Scottish Health Survey: data protection impact assessment (DPIA)
Reports on and assesses against any potential privacy impacts as a result of undertaking the Scottish Health Survey.
6. General Data Protection Regulation (GDPR) Principles
6.1 Principle 1 – fair and lawful, and meeting the conditions for processing
- Compliant: Yes
- Description of how you have complied: Processing is necessary for compliance with a legal obligation – Article 6(1)(c) UK GDPR. In the case of the sensitive data collected, Article 9(2)(j) applies – “processing is necessary for … statistical purposes in accordance with Article 89(1) …”. The survey advance letters and leaflet explain how the respondent’s data is handled and refer respondents to additional privacy information published on the survey website. Respondents are asked to agree for their personal details (name, address, email address and date of birth) to be used by the Scottish Government or passed on to research agencies for the purpose of follow-up research endorsed by the government.
6.2 Principle 2 – purpose limitation
- Compliant: Yes
- Description of how you have complied: GDPR Article 89(1) exemption for statistical purposes applies – see section 5.7.
6.3 Principle 3 – adequacy, relevance and data minimisation
- Compliant: Yes
- Description of how you have complied: The content of the survey is regularly reviewed to ensure that there is a continued need for the data collected.
6.4 Principle 4 – accurate, kept up to date, deletion
- Compliant: Yes
- Description of how you have complied: The information is obtained directly from respondents. The computer-assisted personal interviewing (CAPI) questionnaire includes some built-in logic checks and further quality assurance checks are performed by the contractor. The data does not require to be kept up-to-date as it is representative of the survey year in which the respondent was interviewed. A new sample of respondents is drawn each year.
6.5 Principle 5 – kept for no longer than necessary, anonymisation
- Compliant: Yes
- Description of how you have complied: The pseudonymised survey datasets are held indefinitely by the Scottish Government to enable analysis looking at changes over time. The contractor holds the survey datasets for as long as it holds the survey contract, after which the data will be permanently deleted. The personal identifiers of respondents are held in a separate file by the contractor (on behalf of the Scottish Government) for the purpose of follow-up research and data linkage. These files will be transferred to the Scottish Government when the contract ceases (or at any time at the Scottish Government’s request). When the contract ceases, following transfer to the Scottish Government, the contractor will permanently delete the personal identifiers.
6.6 GDPR Articles 12-22 – data subject rights
- Compliant: Yes
- Description of how you have complied: Respondents are advised in the survey leaflet that the survey is not compulsory and that they do not have to answer all the questions.
6.7 Principle 6 – security
- Compliant: Yes
- Description of how you have complied: Within Scottish Government, the survey data is held on a restricted-access area of the government’s secure server. Data is transferred from Scotcen to the Scottish Government via password-controlled secure file transfer.
Within Scotcen, survey data has its own specific data security plan. Datasets are securely stored on Natcen’s network, with a secure sub-folder for respondent confidential data to which staff access is restricted. All paper documents containing data about a respondent are identifiable only by a serial number; such documents are returned in the post separately from any document(s) containing the respondent’s name and address or other personal details.
All interviewer laptops are protected with full-disk encryption using PGP, to the FIPS 140-2 standard. Any information that could be used to identify individual respondents is stored separately and, once verified by the interviewer, is concealed should anyone else attempt to access the questionnaire file. CASI data is also ‘locked’ after it is entered and cannot be accessed by the interviewer.
As a National Statistics product, all data files and materials relating to reporting outputs for SHeS are kept within secure folders with access limited to those staff working directly on the study. All report authors receive specific guidance on their responsibilities in relation to National Statistics, including the need to lock away or shred all draft text and tables. Report files are transferred using PGP or via the secure FTP server.
Data sticks and unauthorised hardware are not permitted to be used in any Natcen computer (the USB ports have been disabled). Where personal data are transmitted outside Scotcen electronically, strict guidelines are followed: data is sent using PGP encryption, protected with the 256-bit AES encryption feature in WinZip, or via a secure FTP server.
The FTP website offers the facility to transfer data securely over a FIPS 140-2 compliant SSL connection, without the need for third-party organisations to install specialist software on their local PC. It has been verified by DigiCert, and the system we use is Enhanced File Transfer (EFT) from Globalscape. Respondent confidential data is never stored on an IronKey. All files, including data, are backed up daily on off-site servers.
The IT infrastructure at the University of Cambridge that supports research across the MRC Epidemiology Unit is hosted in data centres located in various University of Cambridge buildings to mitigate risk. Physical and remote access to the server infrastructure is very tightly controlled, and there are strict network and access controls in place around all aspects of the Unit’s IT network and storage volumes. All Unit-managed desktops and laptops are encrypted using Microsoft BitLocker with AES-128. Data backups are performed in a number of ways. The primary storage is automatically snapshotted regularly to disk, providing the first layer of redundancy and offering user-driven file/data recovery. Key volumes are additionally mirrored automatically to a replica storage appliance elsewhere within the University for local disaster recovery purposes. Virtual servers containing Natcen data outside of the “file/folder” storage volumes are replicated daily to dedicated infrastructure hosted in a geographically separate data centre under University of Cambridge Clinical School control. As a research institution, MRC Epidemiology Unit servers, including servers for Intake24, are centrally maintained for security and updates. Critical updates are implemented in an advertised window *at least* once every four weeks, sometimes more frequently as appropriate. Disruption is extremely minimal (seconds or minutes, if anything), and problems resulting from updates are very rarely observed.
Server and data backups are run routinely for business continuity purposes, including encryption and rotation of all disks or tapes created for business continuity purposes, which are stored in secure locations. Access to backups is strictly controlled. The University of Cambridge has a detailed and regularly reviewed Business Continuity Plan.
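Sections 6.5 and 6.7 describe the same separation-of-identifiers design: survey answers are keyed only by a serial number, while names, addresses and other personal details are held in a separate restricted file, and the two are re-joined only for follow-up research or data linkage. The following Python is an added illustration of that pattern, not the contractor's or the Scottish Government's code; the field names, the random serial scheme and the sample records are all constructed assumptions.

```python
"""Pseudonymisation by serial number, as described in sections 6.5 and 6.7.

Added illustration, not the survey's own code. The survey dataset keeps only the
serial number and the answers; direct identifiers go to a separate restricted file.
All records below are constructed sample data, not real respondents.
"""
import csv
import io
import secrets

# Direct identifiers named in section 6.1 (name, address, email, date of birth).
# Field names are assumptions for this example.
IDENTIFIER_FIELDS = ("name", "address", "email", "date_of_birth")


def new_serial() -> str:
    """A random serial: it carries no information about the respondent, so the
    survey dataset cannot be linked back without the restricted identifier file."""
    return secrets.token_hex(6)


def split_record(record: dict) -> tuple[dict, dict]:
    """Return (pseudonymised survey row, identifier row), joined only by serial."""
    missing = [f for f in IDENTIFIER_FIELDS if f not in record]
    if missing:
        raise ValueError(f"record lacks identifier fields: {missing}")
    serial = new_serial()
    identifiers = {"serial": serial, **{f: record[f] for f in IDENTIFIER_FIELDS}}
    survey = {"serial": serial,
              **{k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}}
    return survey, identifiers


def split_dataset(records: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split a whole batch; the two lists share serials and nothing else."""
    pairs = [split_record(r) for r in records]
    return [s for s, _ in pairs], [i for _, i in pairs]


def contains_identifiers(rows: list[dict]) -> bool:
    """Release check: a file destined for analysts must carry no identifier column."""
    return any(f in row for row in rows for f in IDENTIFIER_FIELDS)


def relink(survey_rows: list[dict], identifier_rows: list[dict]) -> list[dict]:
    """Re-attach identifiers for follow-up research; only possible with the
    restricted file, which is the point of the separation."""
    by_serial = {r["serial"]: r for r in identifier_rows}
    return [{**s, **by_serial[s["serial"]]} for s in survey_rows]


def to_csv(rows: list[dict]) -> str:
    """Serialise one of the two files (e.g. before an encrypted transfer)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample interview records (not real people).
SAMPLE_RECORDS = [
    {"name": "A. Example", "address": "1 Sample Street", "email": "a@example.invalid",
     "date_of_birth": "1970-01-01", "smoker": "no", "self_rated_health": "good"},
    {"name": "B. Example", "address": "2 Sample Street", "email": "b@example.invalid",
     "date_of_birth": "1985-06-15", "smoker": "yes", "self_rated_health": "fair"},
]

if __name__ == "__main__":
    survey, identifiers = split_dataset(SAMPLE_RECORDS)
    print("survey file (no direct identifiers):")
    print(to_csv(survey))
    print("restricted identifier file:")
    print(to_csv(identifiers))
```

The random serial is deliberately not derived from the identifiers (for example by hashing the name), because a derived serial could be recomputed by anyone holding the inputs. The `contains_identifiers` check is the kind of automated gate worth running before any dataset leaves the restricted area; it catches column-level leakage only, and the page's own section 6.8 is a reminder that combinations of ordinary answers can still carry a small re-identification risk that needs separate assessment.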
6.8 GDPR Article 24 – Personal data shall not be transferred to a country or territory outside the European Economic Area.
- Compliant: Yes, except for some limited data on the saliva sample analysis
- Description of how you have complied: The majority of the survey personal data is not shared with any organisation that operates or sub-contracts operations outside the EEA. The exception is that ACM Global Laboratories have stored some data relating to the saliva sample analysis on a US server since 2021. A risk assessment has been undertaken and indicates that the risk of anyone being identified from this limited information is extremely low. The sub-contract for the saliva analysis is being retendered for the 2026 survey analysis onwards.