A conversation with eDRIS: Part 2

In Part 1 of our conversation with the Electronic Data Research and Innovation Service (eDRIS), we heard from Research Coordinator (RC) Jules. In the post, Jules described what a typical day might look like for an RC. The idea of the post was to provide researchers with an insight into what the job of an RC involves. Overall, my hope was that having this insight might help to better align researchers and RC’s understanding of what one another are doing on a daily basis. In this post, I reflect on the goings on of Jules’s day and ask Jules some follow up questions.

If you want to skip through to any specific questions – for example skip right to the end for some Top-tips!!!- then click on the question headings below:

Post Contents: 

  1. Q: How many projects does an RC normally have on the go at once? 
  2. Q: Are there instances where you would arrange meetings with researchers to have discussions about their projects?
  3. Q: What are the most common issues you see with SDC requests from researchers? Equally, what does the perfect SDC request look like?
  4. Q: Can you quickly explain the difference between HSCPBPP and SPBPP?
  5. Q: How often is it that you, as an RC, would flag up to researchers that their training is about to expire? Is this something you routinely check for?
  6. Q: Is there any kind of trouble shooting list that researchers can refer to before they contact their RC in panic?
  7. Q: Is there somewhere that researchers can see what the rules are around proportionate governance issued by HSC-PBPP?
  8. Q: What’s the most common email template you use?
  9. Q: Would these things not have been flagged during RC and researcher discussions prior to submission? But in any case, would you say these are the most common queries that come back from the panel?
  10. Q: Why are approved PBPP’s are not readily accessible to the public?
  11. Q: What would be the top three bits of advice that you would give researchers whilst they make their way through the process of applying for and using administrative data in their research?

The first thing that jumped out at me was the number of projects you said you would be working on at one time. Twenty-five seems like a lot to be juggling at once.

1: How many projects does an RC normally have on the go at once? 

Twenty-five is actually at the lower end of the scale for us. When demand is really high, it’s not unusual for RCs to carry up to 40 live projects and also deal with up to 20 enquiries on potential projects!

Back to contents.

It also struck me that the primary way that you communicate with researchers is via email. I guess this is important to maintain a paper trail of decisions etc.

2: Are there instances where you would arrange meetings with researchers to have discussions about their projects?

Yes we frequently arrange phone calls to discuss issues. Like a lot of people, many of us are working from home and this has sped up the adoption of remote working tools. For Public Health Scotland, we have access to MS Teams and we are using this more and more for meetings with researchers. As a former researcher, I am aware of the need to plan research carefully. Now with my role in eDRIS, I am aware of potential issues that researchers may not think of early on. We do try to have meetings with researchers early on, even before permissions applications start, mainly to ascertain if the data requests are feasible. It may seem like we don’t respond quickly, and, though this can be true, I hope part 1 of this blog has given a little bit of insight into some of the reasons for this!

Back to contents.

Statistical Disclosure Control (SDC) is clearly one of the routine things you guys are dealing with and you mentioned that you might look at Helen’s first because hers are usually filled in properly and explained well. Researchers should obviously read the NSH Requesting Outputs SDC Booklet to make sure they are requesting things in the correct way.

3: What are the most common issues you see with requests from researchers? Equally, what does the perfect SDC request look like?

It doesn’t need to be perfect. We get that researchers are busy juggling competing demands so the request just needs to be good enough so that the reader can understand the context enough to assess easily. The framework eDRIS operates under is what is called the ‘Five Safes’. This is a way to model the whole process, from permissions through to outputs. The basic principle is to break projects into five themes: Safe People, Safe Projects, Safe Setting, Safe Data and Safe Outputs. SDC requests fall into this last theme. When we look at outputs we are asking ourselves if there is any risk of disclosing confidential information from this output. We have to judge several things: Does this output disclose anything on its own, does this output in conjunction with other data that may be available increase the risk of disclosure and lastly, what is the damage that would be done if something were disclosed.

Output checking requires us to have a good working relationship with our researchers, as we may ask them to do something that they don’t agree with. With all that in mind, a good enough output would be one where we, as output checkers, can look at it and say “Ah, there’s a title, clearly labelled, acronyms expanded, this researcher has explained all of the outputs clearly to a non-specialist, there’s enough information in this file for me to understand what I’m looking at and make an informed assessment, and where there are disclosure risks, they have mitigated against them and provided an explanation of what has been done, and they have asked us only for the most important outputs for their research” If we can see all of these, then output checking becomes a routine check for us and outputs, I can’t emphasise this enough, are released much quicker. We know that us asking researchers to look at outputs again is frustrating, as it’s also frustrating and time-consuming for us (we don’t like going back to researchers either…).

Over time, if the outputs from researchers are easy for us to check, we trust that researcher more, and it will be easier and quicker for their outputs to be released.

Back to contents.

