Table 1. GOSLING data risk tool and scoring weights.
| Question number |
Question | Answer | Multiplier | |
|---|---|---|---|---|
| 1a | Title of Project | x | ||
| 1b | Lead applicant | x | ||
| 1c | Named co-applicants | x | ||
| 1d | Please list any reference numbers, with dates, for existing project approvals, e.g. Research & Development, Integrated Research Application System (IRAS) or Research Ethics Committee. If none, please write N/A. | x | ||
| 1e | Plain English summary (max 300 words) | x | ||
| 1f | Scientific abstract (max 300 words) | x | ||
| 1g | Conflicts of interest statement (including financial disclosures). Please include conflicts relevant to all co-applicants | x | ||
| 1h | Which of the following best describes your study | Please select | x | |
| 1i | Please list the specific data that is being requested with a brief explanation of why this is required for the project | x | ||
| 1k | Name of person completing form | x | ||
| 2a | Do you require de-identified routinely collected patient data for your project? | Please select | x | |
| 2b | The project has ethical approval and patients consent to researchers accessing their routinely collected data for the purposes of this particular project | Please select | x | |
| 2c | The project has a favourable opinion from an NHS REC AND a section 251 consent waiver approval from the Confidentiality Advisory Group | Please select | x | |
| 2d | The project involves members of the hospital clinical care team who will access identifiable information in order to de-identify the data for analysis | Please select | x | |
| 2e | The project involves researchers who have (or will have) a research passport and EPIC access, but who are not members of the hospital team accessing identifiable information at any stage | Please select | x | |
| 3 | Does your project involve any of the following types of data? Please select all that apply | Biometric data (e.g. fingerprints, retinal scans) | Please select | 1.25 |
| Genomic data | Please select | 1.25 | ||
| Linkage with data from outside *Host Organisation* | Please select | 1.25 | ||
| DICOM or other imaging data which includes metadata e.g. CT/MRI scans, echocardiograms or cardiac MRIs with contextual clinical information or metadata | Please select | 1.25 | ||
| Rare or unusual diagnosis either in general population or *Host Organisation* patients (criteria: UK general population prevalence <1 in 100,000 or <10 new diagnoses at *Host Organisation* per year) |
Please select | 1.1 | ||
| Rare or unusual medications or procedures at *Host Organisation* (<10 at *Host Organisation* per year) | Please select | 1.1 | ||
| Outliers in the data set–age, weight, height, length of stay etc | Please select | 1.2 | ||
| Digitised slides or other similar pathology data | 1 | |||
| Specific timestamps (exact dates and times) relating to individuals, including date of death | Please select | 1.3 | ||
| Photographs of the face or other identifying feature | Please select | 1.4 | ||
| Free-text fields | Please select | 1.2 | ||
| 4 | Does your project involve any of the following types of data? Please select all that apply | Data relating to any of: race, ethnic origin, politics, religion, trade union membership, sex life, sexual orientation, domestic violence history, forensic history | Please select | 1.25 |
| Particularly sensitive medical data such as HIV status or IVF treatment | Please select | 1.25 | ||
| Data relating to children (under 18 years) | Please select | 1.2 | ||
| Data relating to vulnerable adults, for example patients living in care homes or other institutions, or with learning difficulties or mental illness | Please select | 1.2 | ||
| 4a | Where any of the options in question 4 have been selected, please justify inclusion of this data. | |||
| 5 | How and where will data be used? Please select all that apply | Internal study within *Host Organisation* only | Please select | 0.9 |
| Study involving transfer to *University Affiliated with Host Organisation* | Please select | 1 | ||
| Study with an academic partner organisation in the UK | Please select | 1.05 | ||
| Study with public or third sector organisation in the UK, including other NHS trusts | Please select | 1.05 | ||
| Study with tech start up | Please select | 1.4 | ||
| Study with established pharmaceutical company | Please select | 1.1 | ||
| Study with established technology company | Please select | 1.1 | ||
| Study with an organisation based outside the UK (including academic, public, commercial and third sector) | Please select | 1.2 | ||
| Study entirely within a trusted research environment | Please select | 0.9 | ||
| Other commercial organisation (will be reviewed separately) | 1 | |||
| 5a | (If Applicable) For external organisations, where will the partner be processing the data: | In the UK | Please select | 1 |
| Outside the UK but in the EEA | Please select | 1.05 | ||
| Outside the EEA but in a country recognised with a GDPR adequacy decision | Please select | 1.05 | ||
| Outside the EEA but in a country recognised with a GDPR partial adequacy decision (e.g. USA, Australia, Japan, Canada) | Please select | 1.1 | ||
