Get started using the UCL Data Safe Haven. This page introduces the Information Governance assurance process before on-boarding to the UCL Data Safe Haven.
Does your team already use the Data Safe Haven?
If you are an individual wishing to join an existing Data Safe Haven share then you need to take the approved training on data security online and you need your team to request access for you (go to the Data Safe Haven technical page for details of how a request can be made). Once it has been confirmed that you have completed the approved training and your account has been requested and created through the Data Safe Haven team, they will invite you to an induction which is a face-to-face session and will include the handover of your token to log in.
Why do I need Information Governance assurance?
The Data Safe Haven is UCL's technical solution for transferring and storing research information that is highly confidential. If you need to use the Data Safe Haven, then your project must be carried out in an accountable way and handle data according to the risk of disclosure, which needs to be documented through the Information Governance Framework ('the assurance process').
Projects that intend to use the Data Safe Haven are assessed for eligibility by the Information Governance Advisory service, where the assurance process has been designed and implemented to meet the requirements of the NHS IG Toolkit and ISO 27001 Information Security standard. To begin this process, projects must register for Information Governance services.
Once a project is determined as being eligible, applicants will be asked to provide assurance around the project itself, not just the information stored on the Data Safe Haven. This will include consideration of how the project plans to manage anonymised/pseudonymised information.
What do the Principal Investigator and others need to do?
The PI and every member of the team handling confidential information will need to have approved training on data security confirmed. The assurance process for the wider project involves:
- individual assurances to be provided by the Information Asset Owner (usually the principal investigator)
- a review of contractual arrangements concerning confidentiality *
- a risk assessment on the information processed by the project *
- a second risk assessment on workplace security *
- final signoff of the requirements by the Information Asset Owner
Information Asset Owners may delegate responsibility to an Information Asset Administrator, a named staff member, who can then provide the risk assessments and review of contracts and grant access to users on the Data Safe Haven for that project. If you are the Information Asset Owner of a project with a valid case reference issued by the SLMS Information Governance Advisory service and you wish to assign an Information Asset Administrator to the project (you need to register the project first if you have not already done so), use the form to assign an administrator.
The IG Advisory SharePoint system
Once a project has started the Information Governance assurance process, project staff will be given access to the IG Advisory SharePoint system to gather evidence of assurance. Guidance on the SharePoint system for those who have registered can be read here: Guide to the IG Advisory Service SharePoint
How long will the assurance process take?
The required training takes about two hours to complete, per person. It usually takes an hour or more to complete the risk assessments, depending on how complex the project is. If the project involves sharing confidential information with third parties (including transcription services and survey tools), then contracts will need to be drawn up which may take several weeks. Projects which do not involve any third parties might be able to complete the assurance process in a day, depending on the time the research team has available.
Some projects will be able to progress on to the Data Safe Haven sooner if the Information Asset Owner has agreed a statement of accountability up front that ensures adherence to the requirements in a reasonable timescale.
For students supervisors wishing to on-board their students to the Data Safe Haven without allowing each student to see each others' research data, see the assurance process for a series of Masters' projects here.
After completing the assurance process, users will be reminded to annually renew their assurances and will be able to cite either the SLMS IG Toolkit or the ISO 27001 certificate associated with the Data Safe Haven in their research applications. Data Safe Haven applications will only be valid on completion of the assurance process described above. If you have already completed the Information Governance assurance process you may request access using the self-service forms. Use the search box and the search term 'Data Safe Haven'. Requests can only be made by the Information Asset Owner or their nominated Information Asset Administrator.