{"id":885,"date":"2018-10-25T07:38:34","date_gmt":"2018-10-25T07:38:34","guid":{"rendered":"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/?page_id=885"},"modified":"2025-11-07T14:58:35","modified_gmt":"2025-11-07T14:58:35","slug":"ht-section-3overview","status":"publish","type":"page","link":"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/ht-section-3overview\/","title":{"rendered":"Knowledge Base Section 3:Overview"},"content":{"rendered":"<p><strong>Information about the project<\/strong><\/p>\n<p>Background \/ Aims \/ Methods \/ Study design<\/p>\n<ul>\n<li>Clear description and objectives<strong> in lay terms<\/strong><\/li>\n<li>Tier 1 reviewers are not researchers<\/li>\n<li>HSC-PBPP scrutinise applications across every discipline<\/li>\n<\/ul>\n<p>Will data requested fulfil the objectives?<\/p>\n<ul>\n<li>Be clear about data requested<\/li>\n<li>Data can only be provided for processing for specific purposes (UK GDPR Article 5.1.b, purpose limitation) and must be limited to what is necessary for those purposes (UK GDPR Article 5.1.c, data minimisation).<\/li>\n<li>Justify why you need all variables<\/li>\n<li><strong>Don&#8217;t request everything<\/strong> possible and then decide what you need; <strong>that&#8217;s a breach of data protection law<\/strong>.<\/li>\n<\/ul>\n<p><strong>Section 3 is the part of the application which explains your project and justifies the need for it.<\/strong> Focus on clearly and concisely completing these sections<strong> in language that is understandable to a lay person<\/strong>, as the Tier 1 panel are Information Governance experts, not scientists or clinicians.
Therefore, avoid technical, subject-specific language and explain acronyms.<\/p>\n<p><strong>3.1.06-3.1.09 &#8211;<\/strong> Use these sections to give the background and justification of your proposal, to demonstrate how your project will benefit the public, as well as show your understanding of the Information Governance issues specific and inherent to your project. Please show that you have considered how to balance the privacy risks and public benefits when designing the study. <strong>The requirement for the datasets requested should be fully justified in the light of the aims and objectives of the proposal.<\/strong><\/p>\n<p><strong>3.1.11<\/strong> &#8211; <strong>A data flow diagram is required<\/strong> as these are very helpful in showing clearly how data will move through the project, whether the data are identifiable or pseudonymised, who has access to and who is responsible for the data at any point and how it will be kept secure at every stage.<\/p>\n<p><strong>3.1.17<\/strong> Providing completed Information Commissioner\u2019s Office (ICO) screening questions for a Data Protection Impact Assessment (DPIA) as a supporting document is good practice and an appropriate way to demonstrate that you have thought about and addressed any privacy risks. Completing <strong>a full DPIA may also be a legal obligation<\/strong>, depending on the type and extent of data processing in your proposal, so we advise very strongly that you work through the screening questions and <strong>discuss<\/strong> the outcomes <strong>with your organisation\u2019s Data Protection Officer<\/strong> (DPO). Correspondence with your DPO can also be cited as evidence that you have taken expert advice when designing your study.
<strong>\u00a0If you do not think a DPIA is required, the reasons why not must be clearly documented.<\/strong><\/p>\n<ul>\n<li>DPIA should cover <strong>the whole project<\/strong> (HSC-PBPP might only cover NHS Scotland element of project).<\/li>\n<li>A DPIA is a legal requirement for high risk processing of data.<\/li>\n<li>Small projects \/ rare diseases can be thought of as being as risky as big projects.<\/li>\n<\/ul>\n<p><strong>3.2.02<\/strong> It is essential that you select a<strong> lawful basis for processing<\/strong> the data you wish to process. Your study <strong>cannot be submitted<\/strong> without this. To be approved to process health data you <strong>must <\/strong>select an appropriate lawful basis from <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/lawful-basis-for-processing\/\">Article 6<\/a> (for personal data) <strong>and <\/strong><a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/special-category-data\/what-are-the-conditions-for-processing\/\">Article 9<\/a> (for special category data) of GDPR. <a href=\"https:\/\/ico.org.uk\/for-organisations\/uk-gdpr-guidance-and-resources\/lawful-basis\/a-guide-to-lawful-basis\/\">Resources are available from the ICO<\/a> and from <a href=\"https:\/\/mrc.ukri.org\/research\/facilities-and-resources-for-researchers\/regulatory-support-centre\/gdpr-resources\/\">the MRC<\/a> to help you with this. 
