XClose

Information Services Division

Home
Menu

Data Safe Haven & ARC Trusted Research Environment Assurance

Get started using UCL's trusted research environments, the Data Safe Haven and the ARC Trusted Research Environment. This page introduces the assurance process for on boarding to these environments.

Does your team already use the Data Safe Haven (DSH) or the Advanced Research Computing Trusted Research Environment (ARC TRE)?

If you are an individual wishing to join an existing DSH share or ARC TRE project, then you need to evidence approved training on data security, which is completed online:

Note that users do not request DSH or ARC TRE access for themselves unless they are information asset owners or administrators. Also note that no one should request access to the DSH or ARC TRE without their research being registered (see below for the assurance process for research).

Why do I need Information Governance assurance?

If you need to use the DSH or ARC TRE, then your research must be carried out in an accountable way and handle data according to the risk of disclosure, which needs to be documented through the Information Governance Framework ('the assurance process'). After demonstrating that information will be handled correctly, the research will be given a case reference number ('CaseRef') which can be used to make requests for resources on the DSH and ARC TRE.

Research that intends to use the DSH or ARC TRE is assessed for eligibility by the Information Governance Advisory service, where the assurance process has been designed and implemented to meet the requirements of the NHS Data Security & Protection Toolkit and ISO 27001 Information Security standard. To begin this process, the research must be registered with the Information Governance Advisory Service.

Once the research is determined as being eligible, applicants will be asked to provide assurance around the research itself, not just the information to be stored in the trusted research environment. This will include consideration of how the research plans to manage anonymised/pseudonymised information.

Register your research with Information Governance Advisory Service

What do the Principal Investigator and others need to do?

The Principal Investigator and every member of the team handling confidential information will need to have the approved training on data security confirmed. The assurance process for the wider project involves:

Information Asset Owners may delegate responsibility to an Information Asset Administrator, a named staff member, who can then provide the risk assessments and review of contracts and grant access to users for that project. If you are the Information Asset Owner of a project with a valid case reference issued by the Information Governance Advisory service and you wish to assign an Information Asset Administrator to the project (you need to register the research first if you have not already done so), use the form to assign an administrator.

The Information Governance Advisory SharePoint

Once a project has started the Information Governance assurance process, project staff will be given access to the Information Governance Advisory SharePoint to gather evidence of assurance. Guidance on the SharePoint for those who have registered can be read here: Guide to the Information Governance Advisory Service SharePoint

Check your progress on the Information Governance Advisory SharePoint Portal

How long will the assurance process take?

The required training takes about two hours to complete, per person. It usually takes an hour or more to complete the risk assessments, depending on how complex the project is. If the project involves sharing confidential information with third parties (including transcription services and survey tools), then contracts may need to be drawn up which may take longer. Projects which do not involve any third parties might be able to complete the assurance process in a day, depending on the time the research team has available.

Some projects will be able to progress on to the DSH or ARC TRE sooner if the Information Asset Owner has agreed a statement of accountability up front that ensures adherence to the requirements in a reasonable timescale.

For student supervisors wishing to on-board their students' research to a trusted research environment without allowing each student to see each others' research data, see the assurance process for a series of Masters' projects here.

After completing the assurance process, users will be reminded to annually renew their assurances and will be permitted to cite either the Data Security & Protection Toolkit or the ISO 27001 certificate associated with the environment in their research applications. DSH and ARC TRE applications will only be valid on completion of the assurance process described above.

Requesting accounts and shares on the Data Safe Haven

You should find the links to specific Data Safe Haven request forms and the sequence these are required in, within the on boarding diagram:

 

Requests for Data Safe Haven will only be valid if:

  • the request is for a project which has completed Stage 1 of the assurance process (the information asset owner's statement of accountability) (see above section, 'What do the Principal Investigator and others need to do?')
  • it includes the project's assigned CaseRef (a product of the assurance process which will be sent to those involved and evident on all of the forms during the assurance process)
  • the request is made by the information asset owner or administrator of the project, not by anyone else
  • the new user for whom an account is requested, if applicable, has registered information governance training in the last 12 months

Requesting projects on the ARC TRE

Development of the ARC TRE is being carried out in an iterative fashion, with features being rolled out over time. We recommend and request that researchers wishing to use the ARC TRE contact the team, so that we can discuss how best to support you, and help you through onboarding and early usage of the environment.