Skip to content

Researcher approvals and training

Find details about approved organisations and mandatory training for researchers below.


Researchers requiring access to secure datasets will need to remain affiliated with an approved organisation and ensure that their training remains valid throughout the length of their projects. On this page, you'll find details on approved organisations in the UK, mandatory training for researchers and additional approvals that may be required for your project.

Approved organisations

One of the conditions for researchers to gain direct access to secure data is institutional affiliation. You must remain employed or affiliated with an approved organisation throughout the length of your research project.

Approved organisations are currently limited to UK-based public sector organisations, namely, select universities, the NHS, Local Authorities and the Scottish Government. Researchers from other organisations, including commercial and industry, can partner with an approved institution or the eDRIS team for analyses to be carried out on their behalf.

More information on approved institutions can be found on the eDRIS website under 'People affiliated with a trusted organisation'.

If you are a researcher affiliated with an approved UK organisation, use our pre-application checklist to see if you have everything you need to apply for secure access to data. 

Researcher training and panel permissions

Data providers will require researchers to complete specific training courses before accessing secure data. Mandatory training will vary depending on the type of data a researcher needs. Some data providers will include a list of approved courses in their guidance notes and/or application forms. Researchers should check with their data provider to determine which course they must complete.

In general, researchers will be expected to complete and provide proof of information governance and data protection training. Find details on common training modules and requirements for different panel permissions below. 

HSC-PBPP training and guidance for researchers

The Health and Social Care Public Benefit and Privacy Panel (HSC-PBPP) undertakes information governance scrutiny of requests to access NHS Scotland (NHSS) or NHS Central Register (NHSCR) originated data for a variety of purposes. You must complete an application if your research project requires any NHSS originated data relating to individuals, derived from information relating to individuals, or of a sensitive nature.

Researchers should familiar themselves with the guidance on applying for HSC-PBPP approval (Word document download), which outlines the application and approvals process, as well as required information governance (IG) training.  

Information governance (IG) training

Evidence of IG training is an important aspect of all data access applications, providing assurance that individuals are aware of the privacy, confidentiality, data protection and Caldicott implications of working with personal health data. IG training is typically mandatory in NHSS boards and if you have a contract or honorary contract with an NHSS board, you should have undertaken IG training.

HSC-PBPP requests that IG training is updated every three years, regardless of the timeframe for which a training provider ascribes validity. All researchers accessing secure data must have valid IG training throughout the duration of their project. If your IG training will expire before your HSC-PBPP approval expires, your training must be renewed in sufficient time to continue to access the data.

Details of selected approved IG training courses are below. Please note this list is not exhaustive and panels may accept other trainings. Please see individual panel guidance for further details.

Medical Research Council (MRC) online training: Research, GDPR and confidentiality

The Medical Research Council (MRC) offers the free online training course “Research, GDPR and confidentiality – what you really need to know,” which comprises a series of 10 bite-sized e-learning modules accompanied by supplementary resources and a quiz. To access this training and quiz, you must first register for an account.

Applicants should go through all the modules and pass the quiz. Each module has a dotted box next to it. A tick will appear in this box when the module has been completed. Screenshots of these ticked boxes should be sent to your eDRIS Research Coordinator alongside the certificate showing that you have passed the quiz.

Office for National Statistics Safe Researcher Training (ONS-SRT)

The 4-hour online course ONS Safe Researcher Training is offered in Scotland every month jointly by eDRIS and SCADR. On this course, you will gain an understanding of the different types of Statistical Disclosure and learn about different statistical techniques to deal with them. You will learn the importance of protecting confidentiality and the about the Five Safes framework, which many data providers use to keep data safe.

Please note that while the training provider states that this training is valid for five years, the HSC-PBPP still requires IG training to be updated every three years. Therefore, you will need to renew your ONS-SRT training by passing the online test again at the three-year mark.

SCADR provides further guidance on the ONS-SRT, including how to apply for this training and available dates, linked in the section below. 

SCADR training guidance for researchers

The Scottish Centre for Administrative Data Research (SCADR) website provides guidance on training researchers will need to complete when applying for access to administrative data. This guidance will shortly be updated.

SCADR offers specific guidance on accessing the following two courses:

Additional approvals you may need

In addition to meeting the above conditions and applying for data access through the Public Benefit and Privacy Panel (PBPP), researchers will occasionally require additional approvals depending on the type of secure data required for their projects. Please note the following list is not exhaustive. You should always check with your local organisation to gauge if additional approvals are needed.

Ethical/Research Ethics Committee (REC) approval

Ethical approvals are not specific to research but may be required for your study. It is best to check with your local ethics committee to confirm this. If you are performing an audit, as opposed to research, you will not require ethical approval.

For secondary analysis of NHS Scotland data, eDRIS can facilitate research that meets the criteria below because Public Health Scotland has sought and achieved a favourable ethical opinion from the East of Scotland NHS Research Ethics Service. To meet the conditions, the research study should: 

  1. be in the field of health or social care research; 
  2. not involve any contact with research participants/subjects; 
  3. have undergone scientific peer review; 
  4. include data held in and accessed via the Scottish National Safe Haven; 
  5. be carried out by UK based researchers only 

Please note that the eDRIS team must submit an annual report to the NHS Research Ethics Service that documents all studies that have been undertaken using national level, de-identified data for health and social care research.

R&D approval

If your research involves the use of any resources from a territorial health board, then R&D approvals may be required, and you should approach relevant R&D office for confirmation. If your study requires data held only at national level by PHS, R&D approval from your local health board is not required.

Caldicott approval

You will not have to apply to the NHS Scotland Public Benefit and Privacy Panel (PBPP) if you are an NHS Board employee requesting a data extract of patients resident in your NHS Board area or patients treated within your NHS Board area. Instead, you will be asked to complete a confidentiality statement and obtain a signature from your local Caldicott Guardian or Medical Director.

Approvals from other nations

Approvals from other nations in the UK might be necessary if a project is being conducted with patient data from other nations. Your eDRIS Research Coordinator will be able to further advise on necessary approvals if this is the case. 

More resources

eDRIS researcher support services

Discover how we work together with our eDRIS colleagues to provide data access support.

Discover eDRIS support

Information governance for researchers

Discover key principles and legal considerations of information governance (IG) when accessing data.

Learn about IG

Trusted Research Environments

There are a range of trusted research environments (TREs) in Scotland providing access to secure data. 

Find out more about TREs

Research data security

Find help for navigating data security as you work with secure and sensitive data for your research project.

Learn about data security

Research for public good

Learn about the concept of public good and how research projects must deliver clear benefit to the public.

Learn about public good

Terminology for researchers

Our list of common terms will help you understand more about how public sector data is used for research.

Learn the terminology

Was this information helpful?