Knowledge Base Section 2: Organisations and Bodies

Organisation needs to be recognised by ICO – From 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 require every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt.

Section 2 summarises the various organisations which have a stake in your project. This should include your home institution, any partner organisations or collaborators, including those who host or process the data, and the body funding your proposal. It is assumed that your organisation will be one with oversight and responsibility for the data, its safe processing and storage, and, if you receive the data, will become the joint data controller.

Commercial organisations and organisations outwith the UK will be required to partner with a UK-based public sector organisation for access to and processing of NHS Scotland data.

2.1 Organisation or Body Leading Proposal

  • Usually the organisation of the applicant
  • Takes responsibility for the correct handling of the data
  • Will be the organisation sued by ICO for any data breach

2.2 Main contact for lead organisation

  • Holds applicant and team accountable for the data
  • Cannot be the applicant or anyone in section 1

2.3 Funding organisation(s)

  • Is funding in place?
  • Potential conflicts of interest?

Note: Increasing use of collaborations between commercial organisations and researchers

Things to consider:
      • Needs an NHS / University partner
      • What level of access will the organisation have to the data requested?
      • Will the data be transferred outside of the EU/EEA?
      • Will the data be stored / transferred to a Cloud?
      • What does the commercial partner bring that cannot be done by public sector partners?
      • Why should someone else make money out of your health data that was given freely?

Links to the other sections

Section 1: People Involved

Section 3: Overview

Section 4: Data, Data Subjects and Methodology 

Section 5: Safe Data Processing and Security

Section 6: Outputs and Dissemination 

Section 7: Declaration

Here is an example of a completed HSC-PBPP Application using fictional data.

Contact eDRIS Team phs.edris@phs.scot