Keeping data safe

We follow a strict framework to ensure data is kept secure and that all research is in the public interest.

Guiding principles and the 'Five Safes'

In Scotland, research follows the Guiding Principles for Data Linkage, which are designed to support the safe and appropriate use of data for research and statistical purposes. They ensure data linkage takes place within a controlled environment and that the research carried out is legal, ethical, secure and efficient.

The principles align with the established ‘Five Safes’ framework, developed by the Office for National Statistics (ONS) to ensure data is kept safe and secure:

  • Safe Data: Data provided to researchers is ‘de-identified’, meaning no information which can directly identify individuals is included.
  • Safe Person: Any researcher accessing administrative data is assessed for their skills and suitability before being granted access to the data needed for their project.
  • Safe Project: The research project itself is scrutinised and must be in the public interest. 
  • Safe Place: Data must be accessed in a safe and secure room within one of our facilities, or otherwise via an assured connection at an accredited institution. 
  • Safe Output: The researcher’s actions whilst accessing the data are monitored using keystroke technology and all outputs (publications, presentations or articles) are checked thoroughly, with any potentially re-identifiable information removed.

Data about individuals

Administrative data is largely information about how people interact with public services or government departments. We know this is important to keep secure, and our researchers only ever have access to data from which anything that can directly identify an individual (like names, dates of birth, full addresses) has been removed, with rigorous safeguards in place to protect it from re-identification (including strict separation of functions of those involved in the process). What is left is a set of information about unidentified individuals and their interactions with public services, allowing the relationships between these to be analysed. This information is very useful for research, without giving away information about identified members of the public.

Administrative data is linked and processed for research in compliance with GDPR regulations (via the ‘public task’ lawful basis). Processing data is lawful where it “is necessary for the performance of a task carried out in the public interest” and where this is set out in law, meaning that the organisation involved or the overall task must have a clear basis in law. The law in which this is set out varies depending on the organisations involved; for example, universities’ charters set out their core functions as including research.

Who can access data for research

In addition to ensuring researchers do not have access to data which can directly identify individuals, there are also rigorous safeguards in place to ensure data cannot be accessed by anyone who is not authorised, or for any reason other than research that passes the public benefit test.

Researchers wishing to use the data go through rigorous approvals processes set by the organisations responsible for the data. These include checking that the researcher is from a suitable research institution, has completed appropriate training, and has undertaken an ethics assessment of the proposed research to ensure it delivers benefit to the public and that the data access requested matches the research questions being asked.

Once researchers have been suitably trained and their project approved, they must then access the data via a secure physical facility – or a secure connection to that facility – provided by our centre or one of our partners. Researcher activity and outputs within these facilities are closely monitored, and outputs checked before being released, to ensure the data has not been misused in any way.
