Third-party data

EIDF is a place to work with data of all kinds, including data you bring yourself. We have policies in place about the kinds of data that are and are not permitted in EIDF.

We are required to ensure that projects involving certain kinds of data have the necessary permissions in place. While EIDF’s philosophy is “as open as possible, as restricted as necessary”, not all datasets can be freely used for data innovation without permission from data owners, data subjects or data controllers.

When you apply for access to EIDF services, if you intend to upload data to the service for your own purposes then, depending on the nature of the data, we may need you to support your application with the relevant data usage agreements. These might include data privacy impact assessments, data sharing agreements, data processing agreements, consent statements, licences or copyright waivers.

UK Government Security Classifications Policy (GSCP) administrative system to protect information assets

The GSCP is an administrative system used by UK and Scottish Governments and their partners to protect information assets appropriately against prevalent threats. The administrative system uses three classification tiers (OFFICIAL, SECRET and TOP SECRET) that each provide a set of protective security controls and baseline behaviours, which are proportionate to the potential impact of a compromise, accidental loss or incorrect disclosure AND the level of interest expected from threat actors. In this context EIDF will operate in the following manner:

SECRET or TOP SECRET

EIDF may not be used to process data classified by the UK or Scottish Government as SECRET or TOP SECRET.

Other non-personal data

You must decide whether EIDF is a suitable environment for your data based on its sensitivity.

Personal data

EIDF can be used to process personal data under certain conditions.

Consented personal data

If you have the consent of your data subjects we may ask that you provide us with a summary of those consents (obviously without breaking individuals' confidentiality!), or with a copy of your data protection impact assessment (DPIA).

We might also recommend you consider using a Safe Haven service rather than a standard EIDF service, but you should be guided by your information governance needs and the consents you have. We will be happy to talk through options with you. Feel free to contact us.

Unconsented personal data

If you do not have the consent of your data subjects, you must establish that you have a legal basis to process the data and must be able to provide evidence of this if required. Again, this may be part of your DPIA. If you don't have a lawful basis for processing, you may not use EIDF for this purpose.

If you do have a lawful basis for processing, we will require that the data be de-identified, with any and all personally identifiable information removed, before you may upload those data to EIDF. If you cannot remove the identifiable data we recommend that you use a Safe Haven service: please contact us in the first instance.

Special categories of unconsented personal data

If your unconsented data contain special categories of personal data (health data, for example) you must use a Safe Haven, and you may want to consider one of the Safe Haven services that we operate on behalf of independent Controllers. General EIDF services (i.e., those outside the EPCC Trusted Research Environment security perimeter) are not suitable for processing unconsented special-category personal data.

UK Information Commissioner’s Office online tool to help determine legal bases for data processing

“Special categories of personal data” include those defined in the UK Data Protection Act 2018

EIDF Safe Haven Services

Copyright data

If the data you propose to use contain copyrighted material or other intellectual property for which you do not own the copyright, you may use EIDF to process them under certain conditions.

If your use of these data is covered by an exemption under the UK Copyright, Designs and Patents Act 1988 (CDPA) we may ask you for a note of the exemption you are using.

If you have a licence from the copyright owner we may ask you to provide a copy of the licence under which you intend to process those data.

If you have neither a suitable licence nor an exemption under the CDPA then you may not use EIDF to process these data.

The Copyright, Designs and Patents Act 1988

Ethically-sensitive data

If your data contain ethically sensitive information (for example, the locations of endangered species or sites of sensitive cultural heritage), you may use EIDF to process them under certain conditions.

We will require that sensitive information be suitably de-identified, masked or removed before you may upload these data to EIDF. We may ask to see a copy of relevant data usage agreements.