Provide data to SHIP

Before releasing a research dataset

The full list of requirements that must be fulfilled before a dataset can be released are as set out in the list below. These guidelines apply whether the data is being released directly to a researcher or for access via a SHIP Safe Haven.

The SHIP Research Co-ordinator will be responsible for making sure that all these requirements are met.  However, you too as data controller should also satisfy yourself that they have been met. 


  1. You, in your role as data controller, have approved the data release.

  2. The project has Research Ethics Committee approval, if required.

  3. The project has NHS R&D approval, from the NHS Board(s) of residence of the patient(s), if required.

  4. The project has Privacy Advisory Committee (PAC) approval, if required.  This approval will specify the appropriate mode of access depending on how sensitive or disclosive the dataset is.

Documentation and accreditation

  1. The research protocol is logged onto SHIP’s project management system.

  2. The researcher has SHIP Approved Researcher Status.

  3. A Data Sharing Agreement has been signed and logged onto SHIP’s project management system.

Your specific responsibilities as a data controller

  1. You transfer to the researchers only as much data as is required for the cohort, aims and methods specified in the SHIP approved research protocol.

  2. If the project does not require patient identifiable data, a research dataset must only be released once the project level anonymisation has been carried out on the dataset. This anonymisation ensures that each research dataset has a project unique series of identifying codes.  If being released to a SHIP Safe Haven, SHIP’s indexing service may be able to assist with this.

  3. A research dataset must only be released to people identified on the project management system as being linked to the Research Project.  This may be to a SHIP safe haven or directly to a researcher depending on the terms of the Data Sharing Agreement.

return to top of page

Releasing data to a SHIP Safe Haven

SHIP will be able to provide advice on the technical aspects of transferring the dataset to the SHIP Safe Haven.

Under the SHIP framework, the SHIP Safe Haven takes on the legal responsibilities of data controller jointly with the data custodian once you release the data to the Safe Haven and for the duration of the research project.

While the data is in the Safe Haven, you as joint data controller, can be assured that the researcher using the Safe Haven must perform the analysis without:

  • attempting to remove data;

  • attempting to identify individuals, households, or firms;

  • using data for which they are not licensed;

  • using data for anything other than the proposed project;

  • linking/matching data without permission;

  • handing out usernames and passwords to others;

  • writing anything down from the screen;

  • attempting to photograph screen;

  • and that the session will be recorded.

Data released directly to researchers

Certain categories of data are deemed to be less sensitive than others and may be inherently less disclosive if it is aggregated etc.  If approved by the SHIP proportional risk assessment process (including authorisation by the Privacy Advisory Committee if this is deemed necessary), such data may be transferred directly to the researcher for analysis.  The conditions for release will be the same as those for release for analysis via a Safe Haven.

As data controller you should ensure that means by which any patient identifiable data is transferred to the researcher, and the quantity and detail of patient identifiable data transferred is compliant with the Data Protection Principles.

Under the SHIP framework, when patient identifiable data is transferred directly to researchers, they take on the legal responsibilities of data controller jointly with you the data custodian.  You can be assured therefore, that they will be expected to maintain the security and confidentiality of their research datasets in line with the Data Protection Principles. Specifically:

  • Researchers will not reuse the data for purposes outside the scope of each project, share it with colleagues who are not project staff or collaborators, attempt to link it to other datasets, or to de-anonymise it.

  • Further transfer of data between named project collaborators or staff should only be of encrypted data, usually directly from an access controlled FTP server to the FTP client but data may also be sent via email using encrypted data files. SHIP can offer advice and provide encryption tools, to help meet this requirement.

  • Researchers should notify SHIP when the project is complete and arrange for the return of the data and the analysis syntax used for archiving or deleting all local copies. SHIP will require written confirmation that all locally-held data has been deleted. This confirmation will be added to the project management system.

  • Researchers should ensure that SHIP and data custodian who was responsible for initially providing the data are acknowledged as data sources in all resulting reports and publications, e.g. “We acknowledge the support of the Scottish Health Informatics Programme for managing and supplying the anonymised data and [...]  the original data provider”

Data handling on completion of project

Whether you provide data directly to a researcher or via a SHIP Safe Haven, SHIP procedures will ensure that the necessary archiving, return or destruction of original datasets and that of data generated through the research is conducted securely, in compliance with the Data Protection Principles.

Return to top of page

Return to route map