Researcher approvals and training

Approved organisations

One of the conditions for researchers to gain direct access to secure data is institutional affiliation. You must remain employed or affiliated with an approved organisation throughout the length of your research project.

Approved organisations are currently limited to UK-based public sector organisations, namely, select universities, the NHS, Local Authorities and the Scottish Government. Researchers from other organisations, including commercial and industry, can partner with an approved institution or the eDRIS team for analyses to be carried out on their behalf.

More information on approved institutions can be found on the eDRIS website under 'People affiliated with a trusted organisation'.

If you are a researcher affiliated with an approved UK organisation, use our pre-application checklist to see if you have everything you need to apply for secure access to data. 

Researcher training and panel permissions

Data providers will require researchers to complete specific training courses before accessing secure data. Mandatory training will vary depending on the type of data a researcher needs. Some data providers will include a list of approved courses in their guidance notes and/or application forms. Researchers should check with their data provider to determine which course they must complete.

In general, researchers will be expected to complete and provide proof of information governance and data protection training. Find details on common training modules and requirements for different panel permissions below. 

HSC-PBPP training and guidance for researchers

The Health and Social Care Public Benefit and Privacy Panel (HSC-PBPP) undertakes information governance scrutiny of requests to access NHS Scotland (NHSS) or NHS Central Register (NHSCR) originated data for a variety of purposes. You must complete an application if your research project requires any NHSS originated data relating to individuals, derived from information relating to individuals, or of a sensitive nature.

Researchers should familiar themselves with the guidance on applying for HSC-PBPP approval (Word document download), which outlines the application and approvals process, as well as required information governance (IG) training.  

Information governance (IG) training

Evidence of IG training is an important aspect of all data access applications, providing assurance that individuals are aware of the privacy, confidentiality, data protection and Caldicott implications of working with personal health data. IG training is typically mandatory in NHSS boards and if you have a contract or honorary contract with an NHSS board, you should have undertaken IG training.

HSC-PBPP requests that IG training is updated every three years, regardless of the timeframe for which a training provider ascribes validity. All researchers accessing secure data must have valid IG training throughout the duration of their project. If your IG training will expire before your HSC-PBPP approval expires, your training must be renewed in sufficient time to continue to access the data.

Details of selected approved IG training courses are below. Please note this list is not exhaustive and panels may accept other trainings. Please see individual panel guidance for further details.

Medical Research Council (MRC) online training: Research, GDPR and confidentiality

The Medical Research Council (MRC) offers the free online training course “Research, GDPR and confidentiality – what you really need to know,” which comprises a series of 10 bite-sized e-learning modules accompanied by supplementary resources and a quiz. To access this training and quiz, you must first register for an account.

Applicants should go through all the modules and pass the quiz. Each module has a dotted box next to it. A tick will appear in this box when the module has been completed. Screenshots of these ticked boxes should be sent to your eDRIS Research Coordinator alongside the certificate showing that you have passed the quiz.

Office for National Statistics Safe Researcher Training (ONS-SRT)

The 4-hour online course ONS Safe Researcher Training is offered in Scotland every month jointly by eDRIS and SCADR. On this course, you will gain an understanding of the different types of Statistical Disclosure and learn about different statistical techniques to deal with them. You will learn the importance of protecting confidentiality and the about the Five Safes framework, which many data providers use to keep data safe.

Please note that while the training provider states that this training is valid for five years, the HSC-PBPP still requires IG training to be updated every three years. Therefore, you will need to renew your ONS-SRT training by passing the online test again at the three-year mark.

SCADR provides further guidance on the ONS-SRT, including how to apply for this training and available dates, linked in the section below. 

SCADR training guidance for researchers

The Scottish Centre for Administrative Data Research (SCADR) website provides guidance on training researchers will need to complete when applying for access to administrative data. This guidance will shortly be updated.

SCADR offers specific guidance on accessing the following two courses:

• Office for National Statistics Safe Researcher Training (ONS-SRT) 
• An Introduction to Data Science for Administrative Data Research (IDS-ADR) 

Additional approvals you may need

In addition to meeting the above conditions and applying for data access through the Public Benefit and Privacy Panel (PBPP), researchers will occasionally require additional approvals depending on the type of secure data required for their projects. Please note the following list is not exhaustive. You should always check with your local organisation to gauge if additional approvals are needed.

Ethical/Research Ethics Committee (REC) approval

Ethical approvals are not specific to research but may be required for your study. It is best to check with your local ethics committee to confirm this. If you are performing an audit, as opposed to research, you will not require ethical approval.

For secondary analysis of NHS Scotland data, eDRIS can facilitate research that meets the criteria below because Public Health Scotland has sought and achieved a favourable ethical opinion from the East of Scotland NHS Research Ethics Service. To meet the conditions, the research study should: 

1. be in the field of health or social care research; 
2. not involve any contact with research participants/subjects; 
3. have undergone scientific peer review; 
4. include data held in and accessed via the Scottish National Safe Haven; 
5. be carried out by UK based researchers only 

Please note that the eDRIS team must submit an annual report to the NHS Research Ethics Service that documents all studies that have been undertaken using national level, de-identified data for health and social care research.

R&D approval

If your research involves the use of any resources from a territorial health board, then R&D approvals may be required, and you should approach relevant R&D office for confirmation. If your study requires data held only at national level by PHS, R&D approval from your local health board is not required.

Caldicott approval

You will not have to apply to the NHS Scotland Public Benefit and Privacy Panel (PBPP) if you are an NHS Board employee requesting a data extract of patients resident in your NHS Board area or patients treated within your NHS Board area. Instead, you will be asked to complete a confidentiality statement and obtain a signature from your local Caldicott Guardian or Medical Director.

Approvals from other nations

Approvals from other nations in the UK might be necessary if a project is being conducted with patient data from other nations. Your eDRIS Research Coordinator will be able to further advise on necessary approvals if this is the case.