Knowledge Base Section 3: Overview

Information about the project

Background / Aims / Methods / Study design

  • Clear description and objectives in lay terms
  • Tier 1 reviewers are not researchers
  • HSC-PBPP scrutinise applications across every discipline

Will data requested fulfil the objectives?

  • Be clear about data requested
  • Data can only be provided for processing for specific purposes (GDPR Article 5.1.b purpose limitation) and must be limited to what is necessary for the purpose (GDPR Article 5.1.c data minimisation).
  • Justify why you need all variables
  • Don’t request everything possible and then decide what you need; that’s a breach of data protection law.

Section 3 is the part of the application which explains your project and justifies the need for it. Focus on clearly and concisely completing these sections in language that is understandable to a lay person, as the Tier 1 panel are Information Governance experts, not scientists or clinicians. Therefore, avoid technical, subject-specific language and explain acronyms.

3.1.06-3.1.09 – Use these sections to give the background and justification of your proposal, to demonstrate how your project will benefit the public, as well as show your understanding of the Information Governance issues specific and inherent to your project. Please show that you have considered how to balance the privacy risks and public benefits when designing the study. The requirement for the datasets requested should be fully justified in the light of the aims and objectives of the proposal.

3.1.11 A data flow diagram is required, as these are very helpful in showing clearly how data will move through the project, whether the data are identifiable or pseudonymised, who has access to and who is responsible for the data at any point, and how it will be kept secure at every stage.

3.1.17 Providing completed Information Commissioner’s Office (ICO) screening questions for a Data Protection Impact Assessment (DPIA) as a supporting document is good practice and an appropriate way to demonstrate that you have thought about and addressed any privacy risks. Completing a full DPIA may also be a legal obligation, depending on the type and extent of data processing in your proposal, so we advise very strongly that you work through the screening questions and discuss the outcomes with your organisation’s Data Protection Officer (DPO). Correspondence with your DPO can also be cited as evidence that you have taken expert advice when designing your study. If you do not think a DPIA is required, the reasons why not must be clearly documented.

  • DPIA should cover the whole project (HSC-PBPP might only cover NHS Scotland element of project).
  • A DPIA is a legal requirement for high risk processing of data.
  • Small projects / rare diseases can be thought of as being as risky as big projects.

3.2.02 It is essential that you select a lawful basis for processing the data you wish to process. Your study cannot be submitted without this. To be approved to process health data you must select an appropriate lawful basis from Article 6 (for personal data) and Article 9 (for special category data) of GDPR. Resources are available from the ICO and from the MRC to help you with this. If you are accessing pseudonymised data, this still counts as personal data and the lawful bases for processing it are required. If personal identifiers will be accessed at any point in processing the data, by yourself or a third party on your behalf, even if the ultimate output is anonymised, the lawful bases for processing personal data are still required.

Most applicants use the following legal bases:

For Processing Personal Data

6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject.

Please cite the specific legislation that applies.

6(1)(e) processing is necessary for the performance of a task carried out in the public interest.

Other: if using another legal basis under Article 6(1) please cite specific basis.

For processing Special Category Data

9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

9(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care, and of medicinal products or medical devices.

9(2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).

Other: if using another legal basis please cite specific basis.

Be aware that Scotland may have different legal requirements or policies in force from other UK home countries, e.g. withdrawal of consent.

Speak to your organisation’s data protection team. They are there to protect you and the organisation.

3.2.04 and 3.3.01. Other approvals or agreements and ethical approval might be required for some applications. It is the responsibility of the applicant to ensure that these are in place.

Overall, section 3 is your opportunity to describe how your study will work and show that it is a well-designed, safe, legal and beneficial project, all of which are key to it being approved.

Public engagement – See Public Engagement Resources

  • Have any lay people been involved in design? If not, why not?
  • Do the public see the benefit in the sort of study you wish to do?
  • Do they feel that the types of data requested are reasonable?

Peer review

  • Has anyone else looked at your proposal to see if there are flaws in design or analysis plan? If not, why not?

Patient level data – if pseudonymised, still counts as personal data (ICO) and GDPR applies, even in a Safe Haven.

Other approvals

If processing data on behalf of another data controller, HSC-PBPP will want to see a Data Processing Agreement.

Approvals from outwith Scotland (e.g. CAG).

Approvals from other data controllers for linkage to non-health data (also please be aware of their/our time-scales).

Ethics

Has there been an ethical review?

Non-research projects don’t tend to need ethical opinion (e.g. Audits, service improvement etc.).

If you ticked research in 3.1.04, you need to have some evidence of advice from Ethics, or the HRA algorithm, for why you don’t need an ethical opinion.

Sometimes Tier 2 might ask for one anyway.

Links to the other sections

Section 1: People Involved

Section 2: Organisations & Bodies

Section 4: Data, Data Subjects and Methodology 

Section 5: Safe Data Processing and Security

Section 6: Outputs and Dissemination 

Section 7: Declaration

Here is an example of a completed HSC-PBPP Application using fictional data.


Contact eDRIS Team phs.edris@phs.scot
