1. Safe People
A researcher or clinician from the South-East Scotland region, wishing to access any of the datasets must follow an approved application process and complete relevant training as described within the Charter for Safe Havens in Scotland definition of an approved researcher. This requires applicants to meet a number of key criteria to ensure their purpose and interest is both legitimate and appropriate.
2. Safe Projects
Each project goes through careful scrutiny by NHS employees trained in data privacy, to ensure the request is appropriate, proportionate and in the public interest. Then, depending on the specific purpose and data of the project, approvals may be required from: an independent ethics panel; a national Research Ethics Committee; or Caldicott Guardian. Every project is reviewed by our Public Reference Group to assess societal value and as feedback for the previously mentioned NHS employees in their initial assessment stage.
The legal provisions around processing health data are detailed within the NHS Lothian Privacy Notice.
More about our Public Reference Group
3. Safe Data
We do not share identifiable data outside of the NHS.
Data accessed by researchers are de-identified, meaning that aspects that can directly identify an individual (like names, addresses, and date of birth) are removed. Before giving access to researchers, we also check the data so that someone’s identity is unlikely to be inferred, for example from a rare condition or unique combination of information. We take steps to avoid this kind of inferred identification, for example aggregating information into ranges (e.g. between ages 25-50) or withholding data. This process is called pseudonymisation. While the process varies with every project, it is designed to minimise the risk of anyone being able to identify individuals represented in the data.
Project data extracts are archived and deleted according to legislative record management policies.
4. Safe Settings
All data hosted by DataLoch are housed within a secure NHS Lothian IT infrastructure. Once projects and users are approved, the necessary data are supplied to researchers either within NHS Lothian to specified staff, or accessed through the secure Scottish National Safe Haven facility managed by the eDRIS team within Public Health Scotland, hosted by the EPCC at the University of Edinburgh. Researchers can only access approved data directly related to their project using two-factor authentication, and this data cannot leave the secure environment (i.e. it cannot be downloaded to a particular computer or other device).
5. Safe Outputs
Once a researcher has completed their analysis and produced summary data that they wish to remove from the secure Scottish National Safe Haven environment, they can only do so following scrutiny by a DataLoch analyst. The analyst double-checks the proposed outputs to ensure that any risk of disclosure has been mitigated. Once scrutinised and satisfied, the results can then be released to the researcher.
NHS Lothian, as lead Data Controller has robust legal agreements with the University of Edinburgh as a data processor and with contributing data providers. These agreements describe how the data can be treated. All approved projects led by researchers also have agreements with DataLoch that describe their responsibilities in keeping data safe.