You are here : Home > How We Work > Privacy Advisory Committee > Your PAC Questions Answered
 
 

Your PAC Questions Answered

Why does NSS have the Privacy Advisory Committee?

NSS recognises its responsibilities to the Scottish health service, government and the people of Scotland to ensure that the important health data it holds on a national basis for epidemiological, statistical and other important purposes is used and released appropriately. NSS is equally mindful of its need to meet a number of legal obligations in relation to its handling of this information; these include compliance with the Data Protection Act and the common law duty of confidentiality.

NSS therefore set up the Privacy Advisory Committee (PAC) over 20 years ago to advise on the correct balance between protecting personal data and making data available for research, audit and other important uses, and to ensure that any information releases are carefully controlled.


How does PAC relate to the National Information Governance Board in England and Wales?

PAC is not an equivalent body to the National Information Governance Board (NIGB), including its Ethics and Confidentiality Committee (ECC), in England and Wales. The NIGB does not have any authority over Scottish held data. Applicants who have received an ECC opinion for their study and wish to make use of data within the custodianship of NSS, must still apply to PAC, as described below.


When is it necessary to apply to PAC?

You should apply to PAC if:

  • you would like to link data with data within the custodianship of NSS. The linkage may involve unlinked data held entirely within NSS; data within your custodianship that you wish to be linked with data held at NSS; or data from a number of data sources, including at NSS;
  • you would like NSS to release data from the national data repositories within its custodianship for research, audit, service evaluation or other additional purposes in either identifiable or potentially identifiable form.

Applicants from Scottish NHS Boards seeking any of the above in relation to their own NHS Board's resident or treated population should make contact with NSS through routine channels. In some cases a Confidentiality Statement signed by the Director of Public Health or the Medical Director may be required for release of potentially identifiable data. Sometimes, NSS may also ask that these applicants complete an application to PAC where it believes the view of PAC is needed.

PAC approval only relates to the data within the custodianship of NSS, and where other datasets are involved, PAC will seek evidence from the applicant that appropriate authorisation has been obtained from the custodians of the other datasets involved.


What does 'potentially identifiable' mean?

Sometimes an application to PAC may be seeking the release by NSS of data which, although stripped of personal identifiers such as names and reference numbers, might contain an item or a combination of items (e.g. rare diagnosis, sex, ethnicity for a sparsely populated geography) which is likely to identify an individual. NSS regards this sort of data as posing a high risk to individuals' privacy and where such 'potentially disclosive' data are involved will require applicants to justify the need for such data for the purposes of their study, remove any unnecessary potentially disclosive data items from their application, and demonstrate security safeguards commensurate with actually identifiable personal data.

The Information Services Division (ISD) of NSS has developed a disclosure protocol (PDF 548KB) to guide decision-making in this area.


What about ethics approval?

PAC is not an ethics committee and does not give advice on ethical matters. The UK framework for these matters is set by the National Research Ethics Service (NRES)(opens in new window). Although many studies that PAC considers have received either ethics approval or advice from a local ethics service, many have not. Approval by PAC should not be regarded as an ethical approval.


What does PAC not deal with?

PAC does not:

  • give ethical opinions;
  • consider or approve releases of identifiable or potentially identifiable data on behalf of other NHS Boards or other bodies;
  • consider or approve uses or releases of data from the Community Health Index (CHI). This is a matter on which the Community Health Index Advisory Group (CHIAG)(opens in new window)advises.

How do I apply to PAC?

You should complete the PAC Application Form (Word 248KB)(opens in new window)and submit it to the PAC mailbox at nss.pac@nhs.net.


I'm not sure how to complete the application form — what do I do?

E-mail the PAC mailbox nss.pac@nhs.net if you need advice on completing the form. We will aim to respond within 5 working days.


I need advice on the NSS datasets involved in my application — what do I do?

Consult the PAC Guidance Notes (Word 133KB).

If you still require advice e-mail members of the ISD Record Linkage team at ISDMedicalRecordLinkage@nhs.net. The team will be happy to advise you on the linkage process and/or the content of NHSS held datasets. If they are unable to answer specific questions regarding content of data they will put you in contact with the relevant team within NSS.


I'm not sure about some of the details required in the information governance section of the application — what do I do?

Complete the form as best you can.

Where information is being sought about hardware, be specific e.g. a standalone PC is not connected to any network either through cables or wirelessly, and a networked PC is connected to a network through cables or wirelessly.

Where identifiable or potentially disclosive data are being stored on any PC internal hard drive the hard drive is required to be encrypted to minimum AES128 encryption standards.

Where data are being held on a network server, your local security policies and/or procedures need to be attached to your application.

Where further assistance is required in completing the form please send your queries to nss.pac@nhs.net.


How long does a PAC application take?

The length of time to process a PAC application varies, and depends greatly on how well you initially complete the application form.

Once your application is submitted to the PAC mailbox nss.pac@nhs.net it is reviewed by the NSS Data Protection Advisor, NSS Information Security Officer and ISD Caldicott Guardian to ensure that the application contains all the information PAC members require in order to make a decision. E-mail correspondence with NSS usually takes place at this stage. This process can take some time, in particular if you omit key information e.g. the variables you seek for the output, information on the security measures you will deploy to safeguard the data.

Once NSS is satisifed that your application contains all the information PAC members require in order to make a decision, your application is forwarded to the members. PAC members are given a deadline of 4 weeks within which to respond. These responses are collated and considered by NSS and some correspondence may occur with you at this time, in particular if PAC members have sought clarification or raised concerns. At this stage, NSS aims to provide a final decision to you within 2 working weeks.


How does PAC reach its decisions?

PAC has developed guiding principles (PDF 36KB) to steer its decision-making.


What do I do if I am unhappy with the outcome of my PAC application?

There is no official appeal mechanism for applicants who are unhappy with PAC's decision. However NSS will maintain dialogue with applicants whose application has been rejected by PAC, and advise on alternative approaches that are less likely to negatively impact individuals' privacy and therefore more likely to receive PAC approval.

In line with other NHS organisations, NSS also has a formal complaints procedure.

Back to top
 
Privacy Advisory Committee About PAC Applying to PAC Caldicott Guardians For the Public PAC Contacts and Links PAC Meetings and Decision Making Your PAC Questions Answered
 
 
explore NHS National Services Scotland