Skip to content

Researcher privacy policy

This policy explains how we comply with legislation and protect the privacy of researchers applying for data access.

Why we may process your data

In some cases, we need to process data to ensure that we are complying with our legal obligations in so far as it is authorised by UK law or a collective agreement pursuant to UK law providing for appropriate safeguards for the fundamental rights and the interests of the data subject. We may also need to process your data to confirm your identity if you are a researcher.

RDS may also process pseudonymised research datasets which have been shared by other third parties, in the process of provisioning data for research, where data will be stored the Scottish National Safe Haven. RDS may also process data on behalf of other data controllers in the event where we are acting as a processor.

Researchers enquiring about data access

When you fill out the enquiry form on our website, your data will be temporarily held in Umbraco and passed on to the responsible parties at eDRIS. Umbraco is a data collection tool where we hold information which comes in via the Enquiry Form and the website Contact Form. This is a temporary solution which will evolve to facilitate sharing directly from the RDS website to the Appian platform. 

Researchers applying through the Researcher Access Service

If you are a researcher applying to access data held in the National Safe Haven, we will use the information that you have given us to process data as part of the assessment process for granting access. For example, we need to confirm that the request to access data is legal and in compliance with the objectives of public benefit.

In the event that your research request requires further authoritative sign-off, we will be processing your data in the action of sharing your application and details to the Public Benefit and Privacy Panels.

Where you have successfully accessed the National Safe Haven for research purposes, RDS will publish details (researcher name and organisation affiliation) as part of our values around being open and transparent as an organisation.

Your data may also be collected through our website forms and processed for the purposes of consented user engagement opportunities.

RDS uses platform solutions designed and delivered by Appian. This platform may process personal data and uploaded information in order to enable functionality and successful application progression. This includes the tracking of your application progression, processing supporting documentation required for authentication and case support purposes, and the processing of names and contact details in order to relay details on application progression.

By completing details in the enquiry form, your details will be captured for the triage process to confirm if your application can proceed through the RAS. In the event that your application is unsuccessful, ‘We will then review your information after on an annual basis and assess against a specific criteria if it is necessary and lawful to retain it for longer, if not your information will be securely deleted/destroyed.’

Our lawful basis for processing your data

Under the UK General Data Protection Regulation (UK GDPR (General Data Protection Regulation) article 6(f)), the lawful basis which we rely on for processing this information is that we have a legitimate interest. For more information, please visit the Information Commissioner’s Office website.

For more information regarding our lawful basis, please contact our Data Protection Officer at dataprotection@researchdata.scot. Further data regarding lawful bases for processing can be found on the ICO website.

The types of personal information we collect

Researchers applying through the Researcher Access Service

We collect a range of information about researchers and research bodies during initial enquiries regarding data access. This may include:

  • Personal identifiers, contacts, and characteristics (for example, name and contact details) relating to researchers and research establishments wishing to access data sets for research purposes.
    • ‘Personal information’ means any information which relates to or identifies you as an individual. This includes any information provided to us by or on behalf of you via current (or potential) research establishments, current or future public bodies, reference agencies or former employers.
  • Your name, address and contact details, including email address and telephone number;

During your application process using the Researcher Access Service, we will collect the following information in the form of application form content and supporting documentation:

  • Details of your research qualifications, skills, and experience;
  • Information about your present and previous research activities;
  • Your training, and particularly training associated with research activities;
  • Information about your entitlement to carry out research on behalf of a research establishment or public body;
  • In processing your application for research, your justification for performing the research and;
  • Any sensitive information provided by you which details a disability for which RDS needs to make reasonable adjustments during the process of providing access to research data. Any information of this sensitivity will be kept confidential.

Methods of data collection

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • Data may be collected from online data access application tools.
  • Data may be obtained from identity documents or collected through other forms of assessment and certification.

We also receive personal information indirectly, from the following sources in the following scenarios:

  • Data may be collected from references supplied by former research bodies.
  • We will seek information from third parties only once you have been made aware and will inform you that we are doing so.
  • RDS also retains information about the organisations that provide research data to RDS and processes data that it receives from data controllers of research datasets.
  • Data collected from the website forms will be held in Umbraco, a data collection tool used to temporarily process and share information which comes in via the Enquiry Form and the website’s Contact Form to the responsible parties within these processes.

How your data may be shared

During the enquiry process to access the RAS, your information will be collected and shared through Umbraco and passed on to the responsible parties at eDRIS. This is a temporary solution which will evolve to facilitate sharing directly from the RDS website to the Appian platform. Any information also submitted through RDS website’s Contact Form shall be shared with relevant parties within RDS.

In the process of developing and reviewing your application through the Researcher Access Service, your information may be shared to parties who aid in the facilitation of the service and support any application issues. This includes Appian’s customer support team, relevant (authenticated) individuals who comprise the application review panel, and eDRIS employees.

In line with their responsibilities as an organisation and as frontline operators of the Researcher Access Service, eDRIS staff will share specific details of projects and researchers’ Information Governance training to their ServiceNow platform; for the purposes of keeping on top of researcher training, time logging and auditing as a Trusted Research Environment. More information around this process and how your data is being handled can be found in the Public Health Scotland privacy notice.

In the event that your research request requires further authoritative sign-off, your application and contact details will be shared to the Public Benefit and Privacy Panels for their concluding review.

Following a successful application (where data access has been granted), relevant application details may be collected and stored by RDS for platform audit, review and development purposes. In the process of facilitating data access, we may share this information internally or with partner organisations such as the Electronic Data Research and Innovation Service (eDRIS), Edinburgh Parallel Computing Centre (EPCC), Scottish Government and data controllers such as Public Health Scotland for the purposes of the managing access to research data.

We will not share your data with third parties unless your application for access to research data requires us to validate your details. We will then share your data with these third parties as part of the researcher screening process. We will always ask for your consent before processing this type of data as part of our researcher screening.

If your application for access to research data is unsuccessful, RDS may keep your personal data on file in case there are requests from you that are to be considered in the future. We will ask for your consent before we keep your data for this purpose, and you are free to withdraw your consent at any time. 

How your personal information is stored

During your use of the Researcher Access Service, your contact information, application details, and RAS progression information will primarily be stored on the cloud-based Appian platform. However, Appian may process data outside of the EEA in order to aid customer support functions. For more information, please refer to Appian’s data processing terms.

Following a successful application (where data access has been granted), relevant application details may be collected and stored by RDS for platform audit, review and development purposes. Following this collection, we will then review your information on an annual basis and assess against a specific criteria if it is necessary and lawful to retain it for longer, if not your information will be securely deleted/destroyed.

In line with their responsibilities as an organisation and as frontline operators of the Researcher Access Service, eDRIS staff will store specific details of projects and researchers’ Information Governance training on their ServiceNow platform; for the purposes of keeping on top of researcher training, time logging and auditing as a Trusted Research Environment. More information around this process can be found in the Public Health Scotland privacy notice.

Last Updated 22 Jul 2024