How to apply

Preparation

If you are considering making an application for access to data, you should:

  1. Look at the Handy Hints for Applicants – a brief summary of feedback points received from applicants. If you are only going to read one document, make it this one.
  2. Read what HSC-PBPP have to consider when scrutinising your application: the Panel Guiding Principles and Proportionate Governance Criteria.
  3. Know that NHS Scotland HSC-PBPP, Public Health Scotland (PHS) eDRIS and Research Data Scotland (RDS) are separate services.
  4. Know that eDRIS supports your data, analytical and access needs (you discuss and complete the eDRIS forms).
  5. Know that the HSC-PBPP is a governance structure of NHSScotland (NHSS) that scrutinises and considers your application's purpose for public benefit and information governance requirements (you complete the HSC-PBPP application form; your eDRIS contact will assist).
  6. Read the HSC-PBPP Guidance for Applicants v4.0 document.
  7. Look at the examples of completed HSC-PBPP application key documents (Application Form, DPIA, Privacy Notice)
  8. Read through the RDS guidance on accessing data, particularly the data access overview and pre-application checklist.
  9. Look at the Hints and Tips to complete a HSC-PBPP Application form
  10. Read the article from an applicant, Dr Elizabeth Lemmon, Research Fellow in Health Economics, Edinburgh Clinical Trials Unit (ETU): The Whys and Hows of applying to the Public Benefit and Privacy Panel for Health and Social Care (PBPP), delivered in March 2020. The Top Tips for filling in your HSC-PBPP form are great.
  11. Speak to your organisation's Information Governance or data protection service; they are there to protect the data subject, you and your organisation. Some data protection laws are different in Scotland, e.g. section 251 of the National Health Service Act 2006 does not apply in Scotland. Your information governance or data protection service can advise.
  12. Complete an initial enquiry form on the Research Data Scotland (RDS) website.

You will be assigned to an individual PHS eDRIS application coordinator who will work with you as a single point of contact and will advise you on how to approach the eDRIS application process including completion of the HSC-PBPP Application form.

A PHS eDRIS team member will contact you to discuss and guide you through the process.

After this, you can download the HSC-PBPP Application Form V4.0 for completion. This is the only version that is accepted.

The HSC-PBPP application form has been updated, with in-form guidance notes, to help applicants complete it. Completing the application form, with the necessary information clearly provided, can allow a Tier 1 HSC-PBPP scrutiny panel to consider and come to a decision about your application without the need for clarifications. The HSC-PBPP Guidance for Applicants has been updated (V4) to give further assistance. Please also see the hints and tips for applicants on this website.

You must submit your HSC-PBPP application via your eDRIS application coordinator.

Contact the eDRIS Team at phs.edris@phs.scot.

Information about eDRIS is available on their website.

HSC-PBPP Applications must be:

  • supported by the right approvals where appropriate (including applicant's organisation, ethics, peer review, training certificates, systems security certification)
  • completed fully, answering all the questions (what is required is detailed in the HSC-PBPP Guidance for Applicants V4.0)
  • written with all descriptions in everyday terms that a layperson can understand, as application scrutiny benefits from lay and non-clinical representation.

Applications must clearly demonstrate consideration and knowledge of:

  • Public Benefit
  • Information Governance (people, places, project, data)
  • Privacy considerations
  • Commercial Access
  • Data sources
  • Ethics
  • eDRIS
  • Safe Haven

The Law

Access to NHS Scotland data is governed by Data Protection principles and law.

Personal Identifiable data can only be processed (see ICO definition of Processing) “... for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)” (Art 5.1.b) and “... adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)” (Art 5.1.c).

Applicants must specify and justify the minimum data to complete the proposed analysis (UKGDPR and DPA2018 principles).

Legal Bases for processing personal and special category data.

It is essential that you select a lawful basis for processing the data you wish to access. Your study cannot be submitted without this. To be approved to process health data you must select an appropriate lawful basis from Article 6 (for personal data) and Article 9 (for special category data) of GDPR. Resources are available from the ICO and from the MRC to help you with this. If you are accessing pseudonymised data, this still counts as personal data and the lawful bases for processing it are required. If personal identifiers will be accessed at any point in processing the data, by yourself or a third party on your behalf, even if the ultimate output is anonymised, the lawful bases for processing personal data are still required.

Most applicants use the following legal bases:-

For Processing Personal Data

6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject.

Please cite the specific legislation that applies.

6(1)(e) processing is necessary for the performance of a task carried out in the public interest.

Other: if using another legal basis under article 6(1) please cite specific basis.

For processing Special Category Data

Be very aware, UKGDPR states in Article 9:-

  1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

UNLESS you satisfy one of the conditions A-J.

9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

9(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care, and of medicinal products or medical devices.

9(2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).

Other: if using another legal basis please cite specific basis.

Speak to your organisation data protection team. They are there to protect the data subject, you and your organisation.

Finally

File naming and Versioning of HSC-PBPP application forms.

Documents that do not follow the HSC-PBPP file naming or versioning guidance will not be accepted by HSC-PBPP.

File Naming of HSC-PBPP application forms:

An acceptable file name is:

  • Reference Number provided by PHS eDRIS followed by
  • the applicant name followed by
  • HSC PBPP Application followed by
  • the version number.

e.g. 2122-9999 Name HSC PBPP Application Vx

No other information is required in the file name.

The applicant is free to provide documentation to organisation, information security or project governance stakeholders with whatever naming convention and format they require for their purposes.

File naming of support documents

  • Document no., e.g. SD1
  • Document type / description, e.g. protocol, DPIA
  • Filename (use short names), e.g. SD1 protocol YYYY-1234 Surname, e.g. SD2 DPIA YYYY-1234 Surname

DO NOT provide support documents with long file names, for example:

“ABC-2018-DSA-02 – External Data Sharing Agreement between Applicant Organisation and University of X – First Name Last Name – Study Title – signed”

“SD2 DSA YYYY-1234 Surname” is acceptable.

You may have file naming conventions for your project; however, you must follow the HSC-PBPP guidance for document submission.

The HSC-PBPP have to share application and support documents with remote panel members, and files with long names either cannot be opened or cause difficulties between systems.

Versioning

A new application, or an amendment to an approved application, takes a whole version number.

An updated version, e.g. one providing requested clarifications, adds a decimal until approval.

e.g.

  • New application is V1. Accepted and approved as V1.
  • New application is V1. Clarifications required. Updated application is V1.1. Accepted and approved as V1.1.
  • New application is V1. Clarifications required. Updated application is V1.1. Further clarification required. Updated application is V1.2. Accepted and approved as V1.2.
  • First amendment request to an approved version V1 – V1.x is supported by application V2. Accepted and approved as V2.
  • First amendment request to an approved version V1 – V1.x is supported by application V2. Clarifications required. Updated application is V2.1. Accepted and approved as V2.1.
  • First amendment request is supported by application V2. Clarifications required. Updated application is V2.1. Further clarification required. Updated application is V2.2. Accepted and approved as V2.2.

Plan well ahead and have a timescale that includes:

  • the HSC-PBPP public benefit and information governance scrutiny process,
  • eDRIS and data controllers providing the approved data. The HSC-PBPP approval provides assurance to data controllers that you are a safe person or organisation to have access to their data. The data controller retains the authority to refuse access to the data under their controllership,
  • DPIA and other data sharing/processing agreements signed off.

Full details are provided in the HSC-PBPP Guidance for Applicants V4.0 document.

The eDRIS email address is phs.edris@phs.scot.

Full details of how we use your information, and how we maintain your right to privacy, can be found on the Public Health Scotland Privacy and Cookies page.