Help - Preparing & submitting applications - Confidentiality Advisory Group (CAG)
  • Using IRAS
  • Preparing & submitting applications
    • HRA and HCRW ApprovalHRA and HCRW Approval
    • NHS/HSC R&D PermissionsNHS/HSC R&D Permissions
    • NHS staff as research participantsNHS staff as research participants
    • Ethical review (REC)Ethical review (REC)
    • Confidentiality Advisory Group (CAG)Confidentiality Advisory Group (CAG)
    • MHRA MedicinesMHRA Medicines
    • Site specific informationSite specific information
    • MHRA DevicesMHRA Devices
    • Templates for supporting documentsTemplates for supporting documents
    • HR Good Practice Resource PackHR Good Practice Resource Pack
    • Radiation AssuranceRadiation Assurance
    • Radiation - defining research exposuresRadiation - defining research exposures
    • Radiation - MPE and CRE review proceduresRadiation - MPE and CRE review procedures
    • Pharmacy AssurancePharmacy Assurance
    • Public InvolvementPublic Involvement
    • Interventional ResearchInterventional Research
    • Combined review applicationsCombined review applications
    • IVD ResearchIVD Research
  • Maintaining your approvals
  • End of research
  • FAQs
  • Documentation
  • Reference
Confidentiality Advisory Group (CAG)

Preparing and submitting applications to the Confidentiality Advisory Group (CAG)

This page provides the following information:

What is the Confidentiality Advisory Group (CAG) & do you need to apply to CAG

The Health Research Authority’s Confidentiality Advisory Group (CAG) provides independent expert advice to the HRA and the Secretary of State for Health on whether applications to access confidential patient or service user information without consent should or should not be approved.

CAG's remit extends to:
  • England and Wales; and
  • Activities that are managed as research and non-research

You should apply to CAG if you need to access:
  • Identifiable patient or service user information relating to people living in, or receiving care in, England and Wales without consent, prior to the disclosure of confidential information; or
  • Human Fertilisation and Embryology Authority (HFEA) Research Register Data.

Potential applicants should refer to the guidance provided to identify whether an application to CAG is advised, in particular the pre-application checklist. You should contact the the Confidentiality Advice Team (CAT) if you wish to discuss considerations prior to submitting an application.

Please note: Where an applicant intends to link to datasets, such as Hospital Episodes Statistics (HES) and cancer registry data, they will be expected to have contacted the data controllers for the dataset and discussed whether alternative methods which might limit the disclosure of confidential patient information without consent could be used. You will need to provide copies of this correspondence, and any other evidence to show that alternatives to access of confidential patient data without consent have been explored, as part of the supporting information for your application to CAG.

Using patient identifiable information from Scotland or Northern Ireland: This activity is not within the remit of CAG and you should seek additional guidance from, and make contact with, the relevant privacy committee:

Back to the top

Contacting the Confidentiality Advice Team (CAT)

If you need to contact the Confidentiality Advice Team you should:

Back to the top

How to apply to CAG

Research projects, Research Tissue Banks and Research Databases
All research applications should be prepared in IRAS.

***IMPORTANT: At project filter question 4 select the application for the Confidentiality Advisory Group (CAG) and then in the secondary question asking "Will you be seeking data from the Hospital Episodes Statistics (HES) or Secondary Uses Service (SUS)?" you should always select "no". ***

The CAG Form should be electronically authorised prior to creating a final version for submission. The final version for submission is created via the Submission Tab for the CAG Form and you should submit both PDF and XML versions of the CAG Form, plus any supporting documentation, directly to the Confidentiality Advice Team (CAT). The booking process must be followed in order to submit an application to the CAG.

Supporting document requirements are set out in the checklist associated with the CAG Form. Please note that all documents should be provided in black and white and labelled with a clear title, version number and date. Application forms should not include embedded documents.

Instructions for the booking and submission of the application are below.

Non-research activities
All non-research application should complete the non-research application form The form may be signed electronically or a printed copy signed and scanned to PDF.

The Section 251 Form contains a list of expected supporting documentation. Please note that all supporting documents should be provided in black and white and labelled with a clear title, version number and date. Application forms should not include embedded documents.

Booking and submitting to CAG
You should only contact the Confidentiality Advice Team (CAT) to book once an application is ready for submission as the application must be submitted within 24 hours of booking. Meeting bookings cannot be accepted without the application documents. The team are unable to reserve spaces for future meetings to prevent delays to applicants who are ready to submit.

Before you submit your application you should review the validation criteria and tips for a successful application to ensure that your application meets the necessary standards for acceptance.

The process to book an application is:

  • check the meeting and cut off dates on the HRA website. The dates advertised specify the date that applications must be received by to be considered for inclusion onto the scheduled meeting. Please note that if you are applying via the full review pathway you will be invited to attend the meeting to answer any questions the committee may have. Meetings are held via Zoom.
  • email your application form and any relevant supporting documents to You should also include the following information in your email:
    • confirmation of whether you are applying via the full or precedent set review pathway
    • if you are applying via the precedent set pathway please state which category you are applying under
    • which meeting date you would like to book in to

    If you have any questions in relation to the process please contact the Confidentiality Advice Team (CAT).