The ‘quick-question’ from James that turned out not to be a quick question tickled me. I think it highlights the differences in understanding about the processes and …. between researchers and eDRIS. What seems like a quick question to us, often isn’t so quick from your perspective. I’m not sure I can think of an immediate solution to this miss-match, but hopefully bits and pieces of this blog post can go some way in helping. You mentioned in your response to James, the HSCPBPP and the SPBPP.

4: Can you quickly explain the difference between HSCPBPP and SPBPP?

The Health and Social Care Public Benefit and Privacy Panel (HSC PBPP) and the Statistics Public Benefit and Privacy Panel (SPBPP) are the main bodies, we interact with, that assess project applications and decide whether permissions are given to access confidential data. The difference is HSC PBPP represent NHS Scotland so decide on applications to access NHS Scotland datasets, and SPBPP represent the Scottish Government (SG), and decide on applications where the researchers want to access e.g. Census data or Education data. Where the project intends to link NHS Scotland and SG data, applications to both panels are required.

Back to contents.

Information Governance (IG) – unsurprisingly- also came up a lot in your account of your day. One of the recurring issues was researchers (and your own) IG training expiring. You also noted that the expiration dates are different for different data controllers. Of course, it is a researcher’s responsibility to ensure their IG training is up to date and if their IG training certificate expires during the course of their project they must obtain new IG training within two weeks of the expiry date and provide eDRIS with the new certificates.

5: How often is it that you, as an RC, would flag up to researchers that their training is about to expire? Is this something you routinely check for?

As you say, this is the responsibility of the researchers. However, as we are also responsible for ensuring researchers meet the conditions of their permissions, we do make sure that IG training is still valid. For projects using the safe haven, we set accounts to be disabled on the IG training expiry date. In tandem with this measure RCs also periodically remind researchers that their training is due to lapse to avoid the situation where the researcher contacts us to let us know they can’t access the safe haven! Obviously this is not ideal, as it adds delays while training is renewed, so it’s far better that researchers take responsibility for being aware that their training is up to date Again I don’t have any wonderful solution that comes to mind at the moment but there must be some simple steps researchers can take to make sure we don’t end up in the position where our IG training is about to expire and we haven’t planned to get updates (i.e. by booking onto a Safe Researcher Training course). Something as simple as setting a calendar reminder when we first do and pass our training?! Or maybe a month in the year where we encourage researchers to check- Information Governance Ganuary?! This has actually prompted me to check mine…

Back to contents.

Another thing you mentioned that made me laugh (though understandably this might not be so funny to you…) was the email from Bob to ask if you can help because he couldn’t access the safe haven. I can relate to this entirely: you try to log in and it doesn’t work. Mild panic – you promised your boss/supervisor to run some analysis that day. You frantically send an email to your RC begging for them to help. Then you realise it’s your own fault and you’ve jumped the gun in reaching out for help. You immediately feel bad and send another email to apologise and ask the RC to please ignore the first email.

6: Is there any kind of trouble shooting list that researchers can refer to before they contact their RC in panic? I suppose this might minimise the frequency of the scenarios like the one you mention arising.

The main reasons we see for safe haven access are actually forgotten passwords, but this is usually obvious to the user!The first thing to be aware of is the safe haven web page is only accessible from recognised IP addresses, which are always associated with your host institution (e.g. the University). If you are not in the office (true for most people nowadays!), make sure you are on the university VPN. This will give an ‘Access Denied’ message if the IP address is not recognised.The least common issue is with the two-factor authentication PIN codes. The system used for the 2FA PINs very rarely fails (only once that I am aware of!), so if PINs are not being received, it’s usually something else. The most common reason is the user has entered the wrong username, these are different from the subsequent logins and researchers sometimes forget. The next most common reason is lack of mobile phone signal. If you have not received a PIN, check these first.
Finally, if you are not sure, just ask us!

Back to contents.

You also mentioned that some requests can be processed by yourself (i.e. the RC) under the proportionate governance rules issued by HSC-PBPP.

7: Is there somewhere that researchers can see what the rules are around proportionate governance issued by HSC-PBPP?

If we knew which of our requests would need to be sent for higher approval then we might reassess the situation and work out what is the best approach to take before coming to you with something that you then need to explain needs higher authorisation. This would be especially useful in cases where time constraints are tight for research projects. I suppose this comes back partly to understanding what is a ‘quick-question’ and what isn’t.

The governance around amendments is always evolving, so these rules are given to us as guidelines. RCs still frequently ask the panel mangers for advice! This is purely because of the diversity of projects, so I think it would be difficult to pin down every scenario and how each may be treated by the panel and eDRIS. The best way for researchers to figure out which amendments are the least controversial is to ask their RC! Another source of information is the amendment request form available from the HSC PBPP website, in conjunction with the guidance for applicants document, also available from the same website.

Back to contents.

It’s interesting to know that you have template responses for certain things. I guess in themselves they might indicate which are the typical ‘issues’ that arise.

