This template includes steps to ensure new members of the research team understand their responsibilities and have access to the information needed to carry them out.
Purpose
This template includes steps to ensure new members of the research team understand their responsibilities and have access to the information needed to carry them out. It also addresses the risk of those leaving the study retaining access to study data without being authorised to do so.
The joiners movers and leavers template is designed to provide a list of activities to integrate into existing induction / leaving processes within the study or where no formal induction process is in place. It is important to keep a record of activities completed for each joiner / mover / leaver.
Terminology
IAO: Information Asset Owner
The IAO is equivalent to the Data Owner as defined in the UCL Data Protection Policy. Within a study, this is typically the PI and must be a UCL employee, not an honorary staff member.
More information can be found on the Information Asset Owner page.
IAA: Information Asset Administrator (optional)
Appointed by the IAO, their role is to ensure that policies and procedures are followed; recognise potential or actual security incidents; consult their IAO on incident management; ensure that IG Framework risk assessments and other documents for the study are accurate and maintained up to date.
More information can be found on the Information Asset Administrator page.
Joining:
IAO to send email to new team member setting out responsibilities (IG Advisory supply a template for this)
Where a new IAO takes over the study, they need to send PI email to IG Lead (IG Advisory supply a template for this)
Provide joiner with an overview of data handling within the study, including electronic and paper, clear desk policy etc
Ensure the joiner does not have access to data until they have completed or renewed their IG training:
Highlight the need to treat data as confidential; highlight confidentiality clause in Information Security Policy (compliance with policy is part of UCL contract):
Make new starter aware of responsibility to report incidents – SLMS-IG15 Incident reporting procedure:
Ensure that the joiner has authorisation (eg. Approved Researcher status) to access the data as stipulated in any contracts relating to that data
Assign appropriate access rights to data: electronic, paper and other formats, issuing keys etc as needed
Keep a record of recent joiners and confirmation the above steps have been completed for audit purposes
If the joiner is assigned as an IAA, assign access to Sharepoint (notify IG Advisory, who will do this)
In between joining and leaving:
Team members need to ensure that they complete their annual IG training refresher
Consider making annual IG training an appraisal objective for research team members
Movers (note, this means 'leaving a specific study permanently or temporarily, but continuing employment with UCL'):
If leaver is moving elsewhere in UCL (ie. will retain their swipe-card) remove access to the study's work area and confirm (by testing) that the card no longer works
Remove access to databases, including REDCap within the Data Safe Haven
Change codes on keypads / key-safes and any other locally-managed access controls
If suspension of access is temporary or uncertain, suspend account for the duration as per remove access below
Remove access to the study's Data Safe Haven share (or equivalent on other systems):
- self-service forms. Use the search box and the search term 'Data Safe Haven'. Requests can only be made by the Information Asset Owner or their nominated Information Asset Administrator.
If the mover is an IAA, nominate new IAA, revoke and re-assign access to Sharepoint (via IG Advisory)
Leaving (UCL):
Close Data Safe Haven account / remove access to share (or equivalent on other systems):
- self-service forms. Use the search box and the search term 'Data Safe Haven'. Requests can only be made by the Information Asset Owner or their nominated Information Asset Administrator.
Return SafeID token via local IT for SLMS support team
Return swipe-card / keys and other local access controls to IAA or IAO
Add to a record of recent leavers, maintained for audit purposes
Notify IG Advisory of leaver (to ensure training stats for the study reflects current set of researchers)
If IAA, nominate new IAA, revoke and re-assign access to Sharepoint (via IG Advisory)