Applying for UK Hospital Episode Statistics (HES) and Recent History

Hospital Episode Statistics (HES) is a UK dataset managed by NHS Digital and derived from UK hospital data. Check out this link for more detailed information. It’s an ongoing real-world database of UK patients’ secondary care data.

Take a look at our previous article on how Hospital Episode Statistics can be used to Enhance Real-World Evidence Studies to understand why you might want to add this into your data collection toolkit.

To utilise the dataset for clinical research, a strict application and governance process must be followed. It’s a minefield that requires good knowledge of multiple technical and compliance-based issues.

It has been a long time coming but, with the latest iteration of the data application process, NHS Digital finally seems to have hit upon a workable formula that allows for a rigorous process to protect all our data, whilst still enabling better research.

A little bit of recent history

In 2014 the news broke that an organisation called PA Consulting had deposited a rather large volume of this data in the cloud. This led to headlines such as “NHS England patient data ‘uploaded to Google servers’, Tory MP says” and “NHS data sold to consultants and uploaded to Google servers – Twitter explodes”.

At the time, safeguarding of patient data was being debated at length.

If we all cast our minds back, very soon after this we had the debacle. The BMJ article entitled What can we salvage from tells you all you need to know. was a good idea executed badly. In its simplest form it would have created a dataset like Hospital Episode Statistics but in primary-care. From an analytical point of view, this would have been fantastic but, due to multiple reasons far too complex to discuss here, it became a PR disaster.

This was all facilitated by the NHS organisation responsible for managing IT and data within the English health service: the Health and Social Care Information Centre (HSCIC). Before the HSCIC we had NPfIT. A quick Google search of NPfIT will give you pages of articles recounting its failings (just look at the autocomplete Google results to give you a flavour of opinion!).

One thing we can probably all agree on is that the NHS has had a bumpy ride when it comes to IT and data over the last decade.

What’s changed?

The HSCIC has now been rebranded to NHS Digital and it’s not just a simple facelift. The organisation has learnt from the past and developed much stricter governance processes. This has also had to coincide with the advent of GDPR.

To combat past data mishaps and align with GDPR, NHS Digital has created “The Independent Group Advising on the Release of Data” (IGARD), which considers all requests for the dissemination of confidential information.

IGARD describes its function as follows:

IGARD independently assesses applications for data. This ensures that the use of patient data within research, academia, the public and private sector is done in controlled environments, where any risks of disclosure are minimised.

This is the independent panel which gives a final view of the release of data for uses such as research. They review the application and ensure everything is as it should be.

The Legality and Governance of a Hospital Episode Statistics Application

Make no mistake, a Hospital Episode Statistics application is full on, and so it should be. It’s our data and it should be protected. This means first and foremost we must have legal consent and governance under which we can process the data. This extends deeper than you may initially think; it’s both:

  1. The legal right to have the data (i.e. patient consent); and
  2. The governance and right legal consent for the proposed data flows.

If your brain isn’t hurting at this point it should be!

The first part is naturally informed patient consent for clinical research, but this needs to tie back to GDPR and be worded in a very specific way to ensure NHS Digital also has a legal right to process patient identifiable information. Make no mistake, this gets complicated and a single error can cost a serious amount of time. Introduce a compulsory ethics committee review every time you make a change, and the delays stack up… need we say more?

Now, without getting too technical, point 2 in the “real-world” is complex. A good number of research sponsors are global corporations who don’t run their IT/data storage operation from the UK. This means the data flows are cross-border and IGARD needs to ensure all risks are mitigated. We could write an entire manual on this; it’s complicated and time-consuming.

Everything from point A to Z in the dataflow must be mapped in detail and you’re then accountable for maintaining that exact process once approved. You sign over the right for NHS Digital to audit, and this application forms the blueprint which must be followed. Come audit day, if you’re not processing as described or you forgot to mention the weekly back-up to India, you have a problem.


NHS Digital has had to change and adapt over the last decade. It has also had to deal with some negative press at points, often for projects which from a scientific and technical view would have been fantastic to have (maybe not NPfIT!).

Sadly, these were not realised for numerous reasons, but what we have now is a robust application process. NHS Digital wants to work with sponsors as there is so much opportunity to enhance Real-World Evidence studies and produce better outcomes for patients in the UK.

Contact Ignite Data if you’re thinking about enhancing your Real-World data collection with Hospital Episode Statistics to de-risk your next project.

By Richard Yeatman, Chief Operations Officer, Ignite Data