
Research data security: frameworks, compliance and best practice

Find details on key security considerations for research and guidance on how to comply.

Introduction

Research Data Scotland (RDS) is committed to the highest standards of data security. Our processes and services, including the Researcher Access Service (RAS), have been designed with the utmost consideration for information governance (IG) standards and are underpinned by the Five Safes Framework.

RDS has an Information Sharing Agreement in place with Public Health Scotland (PHS), which makes RDS a joint data controller for specific sets of PHS controlled data. This enables RDS to make improvements in data provisioning for research. RDS will take on responsibility, as data controller, for creating new streamlined approval processes, including the RAS Approval Pathway. 

The following information sheds light on our IG underpinnings while helping researchers understand data security. Together, we will facilitate high quality research that is safe, transparent and meets ethical standards.

Security and privacy by design

RDS is committed to protecting people’s personal data and ensuring that research for the public good is carried out transparently. All research requests submitted to RDS follow a strict process to ensure data is kept secure and can only be accessed for research that will deliver public benefit.  

Applying data protection principles

UK GDPR requires organisations to establish appropriate technical measures to implement data protection principles and safeguard individuals’ rights. This is known as “data protection by design and by default.” Accordingly, organisations must embed data protection into processing activities and business practices, from the design stage onwards.  

This concept was previously known as “privacy by design” and has long formed part of data protection law. Since UK GDPR came into force, “data protection by design and by default” is the legal requirement.

ICO guidance on data protection and sharing

The Information Commissioner’s Office (ICO) provides guidance on its website on integrating data protection by design into all processes involving personal data. 

The ICO also explains how data protection applies when sharing personal data and provides guidance on compliance. This guidance applies to all organisations, whether public, private or third sector, and covers the systematic sharing of personal data in addition to ad-hoc or one-off requests to share personal data. 

Scottish Government guiding principles for data linkage

The Scottish Government has published guidance around data linkage to support the safe and appropriate use of public sector data for research and statistical purposes. This guidance ensures that data linkage takes place within a controlled environment, and that the research carried out is legal, ethical, secure and efficient.  

Importantly, the Scottish Government’s guidance requires that the linkage of data is performed for research and statistical purposes only, where there is no direct impact on, or risk to, an individual because of information about them being linked. 

EPCC, which operates the Scottish National Safe Haven (NSH), has been accredited for the provision of public sector data. This accreditation comes under the Digital Economy Act 2017, which facilitates the linking and sharing of datasets held by public authorities for approved research in the public good. 

National Performance Framework

Research can only be conducted if the proposed outcomes contribute to the public good, for example, research that is in support of the National Performance Framework. This framework for all of Scotland aims to:  

  • create a more successful country 
  • give opportunities to all people living in Scotland 
  • increase the wellbeing of people living in Scotland 
  • create sustainable and inclusive growth 
  • reduce inequalities and give equal importance to economic, environmental and social progress. 

The Five Safes

The Five Safes framework is a set of principles designed to ensure safe and secure access to confidential or sensitive data. Originally developed by the Office for National Statistics and other data providers in the 2010s, the framework enables data providers to deliver controlled access to data while fulfilling the requirements of open research and transparency.

Our Researcher Access Service was designed on the basis of the Five Safes Framework to ensure the utmost attention to data security.

[Figure: icons representing the Five Safes: People, Projects, Settings, Data and Outputs]

A range of Trusted Research Environments (TREs) across the UK have adopted the Five Safes framework to guide their data security processes. The Five Safes comprise: 

  • Safe people: All researchers who require access to secure data for their projects are subject to an application process and must be approved by the data provider. Researchers must also undergo appropriate information governance and data protection training, as well as demonstrate that they have the necessary technical skills to use the data, usually through academic qualifications or practical research experience. 
  • Safe projects: Access to data is only granted for research in the public good. As part of the application process, researchers are required to demonstrate that their projects will use data appropriately and ethically, deliver clear public benefit, and that they will publish their results to enable use, scrutiny and further research.   
  • Safe settings: Data can only be retrieved and analysed within a secure analytical environment such as a trusted research environment (TRE), which provides controlled access to secure datasets. Access to TREs may be remote or physical depending on the nature of the data requested. Read more about safe settings on our Trusted Research Environments and data access page.  
  • Safe data: Data providers ensure that researchers are only able to access data that’s required in order to answer the project’s research questions. One way to achieve this is de-identification, in which any details that could potentially identify an individual, such as names, addresses and identification numbers, are removed or pseudonymised before data is made available for analysis.
  • Safe outputs: All research outputs undergo disclosure assessment and statistical checking performed by one or two trained professionals to ensure outputs meet strict confidentiality standards before aggregated data can be released from the TRE. During this process, any potentially re-identifiable outliers are removed. 

Securing research data: eDRIS and the Scottish National Safe Haven

eDRIS data security provisions

Researchers requiring access to secure datasets will work with Research Coordinators from eDRIS, the electronic Data Research and Innovation Service within Public Health Scotland (PHS). To ensure data security and confidentiality, eDRIS follows the Scottish Government’s Guiding Principles for Data Linkage and adopts international best practice standards, including the following: 

  • Secure data provisioning and backup delivered through state-of-the-art secure data technology within the Scottish National Safe Haven. 
  • Robust information governance procedures that balance data protection and privacy with the need to support research that delivers public benefit. Data will only be accessed by researchers affiliated with approved organisations within TREs.  
  • Secure file transfer protocols to support the transmission of data between data providers and TREs. 
  • Strict de-identification methods, in which separation of roles and robust indexing procedures minimise the risk of breaching individuals' privacy when confidential, sensitive data is used. Personal identifiers are kept separate from the attribute/content data.
  • Controlled data linkages created and maintained using rigorous, internationally accepted privacy-preserving protocols with direct or probabilistic matching, and with clerical review available to increase matching accuracy where required. Any data can be requested for ethically approved research that aims to benefit the public in Scotland. Completion of missing data, to improve quality and allow linkage between datasets, can also be provided.
  • Secure environments (TREs/safe havens) provided for researchers to analyse de-identified individual level or summarised records. TRE access is dependent upon the nature of the data requested for a research project. 
  • Confidentiality guaranteed through restricted access to securely stored confidential data. eDRIS uses statistical disclosure control methods on statistical outputs, such as graphics, tables or regression analyses, prior to release to ensure disclosure agreements are supported. 
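As an added illustration, not eDRIS's or RDS's own code and not a description of their actual indexing system, the following Python shows the separation of roles behind the de-identification and linkage bullets above and the small-cell suppression used in statistical disclosure control of outputs: the indexer holds the key and the identifier-to-study-ID index, the researcher sees only pseudonymised attribute rows, and the output checker suppresses cells below a threshold before release. The record values, field names, key and threshold are all constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample extract (not real data): identifiers and content arrive together.
RAW_RECORDS = [
    {"chi": "0101011234", "name": "A. Example", "postcode": "EH8 9AB", "age_band": "40-49", "condition": "asthma"},
    {"chi": "0202022345", "name": "B. Example", "postcode": "G1 1AA", "age_band": "40-49", "condition": "asthma"},
    {"chi": "0303033456", "name": "C. Example", "postcode": "AB10 1AB", "age_band": "40-49", "condition": "asthma"},
    {"chi": "0404044567", "name": "D. Example", "postcode": "DD1 1AA", "age_band": "50-59", "condition": "asthma"},
    {"chi": "0505055678", "name": "E. Example", "postcode": "IV1 1AA", "age_band": "50-59", "condition": "diabetes"},
]
IDENTIFIERS = {"chi", "name", "postcode"}


def pseudonymise(records, index_key):
    """Indexer role (hypothetical): replace the CHI with a keyed study ID and split
    each record into an index entry (identifier -> study ID, retained only by the
    indexer) and an attribute row (study ID plus content, released for analysis).
    The same key gives the same study ID, so a second dataset indexed with it can
    be linked to this one without the researcher ever seeing an identifier."""
    index, attribute_rows = {}, []
    for rec in records:
        study_id = hmac.new(index_key, rec["chi"].encode(), hashlib.sha256).hexdigest()[:16]
        index[rec["chi"]] = study_id
        attribute_rows.append({"study_id": study_id,
                               **{k: v for k, v in rec.items() if k not in IDENTIFIERS}})
    return index, attribute_rows


def tabulate(attribute_rows, column):
    """Researcher role: an aggregate count, the kind of output requested for release."""
    return dict(Counter(row[column] for row in attribute_rows))


def disclosure_check(counts, threshold=3):
    """Output-checker role: suppress (None) any cell whose count is below the
    threshold, since a small cell could point to an identifiable individual.
    The threshold value is a constructed example, not an eDRIS rule."""
    return {cell: (n if n >= threshold else None) for cell, n in counts.items()}


if __name__ == "__main__":
    key = b"indexer-only-secret"  # constructed; in practice held only by the indexing team
    index, rows = pseudonymise(RAW_RECORDS, key)
    assert not any(IDENTIFIERS & row.keys() for row in rows)  # no identifiers reach the researcher
    print(disclosure_check(tabulate(rows, "condition")))  # {'asthma': 4, 'diabetes': None}
```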

These measures aim to ensure data providers are confident of the security of their data. Researchers can request more detailed information from their eDRIS Research Coordinators. 

Data security within the Scottish National Safe Haven

Secure access to national administrative and health data is provided through the Scottish National Safe Haven (NSH), a trusted research environment (TRE) provided by the EPCC at the University of Edinburgh and operated by eDRIS. The NSH is one of five TREs set up as collaborations between academia and NHS Scotland boards as part of the Charter for Safe Havens in Scotland (2015).  

The NSH meets several national and international security standards (ISO 27001:2013, Cyber Essentials, NHS England’s Digital Security Protection Toolkit and Digital Economy Act (2017) accreditation), and penetration testing is performed annually. In a penetration test, an external company is contracted to test the security of the system by simulating a cyberattack; this identifies weaknesses that could be exploited and checks that the procedures for dealing with breaches work as intended.

Approved researchers are provided with study-specific logins, designed to prevent access across studies and to expose only the data required for their own study. Remote access to data in the NSH requires two-factor authentication, and only authorised IP ranges are allowed to connect. Furthermore, study areas within the NSH have restricted permissions governing what can be accessed and edited, and users cannot connect to the internet or make any other external connections.

All transfer of data into the National Safe Haven is performed by eDRIS staff via a secure file transfer process. Any outputs requested by researchers are subject to strict statistical checking and disclosure assessment to ensure that no individuals can be identified and that the outputs meet the highest confidentiality standards. 

Sanctions for misusing data

Research Data Scotland (RDS) and its partners are focussed on preventing misuse of data rather than issuing penalties. Furthermore, we believe that sanctions for misusing data will only be an effective deterrent if they are fully understood.  

Before data access is provided, each approved researcher must sign the eDRIS User Agreement. This Agreement outlines sanctions and penalties which may be applied in cases of non-compliance.  

An example offence is transferring login details to any other user. In this case, a first offence would result in a one-year access suspension, while a second offence would result in permanent suspension. 