| Outside the EEA and in a country without GDPR adequacy decision | Please select | 10 | ||
| 5b | Please name any organisations identified in Q5 | |||
| 6 | Who will have access to the de-identified data? | Data will only be accessed by members of the clinical care team at *Host Organisation*, other *Host Organisation* staff with a substantive contract or with a non-research contract | Please select | 0.9 |
| Data will only be accessed by academic researchers (usually *University Affiliated with Host Organisation* or PPIE) with an honorary research contract or letter of access for *Host Organisation* | Please select | 0.95 | ||
| In addition to or instead of the above options, data will be accessed by staff from another NHS partner organisation, with or without a research passport/honorary contract | Please select | 1.05 | ||
| In addition to or instead of the above options, data will also be accessed by staff from another academic partner organisation, third sector organisation or PPIE members who do not fit into any other category. They may or may not have a research passport/honorary contract | Please select | 1.05 | ||
| In addition to or instead of the above options, data will also be accessed by staff from a commercial partner organisation. They may or may not have a research passport/honorary contract | Please select | 1.1 | ||
| 7 | What are the security arrangements for data storage? Please select all that apply | Within the *Host Organisation* IT environment ONLY, including BYOD | Please select | 0.9 |
| Within an area of the University of *University Affiliated with Host Organisation* covered by an NHS toolkit | Please select | 1 | ||
| Within an area of the University of *University Affiliated with Host Organisation* not covered by an NHS toolkit | Please select | 1.05 | ||
| Organisational secure electronic devices (laptops, tablets, smart phones) | Please select | 1 | ||
| Personal electronic devices (laptops, tablets, smart phones) | Please select | 10 | ||
| Encrypted mobile media (thumb drives, mobile hard drives, magnetic media) | Please select | 1 | ||
| Encrypted cloud storage not covered above but ISO270001 compliant | Please select | 1 | ||
| Paper records/hard copies subject to the trust policy on sensitive documents | Please select | 1 | ||
| Other (detail): | ||||
| 8 | How will the data be transferred between devices? | Not applicable | Please select | 0.8 |
| Secure File Transfer Protocol | Please select | 0.95 | ||
| Encrypted cloud storage (ISO270001 compliant) | Please select | 1 | ||
| Secure email server (e.g. *Host Organisation* email, NHS.net) | Please select | 1 | ||
| Standard email | Please select | 10 | ||
| Encrypted mobile media (thumb drives, mobile hard drives, magnetic media) | Please select | 1.05 | ||
| Standard mobile media | Please select | 10 | ||
| 9 | Please indicate if any of the following apply to your project? | Patients and public have been involved in the design of this study, including membership on the research team or close involvement in the formulation of the study | Please select | 0.8 |
| Patients and public have been consulted on the study but not directly involved in its design [Do not select this option if the above option has already been selected] | Please select | 0.9 | ||
| There is a protocol for the study in the public domain, e.g. as a published article or on a public repository | Please select | 0.95 | ||
| A plain-English summary will be made available online, aimed specifically for public consumption e.g. on a website with an avenue for members of the public to contact the team if needed for further information [This does not include mandatory reporting on data use registries] | Please select | 0.95 | ||
| 10 |
Please indicate if any of the following apply to your project? | This study has received NHS or University ethics approval | Please select | 0.85 |
| There will be a data transfer agreement (DTA) in place for this data transfer/exchange | Please select | 0.95 | ||
| This study has received specific research funding after review by a funding body | Please select | 0.9 | ||
| *Host Organisation* maintains control of the data retention period | Please select | 0.95 | ||
| *Host Organisation* maintains control of data access | Please select | 0.95 | ||
| If there is a relevant data transfer agreement (DTA) for this project, please list it here: | x | |||
| 11a | Please describe the extent to which patients and the public have been involved in designing this study. Include information about how PPIE members were recruited, specific feedback and changes that have been made as a result of PPIE and plans for ongoing input (max 250 words) | x | ||
| 11b | Please provide details of the ethics review for this project (max 250 words) | x | ||
| 11c | Please provide details of the funding that has been provided for this project (max 250 words) | x | ||
| 11d | If applicable, please attach the data protection impact assessment that has been completed specifically for this study (optional) (max 250 words) | x | ||