Knowledge Base Section 4: Data, Data Subjects and Methodology

This should cover every dataset and variable you will require. eDRIS recommend submitting variable lists as a supporting document in the form of an Excel file with a sheet for each dataset. This applies particularly to projects with long variable lists and/or several datasets. Variable lists must include a “processing only” column to identify variables on each dataset which are needed to create the extract but will not be used for analysis. CHI and other personal identifiers are the most common processing only variables. eDRIS can provide a template for a suitable variable specification document. If you provide your variable list as a supporting document, do not duplicate it in the application form. The request for the datasets and, in some cases, specific variables, and how they achieve the aims and objectives of your proposal, should be justified in section 3. The data protection principle of data minimisation must be followed, such that only the minimum amount of data required to achieve the purposes of the proposal is requested. The Tier 1 panel will question the range of variables / datasets requested if they do not feel these have been justified.

4.1 “New data” should only include data that is being specifically gathered for the first time for the purposes of this proposal, i.e. data already held in case notes and transferred to a form is not “new” data, but a survey filled out by clinicians in order to gather information not recorded anywhere else is “new”.

4.2 You must show how the subjects have been informed about the use of their data. This is from the first data protection principle: processing must be lawful, transparent and fair. Even if your proposal is unconsented, subjects must be able to find information that tells them their data can be used without their consent in certain circumstances. Suitable evidence includes patient information leaflets and organisational privacy notices.

4.3 You must include a justification for any identifiable or potentially identifiable variables you request. Common examples would be full date of birth (D.O.B), ethnicity, postcode, Community Health Index (CHI) number. These must be listed in the application form in the second part of 4.3 as well as in the full variable list, and a justification provided for each one. Consider carefully whether you really need the variable you’re asking for, and if you do, explain why. Please be aware that, even if you do not request personal identifiers, the combinations of specific variables can make individuals identifiable, especially with rare diseases, geographical locations and small populations. In rural Scotland, a full postcode can map to only one specific house.

Sources of data

New data

  • How is it being collected?
  • Who is the data controller?

Existing datasets

  • Who are the data controllers?
  • If not NHSS, do you have permission?
  • Justify use of specific datasets / variables

Cohort identification and/or data linkage

  • Who is doing it and how?
  • Should be by third party

Contact with individuals for this proposal?

  • Includes patients, family members, NHSS staff.

Are the identifiers to be used for processing only (i.e. not part of the dataset to be used for analysis)?

Are the data to be returned to you identifiable?

  • If so, need to justify

Do the combinations of variables make individuals identifiable (Disclosure)?

  • Geography / time period / rare conditions / diseases

Purpose Limitation and Data minimisation

Please note, current data protection law principles include processing data for specific purposes (GDPR Article 5.1.b purpose limitation) and limiting it to what is necessary for the purpose (GDPR Article 5.1.c data minimisation).

  • Cannot get a data dump and then work out what you want.
  • Reduced variables e.g. partial dates (mm/yyyy), postcode sector.
  • Amendments – need to justify extra variables.
  • Derived variables: e.g. age, SIMD.

How do individuals know of the use of their data?

  • Would they expect you to do this with it?
  • Patient information leaflets and consent forms.
  • Are the data requested in line with the information given to patients?
  • Need to be GDPR/DPA2018 compliant.

Privacy notices

Generic NHS leaflets/website links

Here is an example of a completed HSC-PBPP Application using fictional data.

Contact the eDRIS Team: phs.edris@phs.scot