If you are accessing <strong>pseudonymised data, this still counts as personal data<\/strong> and the lawful bases for processing it are required.\u00a0 If personal identifiers will be accessed <strong>at any point<\/strong> in processing the data, by yourself or a third party on your behalf, even if the ultimate output is anonymised, the lawful bases for processing personal data are still required.<\/p>\n<p><strong>Most applicants use the following legal bases:-<\/strong><\/p>\n<p style=\"padding-left: 40px\"><strong>For <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/lawful-basis-for-processing\/\">Processing Personal Data<\/a><\/strong><\/p>\n<p style=\"padding-left: 40px\">6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject.<\/p>\n<p style=\"padding-left: 80px\">Please cite the specific legislation that applies<\/p>\n<p style=\"padding-left: 40px\">\u00a06(1)(e) processing is necessary for the performance of a task carried out in the public interest.<\/p>\n<p style=\"padding-left: 40px\">\u00a0Other: if using another legal basis under article 6(1) please cite specific basis.<\/p>\n<p style=\"padding-left: 40px\"><strong>For processing <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/lawful-basis-for-processing\/special-category-data\/\">Special Category Data<\/a><\/strong><\/p>\n<p style=\"padding-left: 40px\">9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.<\/p>\n<p style=\"padding-left: 40px\">\u00a09(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting 
against serious cross-border threats to health or ensuring high standards of quality and safety of health care, and of medicinal products or medical devices.<\/p>\n<p style=\"padding-left: 40px\">\u00a09(2)(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1).<\/p>\n<p style=\"padding-left: 40px\">\u00a0Other: if using another legal basis please cite specific basis<\/p>\n<p><strong>Be aware, Scotland may have different legal requirements or policies in force from other UK home countries e.g. withdrawal of consent.<\/strong><\/p>\n<p><strong>Speak to your organisation data protection team.\u00a0<\/strong> They are there to protect you and the organisation.<\/p>\n<p><strong>3.2.04 and 3.3.01<\/strong>. Other approvals or agreements and ethical approval might be required for some applications.\u00a0 It is the responsibility of the applicant to ensure that these are in place.<\/p>\n<p>Overall, section 3 is your opportunity to describe how your study will work and show that it is a well-designed, safe, legal and beneficial project, all of which are key to it being approved.<\/p>\n<p><strong>Public engagement &#8211; See Public Engagement Resources<\/strong><\/p>\n<ul>\n<li>Have any lay people been involved in design? If not, why not?<\/li>\n<li>Do the public see the benefit in the sort of study you wish to do?<\/li>\n<li>Do they feel that the types of data requested are reasonable?<\/li>\n<\/ul>\n<p><strong>Peer review<\/strong><\/p>\n<ul>\n<li>Has anyone else looked at your proposal to see if there are flaws in design or analysis plan? 
