Scottish Health Survey: data protection impact assessment (DPIA)

Reports on and assesses any potential privacy impacts arising from undertaking the Scottish Health Survey.


5. Questions to identify privacy issues

5.1 Involvement of multiple organisations

The Scottish Government commission the survey.

Scotcen run the survey on behalf of the Scottish Government and process the data. Scotcen is ISO27001 compliant and does not transfer data outwith the UK.

The Office for National Statistics (ONS) were sub-contracted by Scotcen for the 2018 to 2023 surveys to undertake around a third of the survey interviews when the survey could take place within households; the rest were conducted by Scotcen.

The University of Cambridge run the online dietary intake tool Intake24, which respondents were asked to complete after the SHeS interview in the 2021 and 2024 surveys. The university process the Intake24 data and then transfer it to Scotcen for inclusion in the SHeS data sets.

Public Health Scotland link the SHeS data to health record data. Scotcen transfer the contact details of participants to PHS via secure file transfer. The FTP website used offers the facility to transfer data securely over a FIPS 140-2 compliant SSL connection, without the need for third party organisations to install specialist software on their local PC. It has been verified by DigiCert and the system used is Enhanced File Transfer (EFT) Globalscape.

5.2 Anonymity and pseudonymity

A random serial number is assigned to each respondent to the Scottish Health Survey by the contractor. The survey datasets include the survey answers alongside this serial number. The contractor retains (on behalf of SG) the personal identifiers of respondents (name, address and date of birth) in a separate file which is also referenced by this serial number.

A similar approach is taken for the linkage of the health survey data to health records. The personal identifiers of respondents, together with a different randomly assigned serial number created by the contractor, are sent securely to PHS. No survey answers are included alongside the personal identifiers. PHS then use the personal identifiers to match to Community Health Index numbers in order to retrieve the relevant health records of respondents. A separate DPIA has been undertaken specifically in relation to this data linkage.

Any other linkage agreed by the relevant Public Benefit and Privacy panel/s would involve indexing by National Records of Scotland and linking to the population spine.

The samples sent to the labs by interviewers are labelled by the interviewer with the respondent’s serial number and date of birth and sent with a dispatch containing the serial number, sex, date of birth and smoking status. These details are entered onto the labs’ secure computer system and the samples are assigned a unique barcode. The use of this minimal personal information is necessary to ensure that the samples are correctly assigned to respondents. No lab results are recorded alongside personal identifiers; the serial number is used to link respondents’ lab results with their other survey results.

5.3 Technology

Within Scottish Government, personal data is held electronically on restricted areas of the Scottish Government secure server as described in Section 3.3. Section 3.3 also describes the Scotcen procedures. Each new or additional information technology is assessed for privacy intrusion before it is used in the project.

The Scottish Government survey team only uses technology cleared by Scottish Government IT experts.

5.4 Identification methods

Each respondent to SHeS is identified within the survey datasets by a unique serial number. An additional identifier is used to identify each household.

5.5 Sensitive/Special Category personal data

  • Sexual orientation
  • Trans status
  • Ethnicity
  • Religion
  • Physical and mental health
  • Suicide attempts and self-harm
  • Physical measurements – height, weight, waist circumference, blood pressure, saliva sample, urine sample (a urine sample has not been included since the 2017 survey).

5.6 Changes to data handling procedures

Names, addresses and telephone numbers of those respondents who agree to be contacted for the purpose of follow-up research will only be used for this purpose for a maximum of five years following the survey year. So respondents interviewed in 2018, for example, could be contacted up until the end of 2023. In practice, only respondents from the most recent year or two of published data will be used unless the research is restricted to a relatively small group of the population requiring more years to provide a big enough sample.

A new process is in place from 2024 for linking the survey data with health record data. The SG Public Benefit and Privacy Panel and the Health & Social Care Public Benefit & Privacy Panels agreed this process.

The handling of any other data linkage agreed by the relevant Public Benefit and Privacy panel/s would be agreed with the panel/s.

5.7 Statutory exemptions/protection

GDPR Article 89(1) exemption for statistical purposes applies subject to appropriate safeguards such as pseudonymisation.

5.8 Justification

The information collected in the survey provides reliable information to the government and others on the health, and factors related to health, of people living in Scotland. This information is used to inform policy, monitor changes over time and assess health inequalities.

5.9 Other risks

N/A

Contact

Email: scottishhealthsurvey@gov.scot
