
A conversation with eDRIS: Part 2

In Part 1 of our conversation with the Electronic Data Research and Innovation Service (eDRIS), we heard from Research Coordinator (RC) Jules. In the post, Jules described what a typical day might look like for an RC. The idea of the post was to provide researchers with an insight into what the job of an RC involves. Overall, my hope was that having this insight might help to better align researchers’ and RCs’ understanding of what one another are doing on a daily basis. In this post, I reflect on the goings-on of Jules’s day and ask Jules some follow-up questions.

If you want to skip through to any specific questions (for example, skip right to the end for some top tips!), then click on the question headings below:

Post Contents: 

  1. Q: How many projects does an RC normally have on the go at once? 
  2. Q: Are there instances where you would arrange meetings with researchers to have discussions about their projects?
  3. Q: What are the most common issues you see with SDC requests from researchers? Equally, what does the perfect SDC request look like?
  4. Q: Can you quickly explain the difference between HSCPBPP and SPBPP?
  5. Q: How often is it that you, as an RC, would flag up to researchers that their training is about to expire? Is this something you routinely check for?
  6. Q: Is there any kind of troubleshooting list that researchers can refer to before they contact their RC in panic?
  7. Q: Is there somewhere that researchers can see what the rules are around proportionate governance issued by HSC-PBPP?
  8. Q: What’s the most common email template you use?
  9. Q: Would these things not have been flagged during RC and researcher discussions prior to submission? But in any case, would you say these are the most common queries that come back from the panel?
  10. Q: Why are approved PBPPs not readily accessible to the public?
  11. Q: What would be the top three bits of advice that you would give researchers whilst they make their way through the process of applying for and using administrative data in their research?

The first thing that jumped out at me was the number of projects you said you would be working on at one time. Twenty-five seems like a lot to be juggling at once.

1: How many projects does an RC normally have on the go at once? 

Twenty-five is actually at the lower end of the scale for us. When demand is really high, it’s not unusual for RCs to carry up to 40 live projects and also deal with up to 20 enquiries on potential projects!


It also struck me that the primary way that you communicate with researchers is via email. I guess this is important to maintain a paper trail of decisions etc.

2: Are there instances where you would arrange meetings with researchers to have discussions about their projects?

Yes we frequently arrange phone calls to discuss issues. Like a lot of people, many of us are working from home and this has sped up the adoption of remote working tools. For Public Health Scotland, we have access to MS Teams and we are using this more and more for meetings with researchers. As a former researcher, I am aware of the need to plan research carefully. Now with my role in eDRIS, I am aware of potential issues that researchers may not think of early on. We do try to have meetings with researchers early on, even before permissions applications start, mainly to ascertain if the data requests are feasible. It may seem like we don’t respond quickly, and, though this can be true, I hope part 1 of this blog has given a little bit of insight into some of the reasons for this!


Statistical Disclosure Control (SDC) is clearly one of the routine things you guys are dealing with and you mentioned that you might look at Helen’s first because hers are usually filled in properly and explained well. Researchers should obviously read the NSH Requesting Outputs SDC Booklet to make sure they are requesting things in the correct way.

3: What are the most common issues you see with requests from researchers? Equally, what does the perfect SDC request look like?

It doesn’t need to be perfect. We get that researchers are busy juggling competing demands so the request just needs to be good enough so that the reader can understand the context enough to assess easily. The framework eDRIS operates under is what is called the ‘Five Safes’. This is a way to model the whole process, from permissions through to outputs. The basic principle is to break projects into five themes: Safe People, Safe Projects, Safe Setting, Safe Data and Safe Outputs. SDC requests fall into this last theme. When we look at outputs we are asking ourselves if there is any risk of disclosing confidential information from this output. We have to judge several things: Does this output disclose anything on its own, does this output in conjunction with other data that may be available increase the risk of disclosure and lastly, what is the damage that would be done if something were disclosed.

Output checking requires us to have a good working relationship with our researchers, as we may ask them to do something that they don’t agree with. With all that in mind, a good enough output would be one where we, as output checkers, can look at it and say “Ah, there’s a title, clearly labelled, acronyms expanded, this researcher has explained all of the outputs clearly to a non-specialist, there’s enough information in this file for me to understand what I’m looking at and make an informed assessment, and where there are disclosure risks, they have mitigated against them and provided an explanation of what has been done, and they have asked us only for the most important outputs for their research.” If we can see all of these, then output checking becomes a routine check for us and outputs, I can’t emphasise this enough, are released much quicker. We know that us asking researchers to look at outputs again is frustrating, as it’s also frustrating and time-consuming for us (we don’t like going back to researchers either…).

Over time, if the outputs from researchers are easy for us to check, we trust that researcher more, and it will be easier and quicker for their outputs to be released.


The ‘quick-question’ from James that turned out not to be a quick question tickled me. I think it highlights the differences in understanding about the processes and …. between researchers and eDRIS. What seems like a quick question to us often isn’t so quick from your perspective. I’m not sure I can think of an immediate solution to this mismatch, but hopefully bits and pieces of this blog post can go some way in helping. You mentioned, in your response to James, the HSCPBPP and the SPBPP.

4: Can you quickly explain the difference between HSCPBPP and SPBPP?

The Health and Social Care Public Benefit and Privacy Panel (HSC PBPP) and the Statistics Public Benefit and Privacy Panel (SPBPP) are the main bodies we interact with that assess project applications and decide whether permissions are given to access confidential data. The difference is HSC PBPP represent NHS Scotland so decide on applications to access NHS Scotland datasets, and SPBPP represent the Scottish Government (SG), and decide on applications where the researchers want to access e.g. Census data or Education data. Where the project intends to link NHS Scotland and SG data, applications to both panels are required.


Information Governance (IG) – unsurprisingly- also came up a lot in your account of your day. One of the recurring issues was researchers (and your own) IG training expiring. You also noted that the expiration dates are different for different data controllers. Of course, it is a researcher’s responsibility to ensure their IG training is up to date and if their IG training certificate expires during the course of their project they must obtain new IG training within two weeks of the expiry date and provide eDRIS with the new certificates.

5: How often is it that you, as an RC, would flag up to researchers that their training is about to expire? Is this something you routinely check for?

As you say, this is the responsibility of the researchers. However, as we are also responsible for ensuring researchers meet the conditions of their permissions, we do make sure that IG training is still valid. For projects using the safe haven, we set accounts to be disabled on the IG training expiry date. In tandem with this measure RCs also periodically remind researchers that their training is due to lapse to avoid the situation where the researcher contacts us to let us know they can’t access the safe haven! Obviously this is not ideal, as it adds delays while training is renewed, so it’s far better that researchers take responsibility for being aware that their training is up to date.

Again I don’t have any wonderful solution that comes to mind at the moment but there must be some simple steps researchers can take to make sure we don’t end up in the position where our IG training is about to expire and we haven’t planned to get updates (i.e. by booking onto a Safe Researcher Training course). Something as simple as setting a calendar reminder when we first do and pass our training?! Or maybe a month in the year where we encourage researchers to check- Information Governance Ganuary?! This has actually prompted me to check mine…


Another thing you mentioned that made me laugh (though understandably this might not be so funny to you…) was the email from Bob to ask if you can help because he couldn’t access the safe haven. I can relate to this entirely: you try to log in and it doesn’t work. Mild panic – you promised your boss/supervisor to run some analysis that day. You frantically send an email to your RC begging for them to help. Then you realise it’s your own fault and you’ve jumped the gun in reaching out for help. You immediately feel bad and send another email to apologise and ask the RC to please ignore the first email.

6: Is there any kind of troubleshooting list that researchers can refer to before they contact their RC in panic? I suppose this might minimise the frequency of scenarios like the one you mention arising.

The main reasons we see for safe haven access are actually forgotten passwords, but this is usually obvious to the user!

The first thing to be aware of is the safe haven web page is only accessible from recognised IP addresses, which are always associated with your host institution (e.g. the University). If you are not in the office (true for most people nowadays!), make sure you are on the university VPN. This will give an ‘Access Denied’ message if the IP address is not recognised.

The least common issue is with the two-factor authentication PIN codes. The system used for the 2FA PINs very rarely fails (only once that I am aware of!), so if PINs are not being received, it’s usually something else. The most common reason is the user has entered the wrong username, these are different from the subsequent logins and researchers sometimes forget. The next most common reason is lack of mobile phone signal. If you have not received a PIN, check these first.

Finally, if you are not sure, just ask us!


You also mentioned that some requests can be processed by yourself (i.e. the RC) under the proportionate governance rules issued by HSC-PBPP.

7: Is there somewhere that researchers can see what the rules are around proportionate governance issued by HSC-PBPP?

If we knew which of our requests would need to be sent for higher approval then we might reassess the situation and work out what is the best approach to take before coming to you with something that you then need to explain needs higher authorisation. This would be especially useful in cases where time constraints are tight for research projects. I suppose this comes back partly to understanding what is a ‘quick-question’ and what isn’t.

The governance around amendments is always evolving, so these rules are given to us as guidelines. RCs still frequently ask the panel managers for advice! This is purely because of the diversity of projects, so I think it would be difficult to pin down every scenario and how each may be treated by the panel and eDRIS. The best way for researchers to figure out which amendments are the least controversial is to ask their RC! Another source of information is the amendment request form available from the HSC PBPP website, in conjunction with the guidance for applicants document, also available from the same website.


It’s interesting to know that you have template responses for certain things. I guess in themselves they might indicate which are the typical ‘issues’ that arise.

8: What’s the most common email template you use?

The most common template, by far, is to ask researchers to complete a new enquiry form. Internally, the most common template is the safe haven password reset form… Since I wrote this article, eDRIS have developed, and continue to develop new tools, which has reduced the number of template emails we have had to use. It would be interesting to hear if researchers have noticed changes in the safe haven password reset processes, as this is now relatively painless for us!


The request back from the PBPP with further questions really surprised me. The issues raised were:

1) Please provide a clear data flow diagram
2) Please provide a Data Privacy Impact Assessment or evidence that one is not needed. Your data protection officer should be able to offer advice.
3) Please provide evidence of public involvement in the research design
4) Please ensure your lay proposal is clearer to those with no experience of research
5) Please ensure anyone named in 1.1 to 1.5 of the PBPP form have valid IG training, there is a list in the ‘Guidance for Applicants’ available from the PBPP website.

These are all things that the researcher should have done before submission. You even suggested that this is a regular kind of feedback from the panel.

9: Would these things not have been flagged during RC and researcher discussions prior to submission? But in any case, would you say these are the most common queries that come back from the panel?

These issues will have been flagged by RCs before submission, but RCs can only offer advice, and it’s up to the researchers whether they choose to implement these! Most applications have at most, one or two of these items in feedback from the panels. It’s worth remembering that the majority of the applicants to eDRIS are first time applicants from a huge variety of backgrounds and will not have had to do anything like this before. As a researcher, a role I was in for many years myself, your focus is on the scientific or methodological merit of your research. Being asked to think of wider issues can be difficult to get right first time. I am guessing that this is a major factor in accounting for the frequency of these issues being highlighted. My advice would be to pay attention to the advice that your RC gives you (and read the guidance documents when you are completing the application form). I would say the data flow diagram is probably the most important piece of information to get right. This needs to show the source of the data (usually the individual records in a dataset), and each step in the journey from there to the place where researchers will access the final dataset. Once that is pinned down, it’s much easier for eDRIS to figure out what needs done, and for the panel to see where any risks are.


I’ve applied to PBPP several times so I like to think I am quite familiar with the application. But if you are a new researcher then there are plenty of resources out there to help you fill it in, including guidance on the PBPP website and an eCRUSADers blog post (this includes links to an example PBPP and DPIA).

10: Why are approved PBPPs not readily accessible to the public? I think this would improve transparency in the use of public/patient data, but also help avoid situations where researchers submit incomplete applications. Although all projects are different, it can often help to see what a successful application looks like, even if it is in an unrelated research project.

Do you have any view on this?

While a good idea in principle, the PBPPs contain confidential data! As an example, researchers’ emails, work addresses, professional registration numbers, signatures to name just a few. PHS have to process these under the same laws (GDPR, Data Protection Act) that we treat e.g. patient and employee records. I believe the eCRUSADers website has a link to the ‘Tooth Fairy’ application. I would recommend this as a resource for researchers to see what a complete application would look like. For transparency, PBPP publish abbreviated lists of approved projects and end of project summaries provided by applicants once projects are completed; these are available on the HSC PBPP website.


Overall, it’s interesting to see the overlap between the challenges we face: expiring passwords and IG training, safe haven outages. Not to mention the barrage of emails coming in regarding different projects. I guess most researchers (at least academic researchers) are in a similar position in that they are often juggling research on several projects alongside other things like teaching and administrative responsibilities.

11: What would be the top three bits of advice that you would give researchers whilst they make their way through the process of applying for and using administrative data in their research?

This is a tricky one, however, I will do my best!

1) Listen to your RC! We are well aware of the more problematic issues, but we usually have solutions to these. We can only offer advice, but we give this advice to help, not to make people’s lives difficult. We appreciate the governance arrangements are complex and can be confusing (see no 2 in this list), but we want to help.

2) Try to understand your project from the data controllers’ point of view. Data controllers want their data to be used for good, but they are also obliged by law to protect the privacy of the individuals whose data they hold. This applies from the moment you apply for access, right through to the point you request outputs for publication. RCs can help, but I would also recommend making use of the Information Commissioner’s website to understand data controllers’ obligations with regards to personal data.

3) Ask your peers and eDRIS. There are researchers and RCs that have many years of experience using administrative data in research. Your eCRUSADers website is a fantastic initiative.

If I could add a ‘bonus’ tip, please also let us know what causes you, as a researcher, the most pain. If it causes you pain, it causes us pain! We can’t promise to make swift changes, but we will do our best.


Thanks again Jules for taking the time to talk to eCRUSADers over these last two posts. It has been great to get an insight into the day in the life of an RC and overall I hope that this conversation will improve the working relationship between eDRIS and the researchers who apply to use health data in their research going forward.

Researcher Experience: Dr Feifei Bu

In this first Research Experience post of 2021 we hear from Dr Feifei Bu, Senior Research Fellow in the Department of Behavioural Science and Health at University College London (UCL). Feifei first started working with administrative data in 2014 when she worked with the National Pupil Database linked to Understanding Society survey data (UK Household Longitudinal Study). In 2015, she joined the University of Stirling and started working on projects that were using administrative data extensively. In particular, she worked with Scottish Morbidity Record (SMR) data linked with the Social Care Survey (now Source) and Healthy Ageing in Scotland (HAGIS). From there, her interest in carrying out research using administrative data continued into her current position at UCL where she has worked with Hospital Episode Statistics (HES) linked with English Longitudinal Study of Ageing (ELSA). She has also worked with de-identified Whole Systems Integrated Care (WSIC) data. All in all, Feifei has been carrying out research using administrative datasets for around seven years.

Overview of my research

My work using administrative data has been mainly around health service utilisation. Collaborating with colleagues from Stirling and Dundee, we had looked at the cost of hospital admissions for people with cognitive spectrum disorders using SMR data. In 2019, I worked on a project on the relationships between social factors and health outcomes amongst older adults using ELSA linked with HES. We looked at how loneliness and social isolation were associated with the risk of hospitalisation related to fall, cardiovascular disease and respiratory disease respectively. More recently, I led a project looking at how patient activation (a measure of people’s knowledge, skills and confidence to manage their own health and wellbeing) was related to the usage of different health care services, including GP and non-GP primary care, elective and emergency inpatient admissions, outpatient and A&E attendances. At the moment, I am involved in an ESRC funded project looking at how indoor temperature is related to secondary care health service utilisation using ELSA linked with HES.

Summary of any challenges faced

Unlike survey data that are usually thoroughly cleaned and well documented, administrative data often require some extra work. Based on my own experience, for example, the episode order variable that comes with the SMR or HES data cannot be taken for granted. In some cases, it could be important to further sort them into the correct order. Also, it may take some detective work to find out what a specific variable measures or how data were collected in practice and by whom—this could be critical for data interpretation.

A unique strength of administrative data is that they offer objective and detailed measures that are usually unavailable in surveys. However, as these data were not collected for research purposes, there is often a lack of other critical information that we would like to take into account in our research. If data linkage is not possible, this is an even tougher challenge than the one above.

For data protection purposes, administrative data often need to be analysed in a safe setting, like a data safe haven. This can usually be accessed via a remote desktop connection, but in some cases, you might need to go to a secure access point that is not necessarily local. This will slow down your progress significantly. Some administrative data are stored in data warehouses, in which case researchers need to extract data that are relevant to them using a programming language, like SQL. In other instances, researchers may not have access to the data warehouse directly and data extraction needs to be done by a data analyst. This would require a lot of planning ahead as well as communication back and forth. Finally, data access is time-limited in most cases. It may ‘expire’ before getting everything published. This is something that needs to be taken into account when applying for data access.

Working with administrative data is like learning to tame a dragon—albeit challenging, it is also exciting and rewarding!

Thoughts for fellow and future eCRUSADers

As previous Researcher Experience posts have mentioned already, the access application can take a long time to go through. It is important to plan ahead especially if you are on a tight schedule—either for your PhD or other funded projects.

It is important to acknowledge the limitations of administrative data, in particular, the lack of critical information that needs to be ‘controlled for’ in analyses. We should not rule out the possibility that survey data may serve our research purposes better. Here is a note to myself, and to be shared with eCRUSADers: our passion for data should not outweigh a solid research design.

Public Benefit Privacy Panel Timelines

Project: Social Care Survey linked to Scottish Morbidity Record

Preparation of PBPP application: December 2015 – April 2016 (approximately 4 months)

Submission to initial PBPP approval: April 2016 – August 2016 (approximately 4 months)

PBPP approval to data access: August 2016 – April 2018 (approximately 2 years)

Publications using administrative data

Bu, F., Abell, J., Zaninotto, P., & Fancourt, D. (2020). A longitudinal analysis of loneliness, social isolation and falls amongst older people in England. Sci Rep, 10 (1), 20064. doi:10.1038/s41598-020-77104-z

Bu, F., Zaninotto, P., & Fancourt, D. (2020). Longitudinal associations between loneliness, social isolation and cardiovascular events. Heart. doi:10.1136/heartjnl-2020-316614

Bu, F., Philip, K., & Fancourt, D. (2020). Social isolation and loneliness as risk factors for hospital admissions for respiratory disease among older adults. Thorax. doi:10.1136/thoraxjnl-2019-214445

Hapca, S., Guthrie, B., Cvoro, V., Bu, F., Rutherford, A. C., Reynish, E., & Donnan, P. T. (2018). Mortality in people with dementia, delirium, and unspecified cognitive impairment in the general hospital: prospective cohort study of 6,724 patients with 2 years follow-up. Clin Epidemiol, 10, 1743-1753. doi:10.2147/CLEP.S174807

A conversation with eDRIS: Part 1

The Electronic Data Research and Innovation Service (eDRIS) is a small team within Public Health Scotland set up to facilitate access to administrative data for research. Sometime back in the beginning of 2020, I was invited along to talk to eDRIS about eCRUSADers at one of their Development Days. My main hope from the talk was to introduce eDRIS to the eCRUSADers platform and work out if we could come up with any ideas for improving the journey that researchers and eDRIS go through together, when applying to use and using administrative records in Scotland.

Based on the Researcher Experience posts on eCRUSADers at the time (and to this day), as well as personal and published evidence, a common theme is the lengthy wait for data access. As researchers (especially ECRs who are often on temporary research contracts), it is vital that we make the best use of the time from initial contact with eDRIS, right up until data access and beyond. To do this, we need to make sure that our interactions with eDRIS are productive and efficient for both parties. My belief is that if we are to identify any areas where this journey can be improved, both parties need to understand more about one-another’s work and roles in the process.

So, on the back of my presentation to eDRIS, we chatted about the prospect of beginning to create this understanding, by putting together a couple of blog posts in conversation with eDRIS.

In this first post, I am incredibly grateful to have Jules, one of eDRIS’s Research Coordinators (RC), to describe what a typical day looks like. Jules talks through his morning and afternoon, giving us an idea of some of the daily tasks he is involved in and providing an insight into the emails and requests he receives throughout the day.

For me (as a researcher who has worked with a number of RCs on different projects), this insight was very useful and as I read about Jules’s day I had lots of further questions to ask. Jules has kindly offered to answer those questions and these will be posted in Part 2- so stay tuned!

But first off, let’s hear from Jules on his account of a day in the life of an RC. Not quite sure what an RC’s role is? Have a quick read here.

A day in the life of a Research Coordinator

For statistical disclosure control purposes (SDC), the names used here are fictional but the events described are based loosely on real incidents.


Check for new emails, only 10 from last night, great, not bad for my 25 projects! Ok, first job, do we have any SDCs… Yes, two researchers on different projects have output requests, which one first? I think I’ll do Helen’s first, she usually has done a good job of explaining the outputs and making sure there are no disclosure risks. On top of that, she only has health data, so only one data controller’s requirements to worry about, result! So, let’s log in to the safe haven…. now, what is my password? Oh yes, the access path has changed, I need a new password. Oh well, let’s get that password reset first, that might take up to an hour and means I can’t do the other SDC.

Ok, what’s next in the Inbox. Ahh, a ‘quick question’ from James, this should be easy. Nope, he wants to add a Census variable, so…let’s check the existing permissions… Just as well, the Health and Social Care Public Benefit and Privacy Panel (HSC PBPP) and Statistics Public Benefit and Privacy Panel (SPBPP) end date is in two weeks! So, I need to ask James to submit an amendment to add the new Census variable, as well as extend the study date, so that means an amendment to SPBPP and HSC PBPP, and maybe get him to contact the National Records of Scotland (NRS) data access team to discuss if it’s possible first? Yes, that would be best. So, I’ll just email James…


Uh-oh email from HR, my own information governance (IG) training needs refreshed, perfect timing! That reminds me, does anyone on James’s application need their own IG training refreshed…. yep, James and two others are about to expire. Let’s see what the data controllers accept as valid IG training… So, Census accept Safe Researcher Training (SRT) as valid for five years, but HSC PBPP have this as three years… so it’s about to expire as far as HSC PBPP are concerned… I may just ask them to do the online Medical Research Council course (MRC), as that’s quicker, and we worry about the SRT in two years’ time… So, let’s email James.

“Dear James, thank you for your request to add a Census variable. The first thing to do would be to discuss feasibility with NRS, I have added their contact details below. Let me know if you need any help with your approach to them. I also noticed that your project permissions are due to expire, and some of your colleagues named on the form have IG training that is also about to expire, but only as far as HSC PBPP are concerned. Each of these changes needs to be recorded in the permissions, so we need to submit amendments to both SPBPP and HSC PBPP for: adding a new variable, extending the study duration and updating IG training. I think the best way to do this is to submit amendments to the PBPP panels for the end date and updated training, then, after you have got the go-ahead from NRS to add the new variable, we can process another amendment to add the variable, as this will take longer. Please let me know if that makes sense?”


“Dear Jules, I can’t access the safe haven, please can you help? Thanks, Bob”

Now, is the safe haven down? Nope… So where is the issue for Bob, he didn’t say…

“Dear Bob, sorry you are having problems accessing the safe haven. Please can you let me know at which stage you are having the problem? If you can access the safe haven page, are you receiving the 2FA PIN? If not…”


“Dear Jules, please ignore my last email, I wasn’t on the VPN, my mistake! I am in now. While I am here, please can you release the tables in my study area? These are quite urgent, and I need them today.”

Ok, delete my email draft. Now, do I have my own password yet… Nope. Ok Bob will have to wait, next email. Now, John wants to know where we are with his data sharing agreement. Which project is that? Oh yes, here it is, so… the data sharing agreement was sent back to the Shire Commissioners for signing three weeks ago, good question, where is that? Nothing from them…. so, let’s send an email chasing it.

“Dear Phyllis, Hope you are well. We have had a researcher chasing…”


“…the data sharing agreement for 1234-5678. We returned to you for review and signature three weeks ago, please can you let me know when you will be able to get to it? Thanks, Jules”

Ok, let’s email John

“Hi John, apologies for the delay, we sent to the Shire Commissioners three weeks ago for signing…”


“…and I have contacted them to ask for an update, I will let you know as soon as I hear from them. Thanks, Jules”

Ok, where was I? No safe haven access, so no SDCs for now… so, let’s check the task list… Next job is an amendment to add a researcher to Siobhan’s HSC PBPP. So this is 1.5, great, under the proportionate governance rules issued by HSC-PBPP I can process these myself.


Ok, let’s get back to it…


An email from HSC PBPP to researcher:

“Dear Prof. Urquhart,
The HSC PBPP panel have reviewed your application and have some further questions for you before your application can be properly considered. Please provide responses below the listed queries, and return to us within two weeks:
1) Please provide a clear data flow diagram
2) Please provide a Data Privacy Impact Assessment or evidence that one is not needed. Your data protection officer should be able to offer advice.
3) Please provide evidence of public involvement in the research design
4) Please ensure your lay proposal is clearer to those with no experience of research
5) Please ensure anyone named in 1.1 to 1.5 of the PBPP form has valid IG training, there is a list in the ‘Guidance for Applicants’ available from the PBPP website.”

Ah this is a shame, but at least chimes with the advice I gave to the Prof. that the panel would likely pick up on these issues if we didn’t address them before submitting the application. With tight funding cycle deadlines I can sympathise with the desire to get something submitted very quickly, sadly this often creates more work, now where’s that template response… send, done.

Now, has my new Safe Haven password turned up? Nope. Ok, next

“Dear Jules,
In order to avoid SDC, please can I share my safe haven screen with my collaborators? I would only need to do this using Zoom, and with a small number of colleagues, so nothing would leave the safe haven.”

Oh dear…

“Dear Gary,
Please do not do this!
Sharing the safe haven screen is not allowed in any circumstances, whether screen shots, screen sharing or in person. As a reminder, these terms are detailed in the user agreement you signed and are also on the statements you accept every time you log in to the safe haven. Any outputs from the safe haven must be assessed for disclosure, please complete the request form to help speed these assessments up.
Let me know if you have any questions.”


“Dear Jules,
I submitted a draft PBPP to you a few weeks ago. I know the data flow is missing, but this is because I don’t yet know what data I need. I was hoping you could just submit it anyway, to get the ball rolling.”

Ok… where’s that template…

“Dear XXXX,
Please note I have not submitted your incomplete PBPP; if I had, the panel would have returned to us asking where the missing sections were. It saves time if the required sections are completed, as indicated in the ‘Guidance for applicants’ available from the PBPP website. I believe I have already provided the minimum recommended changes for the PBPP to be able to consider your application.
In this case, if the panel do not know what confidential data you are asking for, they cannot assess the risks to the privacy of the individuals in the datasets, as they don’t know which individuals you are asking for data on.
Please let me know if you have any further questions.”

Ok, last thing, do I have my password?.. Yes!!! Now let’s finally look at Bob’s urgent SDC then Helen’s.


“Dear Safe Haven user,
We have experienced some network issues which means we need to shut down the Safe Haven for the rest of today. The Safe Haven will be unavailable from 1530 today until 1000 tomorrow morning. Please save any work and log off.
We apologise for any inconvenience caused by this unexpected outage.
The Safe Haven.”

What time is it??? 1528….

“Dear Bob,
Unfortunately, the Safe Haven has experienced an unexpected error and I am unable to look at your SDC request today.
Please also note that, as you have Census data, we need NRS to carry out checks and clear the outputs before we can check and release. I know you asked for the outputs today, I am afraid this is not possible; however, we will aim to have the outputs checked within our three-day turnaround target.

Apologies for the delays,

I’m going home…oh wait, I am home. (Please note we have flexible working, not all staff finish at 3:30 pm)

The role of an eDRIS Research Coordinator

The two main researcher-facing roles are RCs and Analysts.

The RC role is primarily project management. RCs are assigned a number of projects that they are then responsible for. The essence of the role is to enable access to administrative datasets for researchers, where that access is granted in line with confidentiality laws (e.g. GDPR, Data Protection Act). The RC is there to provide a service to researchers to enable high quality research. In practical terms, this requires the RC to make sure they are aware of current procedures (rather than knowing the jurisprudence around the common law of confidentiality!), so we can provide researchers with the best approach to meeting each data controller’s requirements within a legal framework. There are often multiple data controllers (even within a single organisation) and each data controller has their own requirements (this is why we sometimes ask researchers to provide the same information in slightly different ways). The sheer number of datasets, each with the quirks of their respective data controllers, requires a great breadth of knowledge of the administrative data landscape. As well as projects where data are provided as part of the service, there are numerous projects where the applicants need permissions only, to do all sorts of things, ranging from setting up clinical trials to changing the way health audits are carried out.

The Analyst role is distinct from the RC role and is primarily tasked with creating the extracts for the researchers, although there are often discussions with analysts at early stages to determine feasibility of the requests. The eDRIS analysts have in-depth knowledge of many of the common health data sets, so are a good source of information, for both researchers and eDRIS RCs.
For statistical disclosure control purposes (SDC), the names used here are fictional but the events described are based loosely on real incidents.

Course Round Up: The Whys and Hows of applying to the Public Benefit and Privacy Panel for Health and Social Care (PBPP)

Date of course: Wednesday 11 March 2020
Organised by: Wellcome Trust Clinical Research Facility
Post summary: In this post I provide a run through of the course: The Whys and Hows of applying to the Public Benefit and Privacy Panel for Health and Social Care (PBPP). As the title suggests, the course – delivered by PBPP Manager Dr Marian Aldhous – covered two main areas: Why would you need to apply to the PBPP and how would you go about doing this. My thanks go to Marian, who has kindly let me use her slides to write this post.

In a rush? Skip to the Top Tips for filling in your application and some of my reflections on the course (where you will also find links to an example Tooth fairy PBPP and associated documents!).

Post Contents: 

  1. What is the PBPP?
  2. What is the legislation and principles covering aspects of information governance for the use of NHS Scotland data for purposes other than direct care?
  3. What is the remit of PBPP?
  4. When do you need a PBPP application?
  5. How does the PBPP application process work?
  6. How long is your PBPP application going to take?
  7. How to fill in your PBPP application according to the 5 Safes
  8. Top Tips for filling in your PBPP application
  9. Group discussion and reflection on the concerns raised
  10. Final thoughts
  11. Useful definitions

1. What is the PBPP?

PBPP is a combination of a patient privacy panel and an information governance panel. They were set up by the Scottish Government eHealth to provide a single, consistent, open and transparent scrutiny process for health data to be used for different purposes, including research.

They exist to ensure the right balance between safeguarding the privacy of people in Scotland and the duty of Scottish public bodies to make the best use of data. PBPP provide leadership in the complex privacy and information governance domains so that:

  • Scottish people gain the benefits from the use of data
  • Emerging information risks are managed
  • Public concerns around privacy are addressed
  • Protection of privacy in the public interest is promoted

They have a scrutiny role on behalf of patients with respect to the information you are going to find out about the patient, in work that is not related to their direct care and information not in the public domain. They seek to check whether the use of the data is justified and reasonable, and whether it will achieve its purpose. Further, they want to scrutinise how damaging it would be if the information was leaked.

They are there to ensure that applicants have considered the public benefits and privacy implications for participants and their data. Moreover, they are there to provide assurance of the ‘technical and organisational arrangements’ to ensure respect for the data minimisation principle (GDPR Article 89(1)).

What was really clear from Marian’s presentation on the role of PBPP was that they are not there to trip applicants up or to prevent work from going ahead.


2. What is the legislation and principles covering aspects of information governance for the use of NHS Scotland data for purposes other than direct care?

The UK Data Protection Act 2018 applies when processing (that basically means using or storing) personal data of living individuals; this includes pseudonymous data.

For personal data
For the lawful processing of personal data we look to Article 6(1) of the GDPR which states that the processing of personal data is lawful only if and to the extent that at least one of the following apply:

a) The subject has consented
b) Performance of contract
c) Compliance with legal obligation (under specific legislation)
d) Protection of vital interests i.e. to save someone’s life
e) Performance of a task that is in the public interest
f) Legitimate interests of controller

Point (e) is the most common legal basis given in PBPP applications for the processing of personal data. Note that there are very good reasons why the others are NOT used. Specifically, consent for taking part in research, under the Research Governance Framework, is different from consent obtained for processing data under GDPR. This is one of the reasons applicants are NOT encouraged to use consent as their legal basis under 6.1 or 9.2. Also, legitimate interests can only be used by non-public authority / sector bodies (commercial or charities).

So, 6.1(e) is the most common because it is the most appropriate for the tasks usually covered by PBPP applications.

For sensitive personal data
For the lawful processing of special category sensitive data, we look at Article 9 of the GDPR:

(1) Processing of personal data revealing:
racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health (physical and mental) or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

(2) Paragraph 1 shall not apply if one of the following apply:
a) Subject has given explicit consent
b) Necessary for obligations and rights of controller /subject for employment or social security
c) Necessary for vital interests of subject
d) Legitimate activity of not-for-profit body for political, philosophical, religious or trade union aim
e) Data made public by the subject
f) Necessary for legal claims or judicial capacity of courts
g) Substantial public interest
h) Preventative or occupational health, assessment of working capacity of employee, medical diagnosis, provision of health and social care
i) Public interest in public health
j) Necessary for archiving in public interest, scientific or historical research purposes or statistical purposes in accordance with article 89(1). (Article 89(1): subject to appropriate safeguards for the rights and freedoms of the data subject.)

The most appropriate basis chosen depends on the purpose of the application. If your application is for the use of health data, it would usually be covered by one of 9.2(h), 9.2(i) or 9.2(j), as these are the bases linked to health. For applications looking at NHS/medical processes (e.g. audits, health care planning or service improvement) then 9.2(h) would be used. For public health or infection control, you would most likely use 9.2(i). For any research, 9.2(j) should be used. If you are ever in doubt about this, you can always talk to your eDRIS coordinator to get advice.

The Common Law Duty of Confidentiality also applies to personal data that are not already in the public domain, for example patients have shared personal medical information with their GP and they expect it to be kept confidential. The Caldicott Principles and Data Protection Principles outline the special circumstances under which this information can be shared.


3. What is the remit of PBPP?

The PBPP replaces the Privacy Advisory Committee (which covered research), National Caldicott Scrutiny Panel (which covered both research and non-research), and CHI Advisory Group (which also covered research and non-research).

PBPP have the authority to scrutinise applications for the use of NHS Scotland controlled data and National Records of Scotland controlled NHS Central Registry data for research, healthcare service planning and improvement, audit and other well defined and bona fide purposes. This scrutiny covers the whole process from patient to data provision/analysis.

In 2017/19, around 53% of applications to PBPP were from academic researchers.


4. When do you need a PBPP application?

An application to PBPP is mandatory for:

    • Any use of sensitive or identifiable NHS Scotland data other than for direct care
    • Use and linkage of NHS Scotland National Services Scotland ‘national’ datasets
    • Use of NHS Scotland data from multiple boards
    • Linkage with external (non NHS Scotland) data
    • Linkage to primary research data
    • Access to individuals’ clinical data without consent
    • For transfer of NHS data outwith Scotland

An application is optional for:

    • Any other use of NHSS data considered sensitive, novel or complex, or with wider national implications
    • Use of data from primary care providers, and/or from beyond NHS, but with implications for the service

An application is not required for:

    • Use of PII from only one NHS Board (Caldicott Guardian approval), unless it requires linkage using national datasets
    • Use of data from your own board for direct care
    • Clinical research where covered by other Information Governance processes


5. How does the PBPP application process work?

There is a single PBPP form for all applicants. Detailed guidance is also given to fill in the form (this is covered in the second part of this post). Entry to PBPP goes through the Electronic Data Research and Innovation Service (eDRIS). The eDRIS team provide advice to applicants on the data sets and variables that are available. They also advise on the capability of that data to meet the objectives of the applicant’s proposal. Further, they provide help to fill in the PBPP form itself. They also work closely with the PBPP team when helping applicants prepare their applications. The eDRIS team work on the provision of data from different sources, organise access to the Safe Haven and carry out disclosure checks. Finally, they offer support for data analysis. Clearly, a very busy team that covers a wide range of areas! The diagram below outlines these roles:

Note as well that there are two PBPPs: a health one (or health and social care PBPP) and a stats one. All Non-NHSS (External) data go to the stats PBPP (S-PBPP). This includes ScotXEd education data, NRS census data (which takes a minimum of 6 months for data after S-PBPP approval), social care data, HMRC and DWP data (though possible in theory, you are unlikely to be able to obtain this but that’s another story…). There tend to be longer time frames involved for getting approval for external data sets.

So, the whole process (or the eDRIS sandwich) looks like:

I found this diagram really helpful in providing a picture of how the scrutiny process works. All applications go to Tier 1. Around 5 applications are scrutinised every fortnight (in 2017/18, the panel saw 136 applications). They are assessed according to a proportionate governance traffic light system relating to the criteria set out in the PBPP application. Those assessed as Green are all OK at Tier 1 and are approved or approved with some conditions e.g. ethical approval to be obtained. Sometimes they will require clarification of minor points/changes to the form which would then be checked by the PBPP manager and approved. Those that are Amber (medium risk) may need further clarification from applicants. Those responses will need to be reviewed by the same people who reviewed the application at the panel meeting; this happens by email and the panel does not meet again. Those that are classed as Red have issues that cannot be tolerated; they are referred to Tier 2, with or without clarification. Applications can also be referred for a re-submission due to too many major changes being needed. Amendments can also be made after approval but this should be the exception. Any amendment must be within the original scope of approval. They can be made for things like change of institution, addition of variables, changes to storage location/mechanisms etc. Amendment forms are available on the PBPP website and must be submitted via your eDRIS coordinator.


6. How long is your PBPP application going to take?

This is the question we all really want to know the answer to, especially when we are planning projects with limited funding. The timing can be split up into three puzzle pieces:

Pre-PBPP submission

This stage of the process is mainly down to you (at least once you have been allocated an eDRIS coordinator). The time taken in this stage depends on the number of iterations needed in your application, so making sure you have been thorough and clear when first filling it in will help. It will also be influenced by the complexity and clarity of the project- you’ve got to be incredibly clear and concise when outlining your research plans. Top-Tip: use diagrams where you can!

PBPP submission to PBPP approval

This part of the process is mostly very well defined and evidence is available on these timings. The figure below shows data from the 2017/18 PBPP annual report. Clocked days is the number of working days the application is being processed by the PBPP. The time for applicants to respond to any queries regarding the application is not included in clocked days. The ‘total’ number of working days from submission until the final decision is made, includes any time spent back with the applicant.

The Tier 1 panel meet every fortnight and see 5 applications. The timing for PBPP scrutiny and review is dependent on the number of iterations the application needs to go through and the speed of panel members responding. The complexity and clarity of the proposal are also important factors which could affect the time to approval. Tier 1 is faster than Tier 2 (the Tier 2 panel meets less often and, by definition, your application will already have been through Tier 1 processes).

Post-PBPP approval

This appears to be the most uncertain part as it depends on so many factors. These include the waiting list for an eDRIS analyst and whether you are requesting data from different sources. The timing is also affected by the overall complexity of the project, the amount of data required and the requirement for data sharing agreements.


7. How to fill in your application according to the 5 Safe Principles

So, we know that the PBPP are there to weigh up the public benefit versus the privacy risk of applications. They carry out this assessment by considering the Five Safe Principles which coincidentally correspond to sections in the application:

When you are filling in your application you must demonstrate how you meet the 5 Safe Principles. In what follows, I outline the main questions that PBPP ask you to answer in your application. Some of them overlap somewhat and they should not be treated as a complete check list (every project is different!), but they will help to ensure you demonstrate the 5 Safes.

Safe People

The PBPP will be looking for:

  • Who has access to the data?
  • Who needs to know? Caldicott Principle 1!
  • How responsible are the applicants/analysts?
    • What is their knowledge and experience?
    • What training do they have?
      • IG training is required for an application (applicants, PhD supervisors, clinical leads, data custodians and anyone who is accessing patient level data (including pseudonymised data) needs to have up-to-date IG training)
      • Links to possible courses are on the PBPP website
      • Training must be renewed every 3 years
    • Who is responsible to ensure the applicants do what they say? Accountability principle!

Safe Organisations

The PBPP will be looking for:

  • Which organisation is responsible for the data?
    • Which organisation is the data controller? Affects main contact, which DPO should be consulted, purpose of the proposal
    • Responsible for the data
    • Researchers with NHS / University contracts
    • Who will keep the researchers accountable?
    • Does this change at different points in your proposal?
  • How safe is each organisation?
    • Is it a known public organisation / charity /company?
    • Who will become Data controller?
    • Is there a Data processor involved?
    • Data processing agreement in place?

Safe Projects

The PBPP will be looking for:

  • Is this an appropriate use of the data?
  • Project information
    • Background / Aims & objectives / Methods / Outcomes
      • Be very clear in your description and objectives.
      • Write so that a non-expert can understand.
      • Write about the whole process- from patient to data analysis.
    • Is the use of data necessary? Can it be done another way?
      • Be clear about variables requested
      • Bear in mind the principles of data minimisation
      • Justify the need for every single variable
    • Is the project ethical?
    • Where will the data go? Who will access it? Top Tip: Use flow diagrams! This can really help you to see what agreements will be needed, between which organisations.
    • What is the population for which data are requested?
    • Would they expect their data to be used for this purpose?
    • How will the processing take place?
    • Is the processing lawful, fair and transparent?
      • You MUST state the legal basis for processing data. GDPR Article 6(1) for personal data (including pseudonymised data) and GDPR Article 9(2) for special category data.
    • How will the rights of the subjects be upheld?
  • What is the public benefit?
  • Has the applicant carried out any public engagement? (may not apply to all applications)
    • Have lay people been involved in the project design? If not, why not?
    • Do the public see the benefit in the project you wish to do?
    • Would they feel that the types of data requested are reasonable?
  • Has any peer review of the proposal been carried out?
  • Has there been a review from ethics?
    • NHS REC opinion
    • University ethics committee
  • Has the applicant assessed the privacy risks?
    • Have they carried out a Data Protection Impact Assessment? Note that this can be a legal requirement, depending on the nature of the processing. If not, why not? (It’s good practice to do this and a lot of it overlaps with the content required in the PBPP).
  • Other approvals
    • If you are a data processor, you will need a Data Processing Agreement setting out the processing instructions.
    • Approvals from outwith Scotland
    • Approvals from another Data Controller for linkage to non-health data.

Safe Data

The PBPP will be looking for:

  • How identifiable are the data?
    • Are identifiers used for processing only? Make this clear!
    • Do combinations of variables make individuals identifiable e.g. rare diseases in small populations?
    • Are the data anonymised or pseudonymised?
  • Are the data highly sensitive?
  • Are you adhering to the principles of data minimisation?
    • Are the data relevant?
      • Too much data? Are all variables necessary? Can you use partial or derived variables?
      • Too little data? Will they fulfil the aims?
    • Justification for requesting these data variables
    • Are all the details necessary e.g. full dates, full postcodes?
  • What will happen to the data at end of project?
  • What are the sources of data requested?
    • For new data
      • How is it being collected?
      • Who is the data controller?
    • For existing datasets
      • Who are the data controllers?
      • If not NHSS do you have permission?
    • Who is carrying out the cohort identification and/or data linkage and how? Should be by third party.
  • How do individuals know about the use of their data?
  • What would individuals expect you to do with their data?
    • Participant information leaflets
    • Privacy notices on NHS Board websites
    • Generic NHS leaflets/website links

Safe Settings

  • From where will the data be accessed?
    • Will it be accessed in a Safe Haven? This is what NHS Scotland prefers!
    • If not in Safe Haven, why not? Consider:
      • How secure is the data collection process?
      • How secure is the transfer of data?
    • Will the data be accessed securely (data protection principle 6)?
      • Will it be accessed remotely?
      • Can anyone see over your shoulder?
      • Will the data be pseudonymised?
      • How will access be monitored?
    • Will the data be transferred securely?
    • Will the data be stored securely?
      • For how long?
      • Will it be destroyed? If so how?

Safe Outputs

  • What will be the outputs of the analysis?
    • Disclosure control. Beware small numbers! Groups < 5-10
  • Who will do disclosure control?
  • How aggregated is the data?
  • How identifiable is the data within the outputs?
  • Is there any confidentiality risk from publication?
  • What will happen to the data at the end of the analysis and at the end of the project?
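The small-numbers questions under Safe Data (combinations of variables) and Safe Outputs (groups below 5-10) can be checked mechanically before an output request is made. The Python below is an added illustration, not code from the course, PBPP or eDRIS: it counts people per combination of variables, blanks small cells in a frequency table, and flags blanked cells that published row or column totals would give away. The records, variable names and the threshold of 5 are constructed assumptions.

```python
from collections import Counter

K = 5  # assumed threshold; the course notes above give a range of 5-10


def make_rows(n, age_band, health_board, condition):
    """Build n constructed person-level rows (illustrative, not real data)."""
    return [
        {"age_band": age_band, "health_board": health_board, "condition": condition}
        for _ in range(n)
    ]


# Constructed cohort of 50 people; all names and values are hypothetical.
RECORDS = (
    make_rows(12, "40-49", "Board A", "asthma")
    + make_rows(7, "50-59", "Board A", "asthma")
    + make_rows(6, "40-49", "Board A", "rare disease X")
    + make_rows(5, "50-59", "Board A", "rare disease X")
    + make_rows(9, "40-49", "Board B", "asthma")
    + make_rows(8, "50-59", "Board B", "asthma")
    + make_rows(2, "40-49", "Board B", "rare disease X")
    + make_rows(1, "50-59", "Board B", "rare disease X")
)


def small_groups(records, quasi_identifiers, k=K):
    """Safe Data check: variable combinations shared by fewer than k people."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return {combo: n for combo, n in counts.items() if n < k}


def crosstab(records, row_var, col_var):
    """Frequency table as {row: {col: count}}, with empty cells filled as 0."""
    rows = sorted({r[row_var] for r in records})
    cols = sorted({r[col_var] for r in records})
    table = {row: {col: 0 for col in cols} for row in rows}
    for r in records:
        table[r[row_var]][r[col_var]] += 1
    return table


def suppress_small_cells(table, k=K):
    """Safe Outputs check: blank every non-zero count below k (None = blanked).

    Zeros are left visible here; that is an assumption of this example,
    and a data controller's own rules may treat zeros differently.
    """
    return {
        row: {col: (None if 0 < n < k else n) for col, n in cells.items()}
        for row, cells in table.items()
    }


def exposed_by_totals(suppressed):
    """Blanked cells that are the only blanked cell in their row or column.

    If row and column totals are released with the table, such a cell is
    recovered by subtracting the visible counts from the total.
    """
    exposed = []
    for row, cells in suppressed.items():
        hidden_in_row = sum(v is None for v in cells.values())
        for col, value in cells.items():
            if value is not None:
                continue
            hidden_in_col = sum(r[col] is None for r in suppressed.values())
            if hidden_in_row == 1 or hidden_in_col == 1:
                exposed.append((row, col))
    return exposed


if __name__ == "__main__":
    print("Small combinations:",
          small_groups(RECORDS, ["age_band", "health_board", "condition"]))
    safe = suppress_small_cells(crosstab(RECORDS, "health_board", "condition"))
    for board, cells in safe.items():
        print(board, cells)
    print("Recoverable from totals:", exposed_by_totals(safe))
```

A cell reported by `exposed_by_totals` needs a second cell blanked, coarser categories, or the totals withheld before the table is submitted for disclosure checking.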


8. Top Tips for filling in your PBPP


  • Read the latest version of the guidance notes on the PBPP website
  • Use lay language and be concise
  • Use diagrams and flow charts
  • Take advice from your eDRIS coordinator. They know a lot about the data and its capability in meeting your project objectives!
  • Take care while filling in the form- carelessness raises questions of care taken elsewhere
  • Read and answer the questions asked
  • Be consistent across different questions
  • Explain ALL abbreviations and technical terms
  • ‘Tartanise’ your application
  • Be aware that different legislation applies in Scotland and England
  • Set realistic end dates
  • Clearly label your supporting documents to match what you put into the PBPP form
  • Look at this very handy Tooth fairy PBPP application and corresponding data dictionary of variables, along with an example DPIA and privacy notice.  They have been put together by PBPP Manager Dr Marian Aldhous so you can see what a successful application looks like. Note that this is just ONE example and every application is different!


  • Don’t just copy and paste from other documents. They may not ask the same questions and they may have mistakes
  • Don’t copy from the guidance and include the note that says you shouldn’t use this…
  • Don’t assume the panel knows about your proposal, your area of research or your local processes. All needs to be explained clearly
  • Don’t forget that behind each data variable there is a patient, who might be interested in your results.


9. Group discussions and reflection on the concerns raised

The general feeling in the room was that the course was very helpful. However, there were concerns raised by some participants. One concern was around ethics and knowing what ethics is required. It seemed some were confused as to what ethical approval they required and they felt they were filling in a lot of forms. I disagreed with this, as an academic who has worked with administrative health data, the ethics side of things was actually the more straightforward part. But I’d be keen to hear others’ views on this. It’s no surprise that another concern was on timing, but clearly timing depends on so many factors which are highly individualised to specific projects.

On timings, we have those three pieces of the puzzle: writing your application to submission; submission to approval; approval to data access. The middle piece is very clear, at least for the majority of projects, and timings are published in the PBPP annual reports. The other two depend on many external factors. What can we do to influence them?

Puzzle Piece 1: Writing your application.

I’d strongly suggest taking this course or reading this blog post (hey if you’ve read this far, you’re already part way there!). If you’ve done the background work thoroughly and you write a good application, it won’t need to go through as many iterations with your eDRIS coordinator and you will save yourself some time and make the lives of eDRIS easier.

PBPP Panel Manager Dr Marian Aldhous has put together a very handy Tooth fairy PBPP application and corresponding data dictionary of variables, along with an example DPIA and privacy notice, so you can see what a successful application looks like. Note that this is just ONE example and every application is different!

Puzzle Piece 2: From application submission to approval. 

We’ve got this one covered. See Section 6: How long is your PBPP application going to take?

Puzzle Piece 3: From approval to data access.

This is the tricky piece and the timing at this stage will vary hugely from project to project. At least, that’s what I assume. But the truth is, we don’t really know. So what can we do? This is one of the reasons I set up eCRUSADers, to try and build up an understanding of the time it will take to get access to data. But realistically I doubt every PBPP applicant is about to come forward and share their experiences with us. One suggestion might be to publish data at the point of data access which outlines clearly the data sets/variables requested and the timelines for the three parts of the puzzle. This could take the form of simply the PBPP application or just a table filled in with those timings. Alternatively, end of project reports could be made available which detail this information.

Once we know the timing from approval to data access, as well as the factors which might influence them e.g. what data sets are requested, how many years, etc, we would be better equipped to plan for research projects which have limited timelines.


10. Final thoughts

Overall, The Whys and Hows of Applying to the Public Benefit Privacy Panel for Health and Social Care is a very useful course and I’d recommend you get a space on it if you are thinking about using Scotland’s administrative health data. It will take you half a day but it could save you much more time in the long run. I’d maybe even go further and say that it should be compulsory…. The PBPP is not there to trip you up, it’s there to ensure the balance of public benefit and privacy risk. They are on our side and just as keen to make the processes easier and quicker as we are. Timing remains our biggest challenge and there are bits and pieces we can do to speed things up. Having said that, the biggest timing challenge we face is from PBPP approval to data access. Unfortunately, there is little we can do to influence this and that has to change.


11. Useful definitions

Anonymous data

Anonymous data cannot be used to identify any individual. Removal of identifiers does not necessarily make the data anonymous. In anonymous data, no combination of variables would allow an individual to be directly or indirectly identified. Anonymisation is irreversible. Anonymous data are not subject to the Data Protection Act 2018.

Data Controller

Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes. Controllers shoulder the highest level of compliance responsibility – you must comply with, and demonstrate compliance with, all the data protection principles as well as the other GDPR requirements. You are also responsible for the compliance of your processor(s). (from the Information Commissioner’s Office website)

Data Processor

Processors act on behalf of, and only on the instructions of, the relevant controller. Processors do not have the same obligations as controllers under the GDPR and do not have to pay a data protection fee. However, if you are a processor, you do have a number of direct obligations of your own under the GDPR. (from the Information Commissioner’s Office website)

Data Protection

Data protection is concerned with the safe use of personal data. The UK Data Protection Act 2018, which incorporates the EU General Data Protection Regulation (GDPR), outlines the data protection principles that organisations, businesses and the government must follow when using personal data.

Personal data

Any information which, either alone or combined with any other data, leads to the identification of individual(s). This could be a name or phone number, IP address or cookie identifier.

Pseudonymous data

Pseudonymous data are data that have been altered so that no direct identification of any individual can occur. However, additional information is held by you or someone else that allows the identification of an individual. This is personal data and is subject to the Data Protection Act 2018.

Special category personal data

Personal data which are subject to more scrutiny when determining the lawful processing. They include things like race, ethnicity, medical conditions (physical and mental), sexual life, religion, philosophical beliefs, politics and trade union memberships, criminal convictions/alleged offences, genetic and biometric data. (from the Information Commissioner’s Office website)
