Scottish National Safe Haven
Description
The Scottish National Safe Haven is the responsibility of the electronic Data Research and Innovation Service (eDRIS), which is part of Public Health Scotland. Formally, in governance terms, the Scottish NSH is operated by EPCC (part of the University of Edinburgh) under contract to eDRIS. In practice it is very much a collaboration between eDRIS, EPCC and National Records of Scotland (who provide the de-identification services).
Active users: 350 open researcher accounts | Active projects: 200
Pricing: Studies are priced as small, medium or large, and there is an annual fee for compute/disclosure. Pricing details.
SAFE People - Login & Access
All users must become Approved Researchers. They must demonstrate appropriate Information Governance training, belong to an Approved Organisation, and read and sign the eDRIS User Agreement.
✓ Login: users log in to a virtual desktop environment via SSO and 2FA.
✗ Minimum requirement: users must access the Scottish NSH from their desktop over a VPN connection originating from a whitelisted IP address.
✗ International access: possible if approval is given, but the same controls apply as for other users. In practice the simplest route is to collaborate with an existing Approved Organisation rather than apply from an organisation outside the UK.
SAFE Settings - Compute & Services
✓ Private Cloud environment accessed over virtual desktop infrastructure (VDI): a “desktop in a browser”.
✓ A wide variety of VMs can be provided, sized according to the needs of each project. In general a single VM with a small number of cores is provided per project.
✓ Some servers with two CPUs and four GPUs are also available; again, these are provided to users as VMs.
✗ No managed data analytics provided.
✗ No federated queries.
✗ No federated analytics.
SAFE Settings - Security Certifications and Measures
✓ Security certifications: governed by eDRIS and approved by NHS Scotland IT Security. ISO 27001, ISO 9001, Cyber Essentials and DEA Accredited Processor.
✓ Security measures: regular IT Health Checks, IP address whitelisting, VDI, 2FA and a next-generation firewall. Projects are backed up and archived. System and user activity is logged.
✓ Secured operating system: users have no ability to modify OS.
✓ No VM direct access: access is via VDI only.
✓ VM access controls: no USB, no copy/paste, no Internet access, internal mirrors for software packages.
SAFE Settings - Software access
✓ Default software: R, Stata, SAS, SPSS, MS Office.
✓ Code/library import: users may import code written for the standard packages above. Imports go through the standard managed file transfer mechanism under eDRIS control, and basic security checks are performed on them.
✓ Collaboration software: in development; not yet available.
✗ No software installation by users is permitted.
SAFE Data - Data Access Mechanisms
✓ Data provisioning: scoped and minimized linked data provided on a per project basis. See the eDRIS Data Linkage Process pages.
✓ Re-identification risk is reduced by separation of concerns: EPCC, eDRIS and National Records of Scotland each hold a separate part of the process, providing a triple lock on re-identification.
✓ Receive data: all data transfer is via the managed file transfer (MFT) service Serv-U under eDRIS control. All requested datasets are listed in the initial project application and are approved for use in combination. No datasets may be added without additional approval.
✓ Linked data: yes, approved datasets only; linkage during project setup via eDRIS.
✓ Sensitive data: yes, approved datasets only; users may not import data.
✓ Open data: yes, approved datasets only; users may not import data.
✓ Record linkage: linkage performed using study-specific ID numbers derived from encrypted CHI.
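The study-specific ID scheme above is what lets two approved datasets be joined inside the safe haven without the analyst ever seeing a CHI, while the same person receives unrelated IDs in different studies. The following is an added illustration of that property, not the page's or National Records of Scotland's actual implementation (the page does not describe how the IDs are derived from the encrypted CHI). The sample records are constructed, the CHI-like strings are not real numbers, and the keyed-hash (HMAC) derivation, the per-study key and the function names are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample extracts (not real CHI numbers) as they might arrive at
# the indexing step, still keyed on CHI.
HOSPITAL_ADMISSIONS = [
    {"chi": "0101000000", "admission": "2021-03-04"},
    {"chi": "0202000001", "admission": "2021-05-19"},
]
PRESCRIPTIONS = [
    {"chi": "0101000000", "drug": "metformin"},
    {"chi": "0303000002", "drug": "atorvastatin"},
]


def derive_study_id(study_key: bytes, chi: str) -> str:
    """Assumed scheme: keyed hash of the CHI under a secret per-study key.

    Same CHI + same key -> same ID, so records link within a study.
    Different key -> unrelated ID, so two studies cannot be joined to each
    other, and nobody without the key can get back to the CHI.
    """
    digest = hmac.new(study_key, chi.encode("ascii"), hashlib.sha256).hexdigest()
    return digest[:16]


def pseudonymise(study_key: bytes, records: list[dict]) -> list[dict]:
    """Replace the CHI in each record with the study-specific ID.

    This stands in for the indexer role: the CHI does not leave this function.
    """
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k != "chi"}
        pseudo["study_id"] = derive_study_id(study_key, rec["chi"])
        out.append(pseudo)
    return out


def link_by_study_id(*datasets: list[dict]) -> dict[str, dict]:
    """Join already-pseudonymised datasets on study_id.

    This is what an analyst inside the safe haven can do: the join key is
    the study ID, never the CHI.
    """
    linked: dict[str, dict] = {}
    for ds in datasets:
        for rec in ds:
            fields = {k: v for k, v in rec.items() if k != "study_id"}
            linked.setdefault(rec["study_id"], {}).update(fields)
    return linked


def cross_study_linkable(key_a: bytes, key_b: bytes, chi: str) -> bool:
    """True only if the same person gets the same ID in both studies
    (which the per-study key is there to prevent)."""
    return derive_study_id(key_a, chi) == derive_study_id(key_b, chi)


if __name__ == "__main__":
    # One fresh key per study; in practice the key holder is the indexer,
    # not the analyst or the safe haven operator (assumption, see lead-in).
    key_study_a = secrets.token_bytes(32)
    key_study_b = secrets.token_bytes(32)

    admissions = pseudonymise(key_study_a, HOSPITAL_ADMISSIONS)
    prescriptions = pseudonymise(key_study_a, PRESCRIPTIONS)
    linked = link_by_study_id(admissions, prescriptions)
    for sid, row in linked.items():
        print(sid, row)

    print("linkable across studies:",
          cross_study_linkable(key_study_a, key_study_b, "0101000000"))
```

Running the block prints three study IDs, one of which carries both an admission and a drug (the person present in both extracts), and `linkable across studies: False`. The separation the page describes relies on the per-study key never being available inside the analysis environment; with the key, the IDs are exactly as identifying as the CHI.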
SAFE Outputs - Data Output/export
✓ Aggregate-level graphs and tables. In general, exported data are aggregate results for inclusion in papers and similar outputs. However, since all data egress is subject to disclosure control by eDRIS, a request can be made to eDRIS to export any data type, provided the export would be allowed by the data controller. In practice this means that what can be exported is limited and tightly controlled.
✓ Export plans: none specified.
✓ Data transmit to other SAFE Settings: mechanisms are in place to transfer data via MFT to external locations, provided such a transfer is within the terms of the IG approvals for the specific project and dataset.
✓ Statistical disclosure control process in place.