Is the work related to PHS’s core functions?

Core functions do not include:

  • services from the Local Improvement Support Team (LIST) – for LIST services, a separate information governance framework is available due to its complexity
  • research by academia
  • third sector requests
  • commercial organisation requests

Core functions are defined by the Public Health Scotland Order 2019 and include ministerial directives or those listed in the PHS privacy notice.

Is the processing ongoing as part of business as usual (BAU) for PHS use?
This is applicable to PHS teams.
Is PHS controller of all the data being used?
Do you have approval from all data controllers (NHSScotland Health Data) for this work?

Contact the Data Protection Team at phs.dataprotection@phs.scot

They will advise if any other approval, data protection impact assessment, or agreement such as data processing agreement or data sharing agreement is required.

In a national emergency, specific rapid approval pathways may be created.

Does the work include sensitive topics or vulnerable populations?

Examples of sensitive topics are:

  • sexually transmitted disease
  • pregnancy for those under 16 years
  • abortion
  • mental health
  • drug and alcohol misuse
  • disability
  • suicide

Examples of vulnerable populations are:

  • adults with incapacity
  • some elderly
  • drug/alcohol misusers
  • homeless
  • mentally ill
  • children
  • looked-after children
  • asylum seekers
  • minority ethnic groups
  • specific religious affiliation

Other special category data:

  • ethnicity
  • sexual orientation/sex life
  • religion
  • politics
  • Trade union membership
  • genetics
  • biometrics
  • crime/convictions

Seek Caldicott or special clinical input before completing data protection impact assessment screening questions.

Contact the Data Protection Team for further advice at phs.dataprotection@phs.scot

Complete data protection impact assessment screening questions.

Contact the Data Protection Team for further advice at phs.dataprotection@phs.scot

Is it a one-off piece of work?

Applicable to PHS teams or local NHS boards.

Is it for the following purposes?

Contact the Data Protection Team (phs.dataprotection@phs.scot), who will advise whether a Public Benefit and Privacy Panel or other approval or agreement (such as data processing agreement or data sharing agreement) is required.

In a national emergency, specific rapid approval pathways may be created.

Contact the Data Protection Team (phs.dataprotection@phs.scot)

They will advise whether a Public Benefit and Privacy Panel or other approval or agreement (such as data processing agreement or data sharing agreement) is required.

In a national emergency, specific rapid approval pathways may be created.

Complete data request and linkage form with analytical and clinical input, where required.

Is it for research led by PHS only?
Are other organisations involved in this research as a joint collaboration with PHS or commissioned by PHS?

Public Benefit and Privacy Panel approval required.

Have you contacted the PHS Research Office to check if ethics approval and a research collaboration agreement is required?

Contact the Data Protection Team (phs.dataprotection@phs.scot).

They will advise whether Public Benefit and Privacy Panel, other approval, or agreement such as data processing agreement or data sharing agreement is required.

Sometimes, an updated data protection impact assessment or a complete data request and linkage form should be completed with analytical and clinical input, where needed.

Contact PHS Research Office at phs.researchoffice@phs.scot

Is it for one of the following purposes?
  • Local data for a single board or single independent contractor (GP/GDP) for any purpose or any level of risk?
  • National aggregated data for audit?
  • Individual-level data for audit which is non-sensitive, does not apply to vulnerable groups, or has very low disclosure risk?
  • National data from nationally contracted third parties?
Is this processing covered in a existing PHS DPIA?

You can start the work.

Contact the Data Protection Team (phs.dataprotection@phs.scot).

They will advise whether Public Benefit and Privacy Panel, other approval, or agreement such as data processing agreement or data sharing agreement is required.

Sometimes, an updated data protection impact assessment or a completedata request and linkage form should be completed with analytical and clinical input, where needed.