If you would like to become a data provider, please contact the NISRA's Research Support Unit: rsu@nisra.gov.uk
Background
Over the past 5 years, the UK Government, through the Economic and Social Research Council, has funded NISRA (in partnership with the two local Universities) to host an Administrative Data Research in Northern Ireland (known as the ADR NI). Similar centres have also been established in England, Scotland and Wales. In June 2019, NISRA's RSU was awarded with Accredited Processor status under the terms of Part 5, Chapter 5 of the Digital Economy Act 2017 and the statutory Research Code of Practice and Accreditation Criteria.
The thrust of the initiative has been to provide a secure and accredited research environment to enable agreed, ethically approved and cross-cutting research to be conducted using administrative data sets that are routinely collected and analysed by NICS departments and other bodies. The ultimate aims of the joined up approach are to inform the development and monitoring of public policy and to help ensure that decision making is evidence based and the research question a benefit to society.
The ADR NI makes it possible for trained researchers to use administrative data for social and economic research, while making sure the data remain safe and the privacy of individuals is protected. To date, a number of Departments (DAERA, DoF, DoE, DfC, DfE and DfI) have provided data for ADR NI research projects.
In August 2018, Permanent Secretaries signalled their ‘agreement in principle’ for their respective Departments to continue to engage with the process for the next ADR NI funding period from October 2018 to March 2021 and to explore, with NISRA, how their data might best be lawfully utilised for research purposes. The purpose of this factsheet is to provide IAOs with information on key issues in this area including:
- Compliance with the General Data Protection Regulation (GDPR);
- The legal gateway to sharing data for research purposes; and
- Safety of the data.
Compliance with the General Data Protection Regulation (GDPR) 2018
The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The table below highlights how ADR NI projects are compliant with GDPR.
|
GDPR Requirements |
|
|---|---|
|
Use of a Trusted Third Party (TTP) |
The Information Commissioner Office’s Anonymisation Code of Practice highlights conditions for processing personal data for research. The use of an independent NISRA-led Trusted Third Party (TTP) for ADR NI projects, as recommended in the ICO guidance, fulfils a vital role in ensuring the privacy of research subjects. The TTP only receives limited personal information (e.g. name, date of birth and address) from which it creates an anonymous index that matches the IDs of the other datasets. This index is then used by the data custodians and the independent Research Support Unit (RSU) team in NISRA to bring together de-identified datasets to produce an overall research dataset. The two teams in NISRA (TTP and RSU) are managed and run separately under separate Senior Civil Service direction to ensure that the TTP and RSU processes are independent. |
|
Personal and pseudonymised data |
Personal data which have undergone pseudonymisation, could still be attributed to a person by the use of additional information and should be considered to be information on an identifiable person. While there is no potential identification of the data subject in anonymous information, there is a potential to identify a person in pseudonymised data. Data requested for projects comes in two forms; personal data which goes to the TTP for matching and pseudonymised data which goes to the RSU for creating the research dataset. Both personal and pseudonymised data are protected by the GDPR. |
|
Legal gateway |
Data providers require a legal gateway for sharing data with the ADR NI. The Digital Economy Act 2017 facilitates the linking and sharing of datasets for research and statistics purposes (see below for more information on accessing data for research purposes). There are further gateways under article 6 of the GDPR to use data solely for statistics or research purposes. |
|
Privacy notices |
Privacy notices need to reflect that data are being shared for research purposes. |
|
Data sharing agreements |
All data sharing in the ADR NI is underpinned by Data Sharing Agreements (DSAs) which are compliant with the GDPR and include the following headings:
|
Legal gateway for accessing data for research purposes
Sharing of personal data is legally allowable under Article 6 of the GDPR where there is an exemption for processing of personal data for statistics and research purposes. (See also the Code of Practice on Protecting the Confidentiality of Service User Information). In addition, the Digital Economy Act (DEA) 2017 facilitates the linking and sharing of datasets held by public authorities for research purposes (Health data is excluded under the DEA research clauses). Under the DEA, data can be processed and made available in a safe and secure way for research purposes. The table below summarises the conditions under which information can be disclosed for research purposes.
| Research access under the DEA/GDPR |
|
|---|---|
|
Trusted Third Party |
All ADR NI projects are linked using the Trusted Third Party to match the personal data, ensuring safety of the data. There is a code of practice under the DEA and NISRA will be accredited by the UK Statistics Authority for the TTP and RSU functions. |
|
Processing of data |
There is a separation of duties within NISRA by using a Trusted Third Party (TTP) to match the personal data and then a functionally independent Research Support Unit (RSU) with access to the attribute data. Neither functional unit can process the whole dataset for the research project. |
|
Removal of direct identifiers |
ADR NI research datasets have no direct single variable identifiers. When a research dataset is created, RSU carries out statistical disclosure checks to assess the risk of re-identification of a person within the dataset and implement controls to protect the data as required. |
|
Safe access |
Data can only be accessed in NISRA's Secure Environment in Colby House. The Secure Environment is supervised by NISRA using the five safety principles below. |
|
Public interest |
ADR NI projects are approved by an Approval Panel. The Approval Panel set up under the DEA include data providers, statisticians and academics to assess the public value of any research. |
|
Accredited researchers |
The researcher(s) and NISRA staff working in RSU and TTP receive training and are accredited under the DEA. |
Safety of the data
NISRA hosts the Secure Environment where accredited researchers access data for ADR NI research projects. Five simple protocols provide complete assurance for data owners and researchers by ensuring the following 'safes'. The 'Five Safes' have been endorsed by the ICO.
|
The Five Safes |
|
|---|---|
|
Safe data |
Data are pseudonymised by removing names, addresses and any other direct identifiers that would identify the individuals, before being made available for analysis. There is a separation of duties within NISRA by using a Trusted Third Party (TTP) to match the personal data and a Research Support Unit (RSU) with access to the attribute data. No one person can see both personal and attribute data. Researchers are only given access to a bespoke extract of data that has been approved through a research approval panel. NISRA carries out a disclosure assessment on the research datasets prior to them being accessed by the researcher. |
|
Safe people |
Researchers have to apply to the Office for National Statistics (ONS) Approved Researcher scheme before they can access the data. Researchers have to complete a training course on the Five Safes and disclosure and pass the assessment at the end; agree to their details being published; sign an agreement promising to protect the confidentiality of data and have an institutional guarantor. NISRA staff processing the data are trained in data protection and have higher security clearance. Researchers are also required to have basic security clearance. |
|
Safe setting |
Researchers access the data through NISRA's Secure Environment based in Colby House and strictly controlled secure environment governed by policies, protocols and procedures to ensure data confidentiality. Within the Secure Environment, researchers are supervised by NISRA staff at all times. The network which hosts the research dataset is air-gapped and has no connection to the internet. |
|
Safe outputs |
To ensure that text, tables and charts produced by researchers cannot identify individuals, RSU checks all outputs to ensure that they meet confidentiality standards. Output checkers are trained in statistical disclosure control. |
|
Safe projects |
Projects are only approved when the following conditions are met:
If these conditions are not met, the application is rejected. |