Part of a reliable approach to handling confidential information is to assess the risk of information travelling from point to point. Data transfers raise questions of security.
The procedure for monitoring information risk is split into two distinct activities: (i) capturing the information assets that are generated as part of the project and (ii) quantifying the risks around storing and transferring those information assets. Both activities are carried out on UCL's Information Governance Advisory SharePoint if your research project has registered with the Information Governance Advisory Service.
It is critical to identify your information assets and form a register of them. Assets may include, for example, consent from participants in written form, a database of participant questionnaire responses or a web page used to advertise the study.
Information assets should have ownership assigned to them (the owner is your information asset owner), they should be reviewed regularly, for example for retention, and they should be classified under the terms of UCL's Information Management Policy (found here https://www.ucl.ac.uk/informationsecurity/policy/public-policy/Information-Management-Policy-IRGG-20170912.pdf) and the information classification scheme within it. Classifying information assets makes it easier to assess the risk of storing and transferring them. In order to judge risk you also need to state how the asset is protected in situ, i.e. irrespective of how it is stored or transferred, through encryption, pseudonymisation or anonymisation (or none of these, where it is not possible).
The second required activity is to record the processing activities involving those information assets. A risk assessment must be carried out that includes the storage and transfer of any information assets documented during the information asset registering activity.
People tend to exaggerate short-term, less common risks and downplay the most common risks and the longer-term risks, so the idea of this risk assessment is to capture risks uniformly and objectively.
If you are working on a research project after registering with the ISD Information Governance service, you have to record that the information risk procedure has been completed under Information Risk (Stage 3) on the Information Governance Advisory SharePoint, as part of the required evidence.
More detailed guidance is found below:
The purpose of the Information Risk procedure is to inform the design of a project so that privacy for individuals is maximised. Research project information asset owners or administrators that work with highly confidential information are required to carry out this procedure at the earliest possible juncture so that the project makes use of the best possible technology and services for processing highly confidential information.
Before completing the Information Risk procedure
Users should assemble the views of senior managers, study co-ordinators, staff and, where possible, the individuals affected. All of these viewpoints should be considered in assessing the privacy requirements of the project. However, all legislation, regulations, contracts and UCL policies, procedures and guidance should be adhered to irrespective of whether the risk assessment indicates a low or a high risk. It is best if everyone involved in carrying out the assessment has been through training in information governance beforehand.
The Information Asset register
Users should complete the asset register before moving on to the risk assessment. Doing so allows specific information assets to be populated in the risk assessment once the first step is complete. This is necessary because the risk can only be calculated based on the relative ‘impact’ of the asset (where 'impact' means the negative impact on the project in the event of unauthorised disclosure).
Each row in the asset register should contain one data set that is held by the project. If two or more data sets are combined at any point then this will result in three or more information assets until such time as the 2+ original assets are destroyed.
Users are required to consider UCL guidance on anonymisation/pseudonymisation and encryption when describing assets as protected in this way. Assets need to be captured in all of their actual forms: anonymised versions, encrypted files that contain one or more assets, paper and electronic assets etc.
The project information asset owner or administrator should fill out all applicable fields in the information asset register for every asset relating to the project.
The Information Risk Assessment
The information risk assessment requires the user to enter an information asset and its start point, the method of transfer and its end point. In order to settle on the start/end points and method of transfer, the user will need to consider the security of those items by reviewing the Storage and Service Security page and the Transfer Method Security page.
| Field | Description |
|---|---|
| Asset Name | Select the asset from a drop-down list based on the assets entered in the Information Asset Register |
| The information starts on.. | The type of storage or service used to take data from.. |
| How is information transferred? | The procedure used for transferring data between start and end points |
| Information will be received on or moved/copied to.. | The type of storage or service used to copy or save data to.. |
| Risk (score out of 30) | A risk rating based on all aspects of the data flow (users should wait approx. 20 seconds for the risk to populate, refreshing the browser window if necessary) |
Once the assessment has been carried out
Risks identified in the assessment should be considered and any risk mitigating strategies put in place, potentially in liaison with the Information Governance Advisory Service (email@example.com). The information asset owner (usually the Principal Investigator or the grant-holder in research) or information asset administrator will need to provide confirmation that the risks are tolerable. However, any ‘red risks’ of 18 or higher do require improvement steps to be implemented and should be brought to the attention of the information asset owner and the Information Governance Advisory Service for advice. If additional measures cannot be found to mitigate these risks within the information risk assessment, then the Senior Information Risk Owner within the UCL School of Life and Medical Sciences will be asked to either accept or reject the activity based on the risk.
If you have reached a satisfactory conclusion on the above, then you need to confirm that all aspects of the process have been completed, using the Information Risk form, for 'Stage 3' to be completed.