Data Access Approvals

PURPOSE

This SOP outlines the process for requesting, approving, and managing access to sensitive data within HIC. This SOP aims to ensure that access to data is granted to authorised roles in compliance with data access regulations, policies and privacy.

SCOPE

This SOP covers all of the projects and tasks which HIC undertake. It is applicable to all HIC staff and approved users of HIC services.

RESPONSIBILITIES

HIC Client responsibilities:

  • Adhere to data access policies and guidelines when accessing sensitive data.

  • Obtain all necessary approvals.

  • Submit accurate and complete access requests, including all required information and justification for access.

HIC Staff responsibilities:

  • Ensure correct data access approvals are received.

  • Advise on required approvals.

PRINCIPLES

  1. For all HIC Projects, HIC will:

    • Document the data requirement representing the data that best fulfils the objectives of the project. This document is agreed with the Principal Investigator.

    • Record a project description or protocol which must be versioned or dated.

    • Record copies of all applicable approvals.

  2. HIC Clients will read, sign and date the current TRE User Agreement (unless this is not required as agreed within a Service Level Agreement between HIC and the relevant External Data Controller). Authorised signatories are required from HIC Clients, a representative for and on behalf of the client organisation, a student supervisor and a representative for and on behalf of HIC, as required.

  3. All HIC Clients are required to maintain the security and confidentiality of their Project Datasets in accordance with the TRE User Agreement and the Data Protection Principles. HIC Clients are encouraged to report inadvertent events that are in breach of the terms of the TRE User Agreement to enable improvements to be made.

  4. HIC Clients will not reuse the data for purposes outside the scope of each project, share it with colleagues who are not named project HIC Clients, attempt to link it to other datasets, or attempt to de-anonymise it.

  5. HIC Clients will only remotely access their data within the centrally-managed HIC TRE. Individual-level data is not permitted to be stored or transferred outside the TRE without explicit Data Controller (or delegate) permission. 

  6. No approval is required when requesting aggregate data for developing a Project Plan. 

  7. Only approved datasets will be released to the HIC Client. Partial Project Datasets can be released where approvals are already in place.

  8. The HIC Client is responsible for obtaining all necessary approvals. HIC will advise on what is required based on the flowchart below. The flowchart illustrates the approvals required by HIC for different types of research, audit or service evaluation projects requiring data, following a proportional risk-based approach, i.e. lower risk data use requires less approval scrutiny.

[Figure: data access approvals flowchart (image: ISMS Document Diagrams)]

APPROVALS

1. Research Projects

  • R&D Approval

    • Projects using NHS data require NHS R&D approval from the appropriate NHS R&D Office(s) responsible for the NHS Board(s)/Trust(s) of the patients' residency.

    • For NHS Tayside R&D approval, an IRAS (Integrated Research Application System) approval is required as a prerequisite. NHS Tayside's R&D Office, Tayside Science Centre (TASC) can assist in this.

  • Ethical Approval

    • HIC have an existing ethical approval covering retrospective de-identified research projects that operate in the TRE. If the project meets these criteria, this approval is applicable and the IRAS application can state that Ethics is approved.

    • A separate Research Ethics Committee (REC) review and approval is required if the project:

      • Deviates from the above criteria.

      • Will contact any patients or volunteers.

    • Approval is obtained via IRAS. Advice can also be obtained directly from the TASC Research Governance Office or the East of Scotland Research Ethics Service (EoSRES) Office.

2. Non-Research Projects

  • For Audit and Service Evaluation (non-research) projects, no REC review or NHS R&D approval(s) are required.

3. Data Controller Approvals (including Caldicott)

  • A data controller approval is required for:

    • Access to identifiable data.

    • Any new data not hosted within HIC.

    • Releasing data to other secure environments.

    • Any data processed or provisioned outside of existing HIC agreements.

  • For NHS Data, the data controller is represented via Caldicott Guardians.

  • For Scottish NHS national data, the data controller may be represented by PBPP (Public Benefit and Privacy Panel).

  • Where a Data Controller carries out its own project approval process, the HIC Data Access Approval Process will not be additionally required. The Data Controller’s approval process will be described and agreed within a Data Sharing Agreement between HIC and the Data Controller.  

  • Where the study uses both consented data and existing HIC hosted data, HIC will not give access to any identifiable data without an explicit approval from the Data Controller.

APPLICABLE REFERENCES

  • TRE User Agreement 

  • Data Security

  • Information Security Policy

  • For Definitions see ISMS Glossary

DOCUMENT CONTROLS

| Process Manager | Point of Contact |
|---|---|
| Chris Hall | hicbusiness-support@dundee.ac.uk |

| Revision Number | Revision Date | Revision Made | Revision By | Revision Category | Approved By | Effective Date |
|---|---|---|---|---|---|---|
| 1.0 | 01/01/24 | Moved SOP to Confluence from SharePoint and updated into new template. | Bruce Miller and Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/01/24 |
| 1.1 | 04/04/24 | Updated Roles and Responsibilities. | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 5/04/24 |
| 1.2 | 10/04/24 | Formatted document control table and added in revision category. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 10/04/24 |
| 1.3 | 16/04/24 | Deleted Appendix C from applicable references. No longer an applicable reference used across ISMS. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 16/04/21 |
| 1.4 | 19/04/24 | Updated Approved by title. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 19/04/24 |
| 1.5 | 30/04/24 | Updated and embedded Miro workflow. Reformatted and removed duplication of steps. Updated language. Updated roles & responsibilities. | Symone Sheane | Superficial | Process Manager: Chris Hall | 30/04/24 |
| 1.6 | 30/04/24 | Updated Header to conform with BSI guidelines. | Bruce Miller | Superficial | Governance Co-Ordinator: Symone | 30/04/24 |
| 1.7 | 02/05/24 | Updated links to Definitions in ISMS Glossary. | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 02/05/24 |
| 1.8 | 06/06/24 | Added Data Access Approval Diagram to page using different format. No information content was changed. | Symone Sheane | Superficial | Governance Co-Ordinator: Symone Sheane | 06/06/24 |
| 1.9 | 09/10/24 | Incorporated & updated comments. Updated labels in-line with 2022 standard. | Bruce Miller | Superficial | Governance Co-Ordinator: Symone Sheane | 18/11/24 |
| 1.10 | 18/11/24 | Updated Approved Data User terminology to HIC Client. | Symone Sheane | Material | Leadership Team | 18/11/24 |
| 1.11 | 29/04/25 | Reformatted. Updated roles and responsibilities. Streamlined duplication. Updated applicable references. Changed Data User Agreement to TRE User Agreement. | Chris Hall; Symone Sheane | Superficial | Process Manager: Chris Hall | 29/04/25 |

Copyright Health Informatics Centre. All rights reserved. May not be reproduced without permission.
All hard copies should be checked against the current electronic version within current versioning system prior to use and destroyed promptly thereafter. All hard copies are considered Uncontrolled documents.