Changes to the Data Safe Haven (DSH) share management process
What is changing?
Existing access to Data Safe Haven shares will continue, though any changes requested from 17th July 2018 onwards will be handled as detailed in 'How will the new process work?' below.
- A move to online forms, replacing downloaded / scanned paper forms
- A mandatory requirement for the Information Asset Owner (IAO – this is usually the PI) to confirm, before access is given to the Data Safe Haven, that suitable information governance arrangements are in place. This confirmation is called the 'Information Asset Owner Statement of Accountability'.
- The ability for an IAO to delegate management of a share to a nominated member of their team, called an Information Asset Administrator (IAA)
- Changes to existing Data Safe Haven shares will need to cite the project’s case reference number. If you do not know your project’s Information Governance case reference (format is: IG/00999) then please use the form here to request your reference.
Why are we making these changes?
- Continual improvement of the Data Safe Haven information security management system is a requirement of our ISO 27001 certification
- The new process allows IAOs to formally delegate responsibility for managing a share
- Online forms provide a streamlined and auditable method to make changes to shares without requiring paperwork
- Use of a UCL login and password to access the request system provides much stronger authentication than the current signature method
How will the new process work?
Online forms will require a case reference from the Information Governance Advisory service, within IT for SLMS. Each reference will relate to a single project, so there can be more than one Data Safe Haven account or share per reference, but there can only be one project per reference. The reference will only be valid once the IAO has made the 'statement of accountability' in relation to that project.
A note on delegation: While the IAO can delegate responsibility for management of a share to an IAA, they remain accountable for ensuring that the share and data within it are properly managed. This includes making sure that staff keep their Information Governance training up-to-date and that appropriate access rights are granted and reviewed when team members leave. Until an IAA is appointed, the IAO will be required to undertake all information governance and share management activities.
Next steps and timescale
The Data Safe Haven web pages will explain how to access the request forms to create accounts and make changes to existing shares. Those pages are here: Data Safe Haven.
The new system will go live on 17th July 2018 and we will continue to accept paper forms until 29th September 2018. Beyond that date, only online forms will be accepted. All online forms will require a case reference from Information Governance services.