Guidance for researchers

You would like to do some research with public sector data, but where do you start?

Accessing data can be complex and confusing if it’s new to you or been a while since you last did it. There are express legal requirements that need to be met when you access certain types of data or if you want to do specific things to the data - linking different datasets together, for example.
We have set out below the steps you should take to plan your research appropriately.

First steps:

• Start planning your research. This can take up to 12 months so remember to factor that into your planning and schedule;
• Think about what your research question(s) is(are);
• Start drafting a Data Protection Impact Assessment. Your organisation’s data protection team should be able to help you with this; and
• Check what data is available and whether there are any special requirements needed for access.

Turning to the data:

• Think about the type of data to you will need to answer your question(s);
• Consider what variables will you need and if they are available;
• Find out who holds the data;
• Assess if you actually need all the data you think you do and at the level you are requesting? Will all the variables be used to answer your research question(s)?;  
• Have you checked the open data platforms for published data that can be downloaded immediately?; and
• Decide what your outputs will be and consider whether these could potentially disclose personal information.

Turning next to the legal requirements:

• Find out if your organisation can legally process the data you are requesting;
• Check your data protection requirements;
• Check you understand the definitions of personal data and special category data and what that means for your project;
• Plan out how your project complies with the data protection principles (with the help of your data protection impact assessment);
• Ensure you can justify every variable being requested; and
• Check whether the data has any legal restrictions on what it can be used for, this can be found in the data controller’s privacy notices. 

Your organisation’s data protection and legal teams should be able to assist you with the data protection and legal requirements involved in your research.  
Once you have a plan for what you would like to do, the next steps will depend on the data being requested.

• Data from the open data platforms can be downloaded
or
• A formal request for an organisation’s data will be needed

Next steps:

• Consult the data controller guidance on accessing their data (link to SG and PHS pages);
• Consider the information needed and consult your legal and data protection teams;
• Engage with the data controller on the technical requirements of their data and how that fits with your research question. Also discuss the legal terms and conditions they will use to share data to ensure it is suitable to your organisation’s requirements;
• Take the appropriate training required for the data you are requesting;
• Complete the application for the data using your planning, flow diagrams and DPIA as assistance;
• Complete the data controller’s checklists to ensure all materials and information is present and correct; and
• Submit the application form to the data controller data access panel

Applications for bespoke data requests can take up to 5 weeks to progress to make a decision and you may be asked to provide further information. Check out the data controller’s web pages for more details on timings and outcomes.