Information Services Division


Transfer data securely

Guidance on transferring data in all forms.

Transfer data securely

When transferring data to share with other organisations, ensure you have a clear legal basis for doing so. The Information Commissioner’s Office published a draft code of practice on data sharing in 9th September 2019 which you should be mindful of when sharing data and we have written guidance for researchers on sharing with collaborators or getting third parties to work on data with you.

To transfer data securely, you need to assess the risk. The nature of your data is relevant here because certain types of data or data provided by some organisations are more controlled or would have greater impact than others if they were disclosed without authorisation. The landing point for a transfer is relevant too because certain services provide more assurance than others. A risk assessment will account for both of these effects. IG Advisory service provides a risk assessment when you register your project and carry out the information asset register activity.

Data that are governed by contracts including data sharing agreements can sometimes be restricted to certain services such as the Data Safe Haven in UCL’s case. Users should be aware of what contractual restrictions are placed on their data and their use of it.

After risk assessing the data transfer in terms of its disclosure and any restrictions, if you are able to use options from the risk assessment and the risk is shown to be low enough, then you just need the technical permissions in place to move your data between transfer start and end points, i.e. your account needs to be configured.

Exporting from the Data Safe Haven

In the UCL Data Safe Haven, permissions are restricted to information asset owners by default to be able to remove data from the service via the file transfer portal. Ordinary users who do not have ownership of a share are not by default able to export/remove data from that service. In order to gain the permission to do so as an ordinary user the information asset owner for the data needs to grant permissions and should have a clear understanding of why they are doing so. If the owner has delegated permissions to an information asset administrator then the same guidance applies to that administrator as to the owner.