Since its’ inception in 2015, the NHS Scotland Public Benefit and Privacy Panel (PBPP) has approved over 200 applications for access to data. The PBPP are accountable to the public and must demonstrate their assessment of applications for data use in terms of envisaged public benefit and potential privacy risks.
Objectives and Approach
In 2017 the first annual audit took place. The purpose of the audit exercise was twofold; establish that the governance process is robust and that proportionate governance criteria are the correct measurement tool. The full PBPP committee reviewed a random selection of 10 applications approved at Tier 1 between January 2016 and December 2016.
Committee members were split into groups and sent paperwork relating to the application. A review record was completed covering the questions within the proportionate governance criteria. Review records were sent to the PBPP Panel Manager for collation and an audit record compiled for each application.
Applications were identified where a discrepancy existed between the Tier 1 decision and the PBPP Committee audit review. These audit records were tabled for discussion at a workshop involving a subgroup of PBPP Committee and Tier 1 panel members. From the ten applications that were randomly selected, six were consistently reviewed by both the Tier 1 and Tier 2 Committee with no referral points identified from the either Tier. 4 were identified for discussion in a workshop including representatives from both Tiers. During the discussion it was agreed that 2 out of the 4 should have triggered a further review by Tier 2 but that the decision to approve all 4 applications would have remained.
This suggests that both Tiers have a sound understanding of the proportionate governance criteria and that for the majority of applications this is being interpreted uniformly and that the audit process is required to ensure this is maintained going forward.