    Back to the top

    Tips for successful application:

    There are a number of errors that are seen in applications to CAG. These usually delay the progress of an application and in some instances may lead to the application being rejected. Below are some tips to avoid some of the common application errors:
    1. Application Form
      • Make sure that you completed all questions in the form. The CAG provides recommendations based upon the written documentation so it is important you fully address the questions
      • For research applications you should email both PDF and XML versions of the form in IRAS to
    2. Supporting documents
      • Make sure that you provide all necessary supporting documentation
      • For research applications the checklist tab associated with the CAG Form in IRAS provides a list of the documents that are normally expected to support the application. Use this as a guide to the documents you should include although those that are marked as mandatory are expected in all cases.
      • For non-research applications refer to the documents list in the form for a list of documents that are normally expected to support the application
      • Make sure you enter the correct file title, version number and date.
    3. Authorisations
      • For research applications in IRAS, make sure you have electronic authorisations in place for all declarations in the form and that they are shown as valid. Do not add electronic authorisations until you are certain the application is complete. Any changes made to the will invalidate any authorisations that are already in place. If your form requires multiple authorisations be aware that if one of the authorisers changes the form before they authorise it then any authorisations that were already in place will be invalidated and will need to be sought again.
      • For non-research applications you may use an electronic signature.
    4. Submitting the application
      • Ensure you or someone else familiar with the research is available to be contacted in the days after submission. This will enable quicker resolution of any queries about the application.

    In addition to the tips above we recommend that you check whether your application is likely to meet the relevant validation criteria.

    Back to the top

    After you have submitted your application

    All applications, except those reviewed via the Precedent Set process are considered at a full CAG meeting.


    Validation criteria

    Your CAG application will be checked by a Confidentiality Advisor and accepted for review if it meets the following criteria. If your application does not meet these criteria a CAG advisor will contact you to request further information. This request will provide a deadline date for response. If you do not respond by the deadline date, your application will be invalidated.

    • has the application form been signed by CI/sponsor (research) or controller (non-research)?
    • have all sections and questions in the application form been completed and is the text in Plain English?
    • have all relevant documents been submitted and marked with version numbers and dates?
    • does the application clearly detail the scope of support requested, including:
      • organisations between which data under support will flow (or where data under support will be processed)
      • the identifiable data items that will be processed
      • clarity on the common law legal basis for any existing data sources, where it may be uncertain
      • data flows/aspects of the application which do not require support
    • does the application include detail on the medical purpose?
    • does the application provide a justification for why there are no practicable alternatives to using confidential patient information?
    • if the application is a resubmission, is the previous CAG reference number included, and has documentation been submitted fully explaining how the new application addresses and resolves the previous advice outcome from CAG?


    CAG review and outcome

    If your application requires full CAG review then it will be considered at a monthly CAG meeting. You will be invited to attend the meeting to answer any queries the committee may have about your application. Where applications are reviewed at a CAG meeting applicants can expect to receive a decision with 60 days.

    If your application is being reviewed via the Precedent Set process then it will be reviewed by a sub-committee. Where applications are reviewed via precedent set applicants can expect to receive a decision within 30 days. In some cases this review may refer the application to a full CAG review.

    After CAG review
    You will receive an outcome letter via email by the date specified within the specified timelines. The letter will inform you of the outcome of the CAG meeting and the next steps you need to take. Your application will receive one of the following outcomes:

    • Supported – your application has a legal basis to access identifiable patient information within the boundaries of your application. Your application will be subject to standard conditions of support and may also be subject to some specific conditions which will need to be actioned within the timeframe provided in your outcome letter
    • Provisional – further clarification or information is required before CAG can advise support
    • Deferred – your application does not contain enough information for the CAG to advise. You may submit a new application for CAG to consider
    • Rejected – your application contains insufficient information and CAG have advised that the activity should not be supported

    All supported applications are subject to the standard conditions of support including submitting an annual review report. You should submit a report to the CAG every 12 months from the date of the final support letter, for the duration of the support. If you make any changes to the information provided and supported in your original CAG application you may need to submit an amendment.

    If your application is not approved and you can address the reasons given for this that were set out in the outcome letter from CAG then you may resubmit your application. In this situation, you should follow the advice provided in the outcome letter and submit the application with a covering letter detailing the amendments made and how these address the issues raised. The normal booking and submission process should be followed when resubmitting the application for review.

    Back to the top

    Page last updated: 18 December 2023

IRAS Integrated Research Application System, version 6.3.6, 09/01/2024, IRAS Dataset version 3.5.
The Health Research Authority (HRA) acknowledges the Integrated Research Application System (IRAS) partners in developing IRAS content. © Health Research Authority 2024.
Copyright and other intellectual property rights in the content of the Integrated Research Application System (IRAS) belong to the HRA and all rights are reserved. Terms & Conditions, Privacy Policy. APP-N