Get started using the UCL Data Safe Haven. This page introduces the Information Governance assurance process before on-boarding to the UCL Data Safe Haven.
Does your team already use the Data Safe Haven?
If you are an individual wishing to join an existing Data Safe Haven share then you need to evidence the approved training on data security which is completed online. Once you have completed and registered your training (UCL members should see their training status registered here, if so), you need the existing Data Safe Haven share owner or administrator to request your access (go to the Data Safe Haven technical page, near to the bottom, under "Getting started with the Data Safe Haven" for details of how requests can be made). Once the Data Safe Haven team are able to confirm that you have completed the approved training and your account has been created by them, the team will invite you to an induction, which is a face-to-face session and will include the handover of your token to log in with.
Note that users do not request Data Safe Haven access for themselves unless they are information asset owners or administrators. Also note that no one should request access to the Data Safe Haven without a project (see below for the assurance process for each project).
Why do I need Information Governance assurance?
The Data Safe Haven is UCL's technical solution for transferring and storing research information that is highly confidential. If you need to use the Data Safe Haven, then your project must be carried out in an accountable way and handle data according to the risk of disclosure, which needs to be documented through the Information Governance Framework ('the assurance process'). After demonstrating that information will be handled correctly, the project will be given a case reference number ('CaseRef') which can be used to make requests on the Data Safe Haven.
Projects that intend to use the Data Safe Haven are assessed for eligibility by the Information Governance Advisory service, where the assurance process has been designed and implemented to meet the requirements of the NHS Data Security & Protection Toolkit and ISO 27001 Information Security standard. To begin this process, projects must register for Information Governance services.
Once a project is determined as being eligible, applicants will be asked to provide assurance around the project itself, not just the information stored on the Data Safe Haven. This will include consideration of how the project plans to manage anonymised/pseudonymised information.
What do the Principal Investigator and others need to do?
The PI and every member of the team handling confidential information will need to have the approved training on data security confirmed. The assurance process for the wider project involves:
- Stage 1: individual assurances to be provided by the Information Asset Owner (usually the principal investigator)
- Stage 2: an annual review of contractual arrangements concerning confidentiality *
- Stage 3: an annual risk assessment on the information processed by the project *
- Stage 4: an annual survey on workplace security *
- Stage 5: an annual signoff of the requirements by the Information Asset Owner
Information Asset Owners may delegate responsibility to an Information Asset Administrator, a named staff member, who can then provide the risk assessments and review of contracts and grant access to users on the Data Safe Haven for that project. If you are the Information Asset Owner of a project with a valid case reference issued by the SLMS Information Governance Advisory service and you wish to assign an Information Asset Administrator to the project (you need to register the project first if you have not already done so), use the form to assign an administrator.
The Information Governance Advisory SharePoint
Once a project has started the Information Governance assurance process, project staff will be given access to the Information Governance Advisory SharePoint to gather evidence of assurance. Guidance on the SharePoint for those who have registered can be read here: Guide to the Information Governance Advisory Service SharePoint
How long will the assurance process take?
The required training takes about two hours to complete, per person. It usually takes an hour or more to complete the risk assessments, depending on how complex the project is. If the project involves sharing confidential information with third parties (including transcription services and survey tools), then contracts may need to be drawn up which may take longer. Projects which do not involve any third parties might be able to complete the assurance process in a day, depending on the time the research team has available.
Some projects will be able to progress on to the Data Safe Haven sooner if the Information Asset Owner has agreed a statement of accountability up front that ensures adherence to the requirements in a reasonable timescale.
For students supervisors wishing to on-board their students to the Data Safe Haven without allowing each student to see each others' research data, see the assurance process for a series of Masters' projects here.
After completing the assurance process, users will be reminded to annually renew their assurances and will be able to cite either the Data Security & Protection Toolkit or the ISO 27001 certificate associated with the Data Safe Haven in their research applications. Data Safe Haven applications will only be valid on completion of the assurance process described above.
Requesting accounts and shares
You should find the links to specific Data Safe Haven request forms and the sequence these are required in, within the on boarding diagram:
Requests for Data Safe Haven will only be valid if:
- the request is for a project which has completed Stage 1 of the assurance process (the information asset owner's statement of accountability) (see above section, 'What do the Principal Investigator and others need to do?')
- it includes the project's assigned CaseRef (a product of the assurance process which will be sent to those involved and evident on all of the forms during the assurance process)
- the request is made by the information asset owner or administrator of the project, not by anyone else
- the new user for whom an account is requested, if applicable, has registered information governance training in the last 12 months
New users will be invited to an induction where they can begin using their account once a successful request has been made.