How RDS works with eDRIS
Discover how we work together with our eDRIS colleagues to provide data access support.
Find out more about information governance for the data access process, including key principles and legal considerations.
Information Governance (IG) is a holistic approach to managing information at an organisation. A range of processes, roles, controls and metrics support the secure treatment of information as a valuable business asset and embed compliance with legislation governing the management of information.
When accessing secure personal data, it is vital to protect the rights and freedoms of those individuals whose data is being accessed and to comply with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.
Robust information governance not only ensures that an organisation is complying with data protection legislation but also engenders trust and confidence in individuals that their personal data is being treated securely and confidentially. IG processes also assist researchers by establishing contractual and technical controls and appropriate risk assessments to support efficient and timely access to data. It is worth noting that there is no “one-size-fits-all” IG approach and processes are determined on a case-by-case basis depending on what kind of data a researcher requests.
The UK GDPR and the Data Protection Act 2018 together determine how, when and why any organisation can process personal data (any information that can identify a living individual). These laws exist to ensure that personal data is managed safely and used responsibly.
The UK GDPR sets out seven key principles governing the processing of personal data.
Following these core principles is crucial when using personal data for research purposes as they help to ensure personal data is processed safely, securely and in compliance with legislation.
Any intended processing of personal data must be lawful, fair and transparent. Researchers must establish a lawful basis for processing the data before a project starts.
The most likely lawful basis for research in UKRI Institutes and in universities (as public authorities) is “task in the public interest”.
Organisations can demonstrate they meet the requirements to use this lawful basis by referring to their legal constitutions, or because they are operating under a relevant statute that specifies research as one of the organisation’s purposes. Examples of relevant university statutes include:
For non-public authorities, such as charities and commercial/independent research organisations, the most likely lawful basis for processing personal data for research purposes is “legitimate interests”.
Data protection legislation allows certain exceptions for research as it recognises not only that any data can be useful for research but also that research can be a long-term undertaking. Specifically, in relation to the UK GDPR principle of “storage limitation”, the Information Commissioner’s Office (ICO) states that data can be stored for research purposes indefinitely, where the data owner has set out a lawful and legitimate justification for its retention.
Another fundamental part of ensuring that the processing of personal data is lawful is completing the necessary risk assessments and establishing contracts that govern the sharing or processing of the data. These contracts are known as Data Sharing Agreements and Data Processing Agreements, which contain the necessary legal clauses to define the roles of the parties and their obligations in relation to the processing of data.
A Data Protection Impact Assessment (DPIA) should also be completed prior to commencing research using personal data. The DPIA will
The completion of a DPIA is a legal requirement dependent upon the volume and sensitivity of the data being processed. The UK GDPR states that a DPIA must be carried out where the processing of data is likely to result in a high risk to the rights and freedoms of individuals. Further guidance on the requirement for a DPIA is available on the ICO’s website.
Under the UK GDPR an organisation undertaking research involving personal data will take on one or more of the undernoted roles, dependent upon their processing activity and the following factors:
A fundamental consideration is establishing who determines the purposes for which the data is processed and the means of processing. In other words, who is the Data Controller and who is the Data Processor?
Most universities and research organisations will have either an information governance or data protection team, a research support office, or a legal practitioner, all of whom are there to assist researchers with their projects (including applications for data) and any aspects of governance or data protection. It is important to engage with your organisation’s information governance/data protection team to not only ensure that the proposed data processing is lawful and secure, but also that any internal processes are followed and signed off by the appropriate member of staff.
The information governance/data protection team will be able to signpost relevant templates, for example DPIAs, data processing agreements, and data sharing agreements. They can also advise if other contracts will be required in relation to the proposed research activity.
In addition to the agreements between the researcher’s institution and the data provider, further agreements may be required with the institution or facility which will hold or link the data. For example, for non-health data using the National Safe Haven, a controller/processor contract with eDRIS is required as they will process (i.e., hold and link) the data on the researcher’s behalf. In this case, eDRIS will provide their own standard contract.
If eDRIS are not involved, the researcher may consult their institution’s research support office or data protection team to obtain a relevant controller-processor contract or to arrange specific research contracts to govern the research activity. These would then sit alongside the relevant data sharing/processing agreement.