Approval body approves access

The following information about SHIP processes is included here for information only, as it does not require action on your part. It is essential to note, however, that you should not progress to the next station of this route map (release of the data) until you are satisfied that all the necessary SHIP processes below have been concluded; this will be signalled by the signing of a SHIP Data Sharing Agreement.

1.  If SHIP assigns a privacy risk category of ‘0’ or ‘1’ to a data access application then no further authorisation for use will be required.

A privacy risk category of 0 or 1 means that the conditions the researchers themselves and you, as data controller, have set for the way in which patient data may be used are sufficient to authorise data use for the purposes explicitly stated in the approved research protocol.

2.  If SHIP assigns a privacy risk category ‘2’ or ‘3’ the data access application will be sent to the Privacy Advisory Committee (PAC) for approval.

As outlined in the previous section, if your privacy risk category is ‘2’ it will need to be reviewed by PAC, but this will be a ‘fast track review’. However, if your privacy risk category is ‘3’ then a full review by PAC will be required.

3.  PAC will either (a) approve the data access application, (b) set conditions for data access or (c) refuse the application.

PAC might simply approve the data access application on terms specified by the researchers themselves alongside any further access conditions you have set as data controller.  However, it may be the case that they feel they need to impose additional access conditions. For example, they may specify that you must only use anonymous data, or that you must use a SHIP Safe Haven to access the data.

It is possible that in some circumstances PAC will refuse a data access application. This may be because they do not judge the research project to be in the public interest or because they judge the proposed data use raises too many security concerns.

For more information please see the guidance page on PAC.

4.  The SHIP Research Coordinator will facilitate the communication of the results of the privacy risk triage and any subsequent PAC approval process to the researcher and to you, the data custodian.

5.  However, before a project can proceed the researchers will also need to obtain ethical approval from a Research Ethics Committee as well as, in certain circumstances, NHS Research and Development approval.

Research Ethics Committee
Approval must be sought from a Research Ethics Committee for the use of even anonymous data in your research project. However, the use of anonymised data will be much easier to justify, both legally and ethically, than the use of identifiable data. For more information please see the guidance page on Research Ethics Committees.

NHS R&D approval
NHS R&D approval will be required where NHS resources, staff time or patients are involved.

6.  A Data Sharing Agreement must be in place before any data is released.

The Data Sharing Agreement is a legally binding agreement describing the terms and conditions of disclosure of specific data in the context of a relationship between organisations.

7.  Your release of data should await the completion of all the above approval stages.

The next station of this route map sets out the full list of requirements that must be fulfilled before a dataset can be released. The guidelines listed there will apply whether the data is being released directly to a researcher or for access via a SHIP Safe Haven.

Please click here for more information on the SHIP data access application process and please click here for more information on the SHIP process for releasing a dataset.
