Health Informatics Centre Privacy Notice

The Health Informatics Centre (HIC), East of Scotland Regional Safe Haven provides a secure, ISO 27001 certified environment for the management and analysis of health and related data in support of clinical and scientific research in the public interest. We are committed to protecting the privacy, confidentiality, and security of the data we are authorised to process.

Data We Hold

HIC works with a range of data types, including:

• Identifiable data (e.g. name, CHI/NHS number, date of birth, postcode)
• Pseudonymised data
• Linked health and administrative datasets

These data support ethically approved and governance-reviewed research projects that aim to improve patient care, health outcomes, and public health services.

How We Use Your Data

We process data to enable clinical, health, and social care research projects that benefits individuals and populations. Projects must demonstrate public value, have appropriate approvals, and comply with legal and ethical obligations.
Examples include:

• Evaluating treatments and interventions
• Understanding disease patterns
• Planning and improving healthcare services
• Linking datasets to enable longitudinal analysis

Security and Data Processing Location

All data processed by HIC are stored and managed securely within the UK. HIC operates segregated, access-controlled environments both on-premise and in secure cloud configurations that comply with the highest standards of information security and governance.

HIC applies security by design and by default, with strict user access controls, network segmentation, encryption, and audit logging. Access to identifiable or sensitive data is granted only to authorised personnel for approved purposes.
Depending on the type of data and the requirements of each project, additional restrictions may apply. For example:

• Remote access may be restricted or not permitted, even from within the UK
• Some datasets may only be accessed from designated secure physical locations or specific trusted devices
• Restrictions are applied based on data provider agreements, project-specific governance, ethical conditions, and legal obligations

We do not transfer data outside the UK, unless explicitly authorised by the data controller under appropriate safeguards.

Legal Basis for Processing

HIC processes data for research in the public interest. The legal bases for this processing under UK data protection law are:

• Article 6(1)(e) UK GDPR - Processing is necessary for the performance of a task carried out in the public interest
• Article 9(2)(j) UK GDPR - Processing of special category data is necessary for scientific or historical research purposes, subject to appropriate safeguards
• Schedule 1, Part 1, Paragraph 4 of the Data Protection Act 2018 – Processing is necessary for research purposes

HIC operates within an academic institution and also holds honorary affiliations with NHS. Therefore, our public task is grounded in:

• The Further and Higher Education (Scotland) Act 1992, which establishes the University’s role in advancing and disseminating knowledge through research
• The National Health Service (Scotland) Act 1978, which provides the statutory basis for NHS bodies to promote health and care and undertake or support research for the improvement of services and treatment

All research is conducted with appropriate safeguards in place including data minimisation, pseudonymisation, and independent governance and ethics review. These safeguards ensure that data are used responsibly, lawfully, and in a way
that protects individual privacy.

Your Rights

Under data protection law, individuals may have rights including:

• The right to access personal data
• The right to rectify inaccurate data
• The right to restrict or object to processing
• The right to erasure

However, these rights may be limited when data are processed for research purposes. Specifically:

• Where applying these rights would seriously impair or prevent the achievement of research objectives, exemptions under the Data Protection Act 2018 (Schedule 2, Part 6) may apply
• In Scotland, the use of population-level data for research is subject to additional legal provisions and rights such as access, rectification, and erasure may not apply

Despite these exemptions, HIC is committed to using data responsibly, proportionately, and in a way that protects individual privacy.

If you believe your rights have been affected, please contact us at [email protected]