8: What’s the most common email template you use?
The most common template, by far, is to ask researchers to complete a new enquiry form. Internally, the most common template is the safe haven password reset form… Since I wrote this article, eDRIS have developed, and continue to develop new tools, which has reduced the number of template emails we have had to use. It would be interesting to hear if researchers have noticed changes in the safe haven password reset processes, as this is now relatively painless for us!

Back to contents.

The request back from the PBPP with further questions really surprised me. The issues raised were:

1) Please provide a clear data flow diagram
2) Please provide a Data Privacy Impact Assessment or evidence that one is not needed. Your data protection officer should be able to offer advice.
3) Please provide evidence of public involvement in the research design
4) Please ensure your lay proposal is clearer to those with no experience of research
5) Please ensure anyone named in 1.1 to 1.5 of the PBPP form have valid IG training, there is a list in the ‘Guidance for Applicants’ available from the PBPP website.
…”

These are all things that the researcher should have done before submission. You even suggested that this is a regular kind of feedback from the panel.

9: Would these things not have been flagged during RC and researcher discussions prior to submission? But in any case, would you say these are the most common queries that come back from the panel?

These issues will have been flagged by RCs before submission, but RCs can only offer advice, and it’s up to the researchers whether they choose to implement these! Most applications have at most, one or two of these items in feedback from the panels. It’s worth remembering that the majority of the applicants to eDRIS are first time applicants from a huge variety of backgrounds and will not have had to do anything like this before. As a researcher, a role I was in for many years myself, your focus is on the scientific or methodological merit of your research. Being asked to think of wider issues can be difficult to get right first time. I am guessing that this is a major factor in accounting for the frequency of these issues being highlighted. My advice would be to pay attention to the advice that your RC gives you (and read the guidance documents when you are completing the application form). I would say the data flow diagram is probably the most important piece of information to get right. This needs to show the source of the data (usually the individual records in a dataset), and each step in the journey from there to the place where researchers will access the final dataset. Once that is pinned down, it’s much easier for eDRIS to figure out what needs done, and for the panel to see where any risks are.

Back to contents.

I’ve applied to PBPP several times so I like to think I am quite familiar with the application. But if you are a new researcher then there are plenty of resources out there to help you fill it in. Including guidance on the PBPP website, an eCRUSADers blog post (this includes links to an example PBPP and DPIA).

10: Why are approved PBPP’s are not readily accessible to the public? I think this would improve transparency in the use of public/patient data, but also help avoid situations where researchers submit incomplete applications. Although all projects are different, it can often help to see what a successful application looks like, even if it is in an unrelated research project.

Do you have any view on this?

While a good idea in principle, the PBPPs contain confidential data! As an example, researchers’ emails, work addresses, professional registration numbers, signatures to name just a few. PHS have to process these under the same laws (GDPR, Data Protection Act) that we treat e.g. patient and employee records. I believe the eCRUSADers website has a link to the ‘Tooth Fairy’ application. I would recommend this as a resource for researchers to see what a complete application would look like. For transparency, PBPP publish abbreviated lists of approved projects and end of project summaries provided by applicants once projects are completed; these are available on the HSC PBPP website.

Back to contents.

Overall, it’s interesting to see the overlap between the challenges we face: expiring passwords and IG training, safe haven outages. Not to mention the barrage of emails coming in regarding different projects. I guess most researchers (at least academic researchers) are in a similar position in that they are often juggling research on several projects alongside other things like teaching and administrative responsibilities.

11: What would be the top three bits of advice that you would give researchers whilst they make their way through the process of applying for and using administrative data in their research?

This is a tricky one, however, I will do my best!

1) Listen to your RC! We are well aware of the more problematic issues, but we usually have solutions to these. We can only offer advice, but we give this advice to help, not to make people’s lives difficult. We appreciate the governance arrangements are complex and can be confusing (see no 2 in this list), but we want to help.

2) Try to understand your project from the data controllers’ point of view. Data controllers want their data to be used for good, but they are also obliged by law to protect the privacy of the individuals whose data they hold. This applies from the moment you apply for access, right through to the point you request outputs for publication. RCs can help, but I would also recommend making use of the Information Commissioners website to understand data controllers’ obligations with regards to personal data.

3) Ask your peers and eDRIS. There are researchers and RCs that have many years of experience using administrative data in research. Your eCRUSADers website is a fantastic initiative.

If I could add a ‘bonus’ tip, please also let us know what causes you, as a researcher, the most pain. If it causes you pain, it causes us pain! We can’t promise to make swift changes, but we will do our best.

Back to contents.

Thanks again Jules for taking the time to talk to eCRUSADers over these last two posts. It has been great to get an insight into the day in the life of an RC and overall I hope that this conversation will improve the working relationship between eDRIS and the researchers who apply to use health data in their research going forward.

Leave a Reply

Your email address will not be published. Required fields are marked *