How RDS works with eDRIS
Discover how we work together with our eDRIS colleagues to provide data access support.
Find details on key security considerations for research and guidance on how to comply.
Research Data Scotland (RDS) is committed to the highest standards of data security. Our processes and services, including the Researcher Access Service (RAS), have been designed with the utmost consideration for information governance (IG) standards and are underpinned by the Five Safes Framework.
RDS has an Information Sharing Agreement in place with Public Health Scotland (PHS), which makes RDS a joint data controller for specific sets of PHS-controlled data. This enables RDS to make improvements in data provisioning for research. RDS will take on responsibility, as data controller, for creating new streamlined approval processes, including the RAS Approval Pathway.
The following information sheds light on our IG underpinnings while helping researchers understand data security. Together, we will facilitate high quality research that is safe, transparent and meets ethical standards.
RDS is committed to protecting people’s personal data and ensuring that research for the public good is carried out transparently. All research requests submitted to RDS follow a strict process to ensure data is kept secure and can only be accessed for research that will deliver public benefit.
UK GDPR requires organisations to establish appropriate technical measures to implement data protection principles and safeguard individuals’ rights. This is known as “data protection by design and by default.” Accordingly, organisations must embed data protection into processing activities and business practices, from the design stage onwards.
This concept was previously known as “privacy by design” and has always been part of data protection law. Since the implementation of UK GDPR, “data protection by design and by default” is now the legal requirement.
The Information Commissioner’s Office (ICO) provides guidance on its website on integrating data protection by design into all processes involving personal data.
The ICO also explains how data protection applies when sharing personal data and provides guidance on compliance. This guidance applies to all organisations, whether public, private or third sector, and covers the systematic sharing of personal data in addition to ad-hoc or one-off requests to share personal data.
The Scottish Government has published guidance around data linkage to support the safe and appropriate use of public sector data for research and statistical purposes. This guidance ensures that data linkage takes place within a controlled environment, and that the research carried out is legal, ethical, secure and efficient.
Importantly, the Scottish Government’s guidance requires that the linkage of data is performed for research and statistical purposes only, where there is no direct impact on, or risk to, an individual because of information about them being linked.
EPCC, which operates the Scottish National Safe Haven (NSH), has been accredited for the provision of public sector data. This accreditation comes under the Digital Economy Act 2017, which facilitates the linking and sharing of datasets held by public authorities for approved research in the public good.
Research can only be conducted if the proposed outcomes contribute to the public good, for example, research that is in support of the National Performance Framework. This framework for all of Scotland aims to:
The Five Safes framework is a set of principles designed to ensure safe and secure access to confidential or sensitive data. Originally developed by the Office for National Statistics and other data providers in the 2010s, the framework enables data providers to deliver controlled access to data while fulfilling the requirements of open research and transparency.
Our Researcher Access Service was designed on the basis of the Five Safes Framework to ensure the utmost attention to data security.
A range of Trusted Research Environments (TREs) across the UK have adopted the Five Safes framework to guide their data security processes. The Five Safes comprise:
Researchers requiring access to secure datasets will work with Research Coordinators from eDRIS, the electronic Data Research and Innovation Service within Public Health Scotland (PHS). To ensure data security and confidentiality, eDRIS follows the Scottish Government’s Guiding Principles for Data Linkage and adopts international best practice standards, including the following:
These measures aim to ensure data providers are confident of the security of their data. Researchers can request more detailed information from their eDRIS Research Coordinators.
Secure access to national administrative and health data is provided through the Scottish National Safe Haven (NSH), a trusted research environment (TRE) provided by the EPCC at the University of Edinburgh and operated by eDRIS. The NSH is one of five TREs set up as collaborations between academia and NHS Scotland boards as part of the Charter for Safe Havens in Scotland (2015).
The NSH meets several national and international security standards (ISO 27001:2013, Cyber Essentials and NHS England’s Digital Security Protection Toolkit), is accredited under the Digital Economy Act (2017), and undergoes penetration testing on an annual basis. In a penetration test, an external company is contracted to fully test the security of a system by simulating a cyberattack. This helps discover potential points that could be exploited and confirms that the systems in place to deal with breaches operate as intended.
Approved researchers are provided with study-specific logins, designed to prevent cross access, and with only the data required for their study. Remote access to the data in the NSH requires two-factor authentication, and only authorised IP ranges are allowed to connect. Furthermore, study areas within the NSH have restricted permissions regarding what can be accessed and edited, and users have no ability to connect to the internet or make external connections.
All transfer of data into the National Safe Haven is performed by eDRIS staff via a secure file transfer process. Any outputs requested by researchers are subject to strict statistical checking and disclosure assessment to ensure that no individuals can be identified and that the outputs meet the highest confidentiality standards.
Research Data Scotland (RDS) and its partners are focussed on preventing misuse of data rather than issuing penalties. Furthermore, we believe that sanctions for misusing data will only be an effective deterrent if they are fully understood.
Before data access is provided, each approved researcher must sign the eDRIS User Agreement. This Agreement outlines sanctions and penalties which may be applied in cases of non-compliance.
An example offence is transferring login details to any other user. In this case, a first offence would result in a one-year access suspension, while a second offence would result in permanent suspension.