Recognising, and implementing, the GDPR and Data Protection Act provisions for scientific research in Scotland’s Research Access Service#

Lead: Paul Jackson (Research Data Scotland)

Proposal#

Summary#

The GDPR, now nearly 8 years old, contains special treatment for scientific research.

Many exemptions and exceptions are provided in return for a compensating requirement - that wherever possible, the further processing by the scientific researcher should be of data prepared in advance and provided in such a way as to be anonymised when used.
It says this is achieved by minimising the data as far as possible given the needs of the research, and then completing the minimisation through organisational and technical measures.

TREs are the perfect way to comply with GDPR when facilitating scientific research.

Research Data Scotland is building up a national infrastructure to deliver compliance with this legal framework with a project approval and governance framework designed to be as efficient and effective as possible, significantly shortening project approval timelines, and reducing the bureaucracy for all parties.

In this session we’ll share progress on this infrastructure and get feedback and thoughts from the community.

Required preparation#

Read GDPR recitals 26 and156, and article 89.

Target audience#

Information governance and data protection staff of TREs.

Session#

Summary#

Scotland is advancing its data systems to facilitate research while navigating GDPR regulations. The approach includes dividing the challenge into two segments: data controllers preparing and anonymizing data to create ‘research-ready’ datasets in compliance with GDPR, and once researchers access this anonymized data within a Trusted Research Environment (TRE), it’s considered outside GDPR’s purview because of anonymisation. This strategy aims to move away from the inefficient create-and-destroy method, reducing the oversight burden on privacy boards. The discussion also focused on the importance of maintaining public trust, with plans to engage the public in dialogues about the definition of public good and the mechanisms of data access and use by researchers, alongside a review of private sector access to NHS data.

Discussions highlighted the necessity of explaining to the public the low likelihood of reidentification from anonymized datasets and the non-applicability of GDPR to such data in research contexts. The conversation acknowledged ongoing challenges, such as bottlenecks caused by the requirement to keep data separate across different organizations and concerns over private sector access to NHS data

Next steps#

  • info sharing between Research Data Scotland and Smart Data Foundry on public engagement plans, and on Rowntree foundation on fine grain data into TREs for answering policies - Launch of Income Volatility Dashboard with JRF (smartdatafoundry.com)

Raw notes#

Scotland is looking to mature data systems to learn

  • Scientific research is featured in the GDPR, data subject rights are lifted for scientific research. This must be balanced with the rights and deal with the public

  • Scotland is aiming to split the challenge into two parts. Data controllers to prepare data and anonymise and create research ready datasets (using and accounted for by GDPR guidelines). Once researchers access the data in the TRE then it is no longer under GDPR regulations since it is anonymised.

  • The aim is to replace the create and destroy method. This is inefficient and a lot for the PBPP to look at.

  • In terms of public engagement important to balance public trust

  • Expect to come across all of the issues in their future work, including public engagement. Smart Data Foundry - currently have a fund open for projects which will be in public good https://www.ukri.org/opportunity/smart-data-research-uk-data-services/

  • Queries how to cover with data controllers about the final data accessed by researchers doesn’t need to be personal data therefore isn’t covered by GDPR. And the low liklihood of reidentification.

  • Comissioning first set of public engagement dialogues in the summer. This will cover public good definition and how researchers access and the role of public

  • Similar to work at RDS for our next steps. Ours will be planned in for next year - potential to build on the work of Smart Data.

  • Highlighted Ruth Gilberts work in reference to communicating to public

  • Works with ADR-S which is relevant for the research ready aims. There’s a lot of bottlenecks because so many organisations are required to keep data separate. Has seen different tenants of Safe Havens operating.

  • Recent news stories around dodgy private sector companies having access to NHS data

  • Review of private sector access currently being done at RDS

Next steps#

  • Emails to be exchanged between RDS/SDF for follow up on public engagement plans including intro to Scot Gov contacts

  • RDS to send intial research (now) and public good work (once public)

  • Smart Data Foundry to send info on Rowntree foundation on fine grain data into TREs for answering policies - Launch of Income Volatility Dashboard with JRF (smartdatafoundry.com)