Skip to content

PBPP Approval Pathway

Find out if your project requires approval from a Public Benefit and Privacy Panel (PBPP) and the training requirements for this pathway.

Illustration of two people reading long scrolls of paper. There are more scrolls piled around them,

PBPP Approval Pathway 

Currently, most applications for data access follow the PBPP Approval Pathway. Applications for data access are assessed by either the Health and Social Care Public Benefit and Privacy Panel (HSC-PBPP) or the SG & NRS Data Access Panel, previously known as the Statistics Public Benefit and Privacy Panel (S-PBPP).

Although all project enquiries should be made using our enquiry page, full applications following the PBPP Approval Pathway are not made through our online application system. eDRIS continues to support projects that require PBPP approval but these applications will follow the same procedure as before. 

To find out if eDRIS can support your project, head to our enquiry page. You’ll be asked a few questions about your data needs to ensure the service is right for you. After this, we’ll ask you to provide more detail about your project. A member of the eDRIS team will then get in touch to discuss your project and guide you through the appropriate pathway. 

Funding requirements

Please note that, while you do not need funding in place before submitting an enquiry, you will need to have secured funding before engaging eDRIS services beyond the initial feasibility enquiry. This applies to both applications made through the PBPP Approval Pathway and the RAS Approval Pathway.

HSC-PBPP Information Governance

The Health and Social Care Public Benefit and Privacy Panel (HSC-PBPP) undertakes information governance scrutiny of requests to access NHS Scotland (NHSS) or NHS Central Register (NHSCR) originated data for a variety of purposes. You must complete an application if your research project requires any NHSS originated data relating to individuals, derived from information relating to individuals, or of a sensitive nature.

Researchers should familiarise themselves with the guidance on applying for HSC-PBPP approval (Word document download), which outlines the application and approvals process, as well as required information governance (IG) training. See below for additional information on IG training.

Mandatory training for the PBPP pathway

Data providers will require researchers to complete specific training courses before accessing secure data through the PBPP pathway. (For the RAS pathway, applicants must have accredited researcher status.)

Mandatory training will vary depending on the type of data a researcher needs. Some data providers will include a list of approved courses in their guidance notes and/or application forms. Researchers should check with their data provider to determine which course they must complete.

In general, researchers will be expected to complete and provide proof of information governance and data protection training. Find details on common training modules and requirements for different panel permissions below. 

Information governance (IG) training

Evidence of IG training is an important aspect of all data access applications, providing assurance that individuals are aware of the privacy, confidentiality, data protection and Caldicott implications of working with personal health data. IG training is typically mandatory in NHSS boards and if you have a contract or honorary contract with an NHSS board, you should have undertaken IG training.

For requests made through the HSC-PBPP, IG training must be updated every three years, regardless of the timeframe for which a training provider ascribes validity. All researchers accessing secure data must have valid IG training throughout the duration of their project. If your IG training will expire before your HSC-PBPP approval expires, your training must be renewed in sufficient time to continue to access the data.

Details of selected approved IG training courses are below. Please note this list is not exhaustive and panels may accept other trainings. Please see individual panel guidance for further details.

Medical Research Council (MRC) online training: Research, GDPR and confidentiality

The Medical Research Council (MRC) offers the free online training course “Research, GDPR and confidentiality – what you really need to know,” which comprises a series of 10 bite-sized e-learning modules accompanied by supplementary resources and a quiz. To access this training and quiz, you must first register for an account.

Applicants should go through all the modules and pass the quiz. Each module has a dotted box next to it. A tick will appear in this box when the module has been completed. Screenshots of these ticked boxes should be sent to your eDRIS Research Coordinator alongside the certificate showing that you have passed the quiz.

Office for National Statistics Safe Researcher Training (ONS-SRT)

The four-hour online course ONS Safe Researcher Training is offered in Scotland every month jointly by eDRIS and SCADR. On this course, you will gain an understanding of the different types of Statistical Disclosure and learn about different statistical techniques to deal with them. You will learn the importance of protecting confidentiality and the about the Five Safes framework, which many data providers use to keep data safe.

Please note that while the training provider states that this training is valid for five years, the HSC-PBPP still requires IG training to be updated every three years. Therefore, you will need to renew your ONS-SRT training by passing the online test again at the three-year mark.

SCADR provides further guidance on the ONS-SRT, including how to apply for this training and available dates, linked in the section below. 

SCADR training guidance for researchers

The Scottish Centre for Administrative Data Research (SCADR) website provides guidance on training researchers will need to complete when applying for access to administrative data through the PBPP pathway.

SCADR offers specific guidance on accessing the following two courses:

Additional approvals you may need

In addition to meeting the above conditions and applying for data access through the Public Benefit and Privacy Panel (PBPP), researchers will occasionally require additional approvals depending on the type of secure data required for their projects. Please note the following list is not exhaustive. You should always check with your local organisation to gauge if additional approvals are needed.

Ethical/Research Ethics Committee (REC) approval

Ethical approvals are not specific to research but may be required for your study if applying through the PBPP pathway. It is best to check with your local ethics committee to confirm this. If you are performing an audit, as opposed to research, you will not require ethical approval.

For secondary analysis of NHS Scotland data, eDRIS can facilitate research that meets the criteria below because Public Health Scotland has sought and achieved a favourable ethical opinion from the East of Scotland NHS Research Ethics Service. To meet the conditions, the research study should: 

  1. be in the field of health or social care research; 
  2. not involve any contact with research participants/subjects; 
  3. have undergone scientific peer review; 
  4. include data held in and accessed via the Scottish National Safe Haven; 
  5. be carried out by UK based researchers only 

Please note that the eDRIS team must submit an annual report to the NHS Research Ethics Service that documents all studies that have been undertaken using national level, de-identified data for health and social care research.

R&D approval

If your research involves the use of any resources from a territorial health board, then R&D approvals may be required, and you should approach relevant R&D office for confirmation. If your study requires data held only at national level by PHS, R&D approval from your local health board is not required.

Caldicott approval

You will not have to apply to the NHS Scotland Public Benefit and Privacy Panel (PBPP) if you are an NHS Board employee requesting a data extract of patients resident in your NHS Board area or patients treated within your NHS Board area. Instead, you will be asked to complete a confidentiality statement and obtain a signature from your local Caldicott Guardian or Medical Director.

Approvals from other nations

Approvals from other nations in the UK might be necessary if a project is being conducted with patient data from other nations. Your eDRIS Research Coordinator will be able to further advise on necessary approvals if this is the case. 

What are your data needs?

Answer a few short questions to determine whether we can help you with your project.

Begin an enquiry
Illustration of a filing cabinet with numbers spilling out of an open drawer.

Related content

Illustration of a desktop computer with two keys on the screen.

Pre-application checklist

Understand what is involved in a data access request and how to complete the initial enquiry form.

Complete the checklist

Help shape our Researcher Access Service

Interested in supporting the development of the Researcher Access Service and helping us shape our work?

Join our engagement contact list
Illustration of an envelope with a letter sticking out and a mobile phone with a person