refer the application to a full CAG review.
After CAG review
You will receive an outcome letter via email by the date specified within the specified timelines. The letter will inform you of the outcome of the CAG meeting and the next steps you need to take. Your application will receive one of the following outcomes:
- Supported – your application has a legal basis to access identifiable patient information within the boundaries of your application. Your application will be subject to standard conditions of support and may also be subject to some specific conditions which will need to be actioned within the timeframe provided in your outcome letter
- Provisional – further clarification or information is required before CAG can advise support
- Deferred – your application does not contain enough information for the CAG to advise. You may submit a new application for CAG to consider
- Rejected – your application contains sufficient information and CAG have advised that the activity should not be supported
All supported applications are subject to the standard conditions of support including submitting an annual review report
. You should submit a report to the CAG every 12 months from the date of the final support letter, for the duration of the support. If you make any changes to the information provided and supported in your original CAG application you may need to submit an amendment
If your application is not approved and you can address the reasons given for this that were set out in the outcome letter from CAG then you may resubmit your application. In this situation, you should follow the advice provided in the outcome letter and submit the application with a covering letter detailing the amendments made and how these address the issues raised. The normal booking and submission process should be followed when resubmitting the application for review.
Back to the top
Page last updated: 31 January 2023