If not, why not?<\/li>\n<\/ul>\n<p>Patient level data \u2013 if <b>pseudonymised<\/b>, still counts as <b>personal data <\/b>(ICO) and GDPR applies, even in a Safe Haven.<\/p>\n<p><strong>Other approvals<\/strong><\/p>\n<p>If processing data on behalf of another data controller, HSC-PBPP will want to see a <strong>Data Processing Agreement.<\/strong><\/p>\n<p>Approvals from outwith Scotland (e.g. CAG).<\/p>\n<p>Approvals from other data controllers for linkage to non-health data (also please be aware of their\/our time-scales).<\/p>\n<p><strong>Ethics<\/strong><\/p>\n<p>Has there been an ethical review?<\/p>\n<p>Non-research projects don\u2019t tend to need ethical opinion (e.g. Audits, service improvement etc.).<\/p>\n<p>If ticked research in 3.1.04, need to have some evidence of advice from Ethics or HRA algorithm for why you don\u2019t need an ethical opinion.<\/p>\n<p>Sometimes Tier 2 might ask for one anyway.<\/p>\n<p><strong>Links to the other sections<\/strong><\/p>\n<p style=\"margin: 0cm;margin-bottom: .0001pt;vertical-align: baseline\"><span style=\"font-family: 'Arial',sans-serif;color: #2b2b2b\">Section 1: <a href=\"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/ht-section-1people-involved\/\">People Involved<\/a><\/span><\/p>\n<p style=\"margin: 0cm;margin-bottom: .0001pt;vertical-align: baseline\"><span style=\"font-family: 'Arial',sans-serif;color: #2b2b2b\">Section 2: <a href=\"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/ht-section-2organisation\/\">Organisations &amp; Bodies<\/a><\/span><\/p>\n<p style=\"margin: 0cm;margin-bottom: .0001pt;vertical-align: baseline\"><span style=\"font-family: 'Arial',sans-serif;color: #2b2b2b\">Section 4: <a href=\"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/ht-section-4data-data-subjects-and-methodology\/\">Data, Data Subjects and Methodology<\/a>\u00a0<\/span><\/p>\n<p style=\"margin: 0cm;margin-bottom: .0001pt;vertical-align: baseline\"><span style=\"font-family: 
'Arial',sans-serif;color: #2b2b2b\">Section 5: <a href=\"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/knowledge-base-section-5safe-data-processing-and-security\/\">Safe Data Processing and Security<\/a><\/span><\/p>\n<p style=\"margin: 0cm;margin-bottom: .0001pt;vertical-align: baseline\"><span style=\"font-family: 'Arial',sans-serif;color: #2b2b2b\">Section 6: <a href=\"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/ht-section-6-outputs-and-dissemination\/\">Outputs and Dissemination<\/a>\u00a0<\/span><\/p>\n<p>Section 7: <a href=\"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/ht-section-7-declaration\/\">Declaration<\/a><\/p>\n<p>Here is an example of a completed <a href=\"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/wp-content\/uploads\/sites\/2\/2020\/07\/1819-9999-PBPP-Application-Tooth-Fairy.pdf\">HSC-PBPP Application<\/a> using fictional data.<\/p>\n<p>Back to <a href=\"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/test-phase-1-about-the-public-benefit-and-privacy-panel-for-health-and-social-care-what-does-it-do\/how-to-apply-2\/\">How to Apply<\/a><\/p>\n<p>Contact <span style=\"font-size: medium\"><span style=\"margin: 0px;color: #2b2b2b;font-family: 'Arial',sans-serif\">PHS <\/span><\/span>eDRIS Team <a href=\"mailto:phs.edris@phs.scot\">phs<u>.edris@phs.scot<\/u><\/a><\/p>\n<p><span style=\"margin: 0px;color: #2b2b2b;line-height: 115%;font-family: 'Arial',sans-serif;font-size: 11pt\">Full details of how we use your information, and how we maintain your right to privacy, can be found on the Public Health Scotland <\/span><span style=\"margin: 0px;line-height: 115%;font-family: 'Calibri',sans-serif;font-size: 11pt\"><a href=\"https:\/\/www.publichealthscotland.scot\/our-privacy-notice\/\"><span style=\"margin: 0px;color: #24890d;font-family: 'Arial',sans-serif\">Privacy and Cookies<\/span><\/a><\/span><span style=\"margin: 0px;color: #2b2b2b;line-height: 115%;font-family: 
'Arial',sans-serif;font-size: 11pt\"> page.<\/span><\/p>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Information about the project Background \/ Aims \/ Methods \/ Study design Clear description and objectives in lay terms Tier 1 reviewers are not researchers HSC-PBPP scrutinise applications across every discipline Will data requested fulfil the objectives? Be clear about data requested Data requested can only be provided for processing data for specific purposes (UKGDPR &hellip; <a href=\"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/ht-section-3overview\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Knowledge Base Section 3:Overview<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"parent":0,"menu_order":12,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-885","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/wp-json\/wp\/v2\/pages\/885","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/wp-json\/wp\/v2\/comments?post=885"}],"version-history":[{"count":38,"href":"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/wp-json\/wp\/v2\/pages\/885\/revisions"}],"predecessor-version":[{"id":4538,"href":"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/wp-json\/wp\/v2\/pages\/885\/revisions\/4538"}],"wp:attachment":[{"href":"https:\/\/www.informationgovernance.scot.nhs.uk\/pbpphsc\/wp-json\/wp
\/v2\/media?parent=885"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}