Information Services Division


Transfer data securely

Guidance on transferring data in all forms.

When transferring data to share with other organisations, ensure you have a clear legal basis for doing so. The Information Commissioner’s Office published a draft code of practice on data sharing on 9th September 2019, which you should be mindful of when sharing data. We have also written guidance for researchers on sharing with collaborators or getting third parties to work on data with you.

To transfer data securely, you need to assess the risk. The nature of your data is relevant here because certain types of data, or data provided by some organisations, are more controlled or would have greater impact than others if they were disclosed without authorisation. The landing point for a transfer is relevant too because certain services provide more assurance than others. A risk assessment will account for both of these effects. The IG Advisory service provides a risk assessment when you register your project and carry out the information asset register activity.

Data that are governed by contracts, including data sharing agreements, can sometimes be restricted to certain services, such as the Data Safe Haven in UCL’s case. Users should be aware of what contractual restrictions are placed on their data and their use of it.

Once you have risk assessed the data transfer in terms of its disclosure and any restrictions, and provided you are able to use options from the risk assessment and the risk is shown to be low enough, you just need the technical permissions in place to move your data between the transfer start and end points, i.e. your account needs to be configured.

Exporting from the Data Safe Haven

In the UCL Data Safe Haven, permission to remove data from the service via the file transfer portal is restricted to information asset owners by default. Ordinary users who do not have ownership of a share are not by default able to export or remove data from that service. For an ordinary user to gain that permission, the information asset owner for the data needs to grant it and should have a clear understanding of why they are doing so. If the owner has delegated permissions to an information asset administrator, then the same guidance applies to that administrator as to the owner.

Transferring data from external sources into the DSH

In many cases external data providers have their own portals for downloading data sets (e.g. NHS Digital). Because of the secure environment, these portals are unreachable from within the UCL Data Safe Haven. In these cases receiving data and storing it in the DSH requires an intermediate step, during which it is important to maintain proper control of the data. We recommend* you add the following steps to your standard operating procedures:
1. Use a hardware encrypted storage device to store the downloaded data set. (Devices like the iStorage range are suitable https://www.ucl.ac.uk/isd/services/computers/recommended-and-supported-m...).
2. When setting the encryption ‘password’ choose something that is complex (difficult to guess) and ensure it is stored in a different location to the storage device.
3. Ensure that the computer you use is either a UCL Managed Desktop Service device or has a modern, fully patched operating system and working, up-to-date anti-malware software installed.
4. Download the data set directly from the portal to the encrypted storage device. Check your browser settings to ensure the download is stored on the encrypted device and is not placed in another less secure area.
5. Upload to the Data Safe Haven immediately (https://filetransfer.idhs.ucl.ac.uk).
6. Remove the data set from the encrypted device as soon as you have confirmed it has been loaded into the DSH.
7. The encrypted device should be kept in a locked safe or cupboard, within a secure building.
8. The encrypted device should be included in your Information Asset Register.
9. Maintain a record of what data sets were stored on the device (even temporarily), when they were added and when they were deleted.
*Please note that these steps are required if you need to comply with the DSP Toolkit and download data from NHS Digital.
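
One way to keep the record that steps 6 and 9 call for, as an added example that is not part of the original guidance or any UCL tool: it logs when each data set was added to and deleted from the encrypted device and lists those still awaiting removal. The column names, function names and the SHA-256 fingerprint are assumptions made for this example, and the sample data are constructed.

```python
import csv
import hashlib
import io
from datetime import datetime, timezone

FIELDS = ["data_set", "sha256", "added_utc", "deleted_utc"]  # hypothetical column names

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def sha256_of(stream, chunk=1 << 20):
    """Hash a binary file object in chunks so large data sets are not read into memory."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()

def record_added(log, name, stream, when=None):
    """Step 9: note what was stored on the device and when it was added."""
    row = {"data_set": name, "sha256": sha256_of(stream),
           "added_utc": when or _now(), "deleted_utc": ""}
    log.append(row)
    return row

def record_deleted(log, name, when=None):
    """Steps 6 and 9: note when the data set was removed from the device."""
    for row in log:
        if row["data_set"] == name and not row["deleted_utc"]:
            row["deleted_utc"] = when or _now()
            return row
    raise KeyError(f"no open record for {name!r}")

def still_on_device(log):
    """Data sets with no deletion time: remove these once the upload is confirmed."""
    return [row["data_set"] for row in log if not row["deleted_utc"]]

def to_csv(log):
    """Render the record as CSV text for filing with the Information Asset Register."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(log)
    return out.getvalue()

if __name__ == "__main__":
    log = []  # constructed sample data below, not real data sets
    record_added(log, "extract_a.csv", io.BytesIO(b"id,value\n1,2\n"), "2024-01-01T10:00:00+00:00")
    record_added(log, "extract_b.csv", io.BytesIO(b"id,value\n3,4\n"), "2024-01-01T10:05:00+00:00")
    record_deleted(log, "extract_a.csv", "2024-01-01T10:30:00+00:00")
    print(to_csv(log), "still on device:", still_on_device(log))
```

For a real file, pass `open(path, "rb")` as the stream, and store the CSV somewhere other than the encrypted device itself.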