Being able to demonstrate your legal responsibility to access data is important to ensure that privacy, transparency and accountability are upheld.
This is known as Information Governance (IG) and as a researcher it is your responsibility on behalf of your organisation to ensure that your project meets the necessary legal requirements.
There are two key pieces of IG that you must have in place to access data for research:
1. An up-to-date Data Protection Impact Assessment
2. Data Sharing Agreement with the Data Controller
These should be in place and provided as support when you apply for access to the data.
Your organisation will have standard documents in place for you to meet these requirements. RDS may be able to supply templates, where applicable.
It is the responsibility of the Data Controller to prepare the Data Sharing Agreement for the data you are requesting. You must understand and agree the terms and conditions that the Data Controller will require when sharing data with you. This will require you to engage with your organisation’s legal teams to ensure they are content to accept the terms of the data share.
There may be occasions where you are not doing the analysis yourself and have contracted another organisation to do this for you. In this instance you will require some additional documentation. This will be known as a Controller Processor Contract and is between your organisation and the one you have contracted to do the work.
To help demonstrate your compliance with data protection legislation, you will need to identify the lawful basis your organisation uses to process data. This will be different to the lawful basis that the data controller uses.
You should also consider what legal gateway is gateway available for your research project and detail this within your DPIA. You should speak to your organisation’s legal team on this if you are unsure.
Different data controllers have different ways to demonstrate data protection accountability, this is covered in the respective information on how to apply to access data.
If you require indexing, you should engage with the relevant National Records of Scotland (NRS) team to ensure all relevant IG related to this process is completed.