Keeping data safe

We follow a strict framework to ensure data is kept secure and that all research is in the public interest.

Guiding principles and the 'Five Safes'

In Scotland, we follow the Guiding Principles for Data Linkage, which are designed to support the safe and appropriate use of data for research and statistical purposes. They ensure data linkage takes place within a controlled environment and that the research carried out is legal, ethical, secure and efficient.

The principles align with the established ‘Five Safes’ framework, developed by the Office for National Statistics (ONS) to ensure data is kept safe and secure:

  • Safe Data - Data provided to researchers is ‘de-identified’, meaning no information which can directly identify individuals is included.
  • Safe Person - Any researcher accessing administrative data is assessed for their skills and suitability before being granted access to the data needed for their project.
  • Safe Project - The research project itself is scrutinised and must be in the public interest. 
  • Safe Place - Data must be accessed in a safe and secure room within one of our facilities, or otherwise via an assured connection at an accredited institution. 
  • Safe Output - The researcher’s actions whilst accessing the data are monitored using keystroke technology and all outputs (publications, presentations or articles) are checked thoroughly, with any potentially re-identifiable information removed.

Data about individuals

Administrative data is largely information about how people interact with public services or government departments. Researchers only ever have access to data which has had anything which can directly identify an individual (like names, dates of birth, full addresses) removed. There are rigorous safeguards in place to protect it from re-identification, including strict separation of functions of those involved in the process. What is left is a set of information about unidentified individuals and their interactions with public services, allowing for relationships between these to be analysed. This information is very useful for research, without giving away information about identified members of the public.

Administrative data is linked and processed for research in compliance with GDPR regulations (via the ‘public task’ lawful basis). Processing data is lawful where it “is necessary for the performance of a task carried out in the public interest” and where that task is set out in law, meaning that the organisation involved or the overall task must have a clear basis in law. The law in which this is set out varies depending on the organisations involved; for example, universities’ charters set out their core functions as including research.

Who can access data for research?

Data cannot be accessed by anyone who is not authorised or for any reason other than research that passes the public benefit test. Researchers seeking to use the data go through rigorous approval processes set by the organisations responsible for the data. These include:

  • checking the researcher is from a suitable research institution
  • checking that the researcher has completed appropriate security training
  • undertaking an ethics assessment of the proposed research to ensure it delivers benefit to the public and that the data access requested matches the research questions being asked.
