DataLoch is a secure data service that supports health and social care priorities and is funded under a ten-year Data-Driven Innovation (DDI) programme. DataLoch has been developed in partnership between NHS Lothian and the University of Edinburgh. Find out more about the DDI programme on their website.
In the DataLoch team, we believe that putting data at the centre of responses to health and care system challenges is critical to improving services through research, innovation and planning.
Our approach will lead to better decision making, research, and support for colleagues on the front line. We will do this by:
bringing together health and social care data for the South-East Scotland region;
working with experts in health and social care to understand and improve this data; and
providing safe access to data for researchers
What sorts of data will DataLoch host?
DataLoch brings together routine data collected as part of people’s day-to-day interactions with health and social care services. These data include the types of services used, details of visits to hospitals or GPs, treatments and medicines, as well as outcomes and test results.
These data enable researchers to answer important questions about how to improve people’s wellbeing. There are many examples of how health data research has delivered insights to help solve challenging health problems, including diagnosing rare diseases, improving the performance and equity of care, identifying diseases early, and assessing the effectiveness of health systems. Read about some of the projects DataLoch has supported.
What is the legal basis for DataLoch's processing of these data?
NHS Lothian is the Data Controller of the data currently hosted by DataLoch. This means NHS Lothian exercises overall control over the purposes and means of the processing of personal data. Hence, DataLoch processes health care data in accordance with the NHS Lothian Privacy Notice.
Who will have access to the data that DataLoch hosts?
DataLoch applicants for data access include academic researchers and health and social care service managers. Alongside this, we are currently working with NHS Lothian to define the appropriate governance to work with third- and private-sector organisations from August 2022 and are testing a prototype framework with NHS collaborators.
Any person wishing to access extracts of the data must follow an approved application process and complete relevant training as described within the Charter for Safe Havens in Scotland definition of an approved researcher. This requires applicants to meet a number of key criteria to ensure their purpose and interest is both legitimate and appropriate.
In all cases, applications will be processed according to the standards set out by the NHS Health Research Authority, National Data Guardian, and regulatory bodies including the Information Commissioner’s Office (ICO).
How will access to data in DataLoch be controlled?
Any person wishing to access any of the datasets hosted by DataLoch will need to meet a number of key criteria to ensure their purpose and interest is both legitimate and appropriate.
Each project is scrutinised by NHS employees to ensure the request is proportionate and in the public interest. Researchers will access and analyse the minimal amount of data required to answer research questions within the Scottish National Safe Haven. This infrastructure is one of several Safe Havens across Scotland already dedicated to protecting the confidentiality of data and which meet the best practice national standards for access and information security.
As well as supporting researchers, DataLoch also support requests from the NHS team for access to data to help them understand and support service improvements. Again, these projects are approved through DataLoch’s governance process, and data are then shared securely within the NHS infrastructure.
Data are archived and deleted according to NHS Lothian record management policies. The retention periods vary according to the type of project.
Are the data accessed in DataLoch identifiable?
Data accessed by researchers are de-identified, meaning aspects that can directly identify an individual (like names, addresses, and date of birth) are removed. This process is also called pseudonymisation. Data extracts accessed by researchers are also minimised, which means we provide no more data than the minimum needed to fulfil the specific approved application.
Before giving access to researchers, the DataLoch team also assesses the likelihood and impact of someone’s identity being inferred, for example from a rare condition or unique combination of information. We take steps to avoid this kind of inferred identification, for example aggregating information into ranges (e.g. between ages 25-50) or withholding data.
While the process varies with every project, it is designed (along with other controls such as the use of the Safe Haven) to minimise the risk of researchers being able to identify individuals represented in the data without prejudicing the goals of the research.
How will the DataLoch team ensure its service is secure from cyber attack or unauthorised use?
Data are held within NHS Lothian servers behind the NHS Lothian firewall. Access to these data outside of the NHS is only permitted via a trusted research Safe Haven environment such as the Scottish National Safe Haven. This infrastructure is one of several Safe Havens across Scotland already dedicated to protecting NHS information and which are required to meet the best practice national standards for access and information security.
The DataLoch team has a Data Protection Impact Assessment in place to help identify and minimise any data protection risks. This will be continually monitored and modified as the DataLoch service continues to develop, in consultation with other parties that may contribute data to DataLoch.
Have patients consented to the usage of their personal health data?
The datasets represent unconsented, patient-identifiable information derived from NHS sources. Legislative and governance provisions exist for the re-use of these data under controlled circumstances for specific purposes. These purposes are detailed within the NHS Lothian Privacy Notice. DataLoch processes data according to this NHS Lothian Privacy Notice which contains a description of your data-protection rights within NHS Lothian, and also details how to contact NHS Lothian should you have any queries.
When will DataLoch be available for applications?
DataLoch is in the early stages of development. Since its establishment, in spring 2020, the DataLoch team’s focus has been on supporting the region’s response to COVID-19. We are now accepting applications outwith COVID-19 from academics and health and social care professionals within the South-East Scotland region with a further expansion of the service in summer 2022.
What is the DataLoch team doing specifically in relation to COVID-19?
In March 2020, colleagues from NHS Lothian and the University of Edinburgh asked the DataLoch team to help in the production of a dedicated COVID-19-linked dataset. This request was motivated to support immediate hospital-based service management and to provide a data asset for active and anticipated regional and national research into the outbreak.
The DataLoch team, working in collaboration with clinicians on NHS Lothian data, built a linked COVID-19 dataset for use by approved researchers on 30 April 2020.
Will data be shared with third-sector or private-sector organisations?
Currently, DataLoch is accepting applications from academics and health and social care professionals within the South-East Scotland region. The team is also working with NHS Lothian and innovation partners to design the required governance framework for working with private- and third-sector organisations. From summer 2022, we expect to extend our service to support approved researchers from these organisations.
The application process includes an assessment of whether the project will benefit patients and is in the public interest. For example, partnerships between the NHS and private- or third-sector organisations can result in new healthcare technologies and treatments and medical devices that support better outcomes for patients.
What is the Five Safes Framework and how does it apply to DataLoch?
Safe Projects – Data are only used for valuable, ethical research that delivers clear public benefit;
Safe People – Researchers are trained for safe handling of data;
Safe Settings – Access to data is via secure technology systems;
Safe Data – Researchers use data that have been de-identified and with extracts that have the minimum amount of data to fulfil the purpose of their project; and
Safe Outputs – All research outputs are checked to ensure they cannot indirectly identify people.
The DataLoch team has incorporated the Five Safes in our overall strategy on keeping data secure. Assessing each aspect of the framework individually and as a whole is part of how we ensure data are hosted and accessed safely.
What is the City Regional Deal?
DataLoch is a secure data service that supports health and social care priorities and is funded under a ten-year Data-Driven Innovation (DDI) programme as part of the Edinburgh and South East Scotland (ESES) City Region Deal. Finalised in August 2018, the ESES City Region Deal is a UK and Scottish Government-led investment designed to accelerate productivity and inclusive growth in the region through the funding of infrastructure, skills and innovation.
The regional partners of the City Region Deal include three NHS Boards (Lothian, Borders and Fife), six local authorities (City of Edinburgh, Midlothian, East Lothian, West Lothian, Fife and the Scottish Borders), plus regional universities and colleges. Find out more about the Edinburgh and South East Scotland City Region Deal.