Joiners, movers, leavers template

This template includes steps to ensure new members of the research team understand their responsibilities and have access to the information needed to carry them out.

Purpose

This template includes steps to ensure new members of the research team understand their responsibilities and have access to the information needed to carry them out. It also addresses the risk of those leaving the study retaining access to study data without being authorised to do so.

The joiners movers and leavers template is designed to provide a list of activities to integrate into existing induction / leaving processes within the study or where no formal induction process is in place. It is important to keep a record of activities completed for each joiner / mover / leaver.

Terminology

IAO: Information Asset Owner

The IAO is equivalent to the Data Owner as defined in the UCL Data Protection Policy. Within a study, this is typically the PI and must be a UCL employee, not an honorary staff member.

More information can be found on the Information Asset Owner page.

IAA: Information Asset Administrator (optional)

Appointed by the IAO, their role is to ensure that policies and procedures are followed; recognise potential or actual security incidents; consult their IAO on incident management; ensure that IG Framework risk assessments and other documents for the study are accurate and maintained up to date.

More information can be found on the Information Asset Administrator page.

Joining:

IAO to send email to new team member setting out responsibilities (IG Advisory supply a template for this)

Where a new IAO takes over the study, they need to send PI email to IG Lead (IG Advisory supply a template for this)

Provide joiner with an overview of data handling within the study, including electronic and paper, clear desk policy etc

Ensure the joiner does not have access to data until they have completed or renewed their IG training:

• Information Governance Training & Awareness Service.

Highlight the need to treat data as confidential; highlight confidentiality clause in Information Security Policy (compliance with policy is part of UCL contract):

• Information Security Policy

Make new starter aware of responsibility to report incidents – SLMS-IG15 Incident reporting procedure:

• Approved Information Governance documents.

Ensure that the joiner has authorisation (eg. Approved Researcher status) to access the data as stipulated in any contracts relating to that data

Assign appropriate access rights to data: electronic, paper and other formats, issuing keys etc as needed

Keep a record of recent joiners and confirmation the above steps have been completed for audit purposes

If the joiner is assigned as an IAA, assign access to Sharepoint (notify IG Advisory, who will do this)

In between joining and leaving:

Team members need to ensure that they complete their annual IG training refresher

Consider making annual IG training an appraisal objective for research team members

Movers (note, this means 'leaving a specific study permanently or temporarily, but continuing employment with UCL'):

If leaver is moving elsewhere in UCL (ie. will retain their swipe-card) remove access to the study's work area and confirm (by testing) that the card no longer works

Remove access to databases, including REDCap within the Data Safe Haven

Change codes on keypads / key-safes and any other locally-managed access controls

If suspension of access is temporary or uncertain, suspend account for the duration as per remove access below

Remove access to the study's Data Safe Haven share (or equivalent on other systems):

•  self-service forms. Use the search box and the search term 'Data Safe Haven'. Requests can only be made by the Information Asset Owner or their nominated Information Asset Administrator.

If the mover is an IAA, nominate new IAA, revoke and re-assign access to Sharepoint (via IG Advisory)

Leaving (UCL):

Close Data Safe Haven account / remove access to share (or equivalent on other systems):

•  self-service forms. Use the search box and the search term 'Data Safe Haven'. Requests can only be made by the Information Asset Owner or their nominated Information Asset Administrator.

Return SafeID token via local IT for SLMS support  team

Return swipe-card / keys and other local access controls to IAA or IAO

Add to a record of recent leavers, maintained for audit purposes

Notify IG Advisory of leaver (to ensure training stats for the study reflects current set of researchers)

If IAA, nominate new IAA, revoke and re-assign access to Sharepoint (via IG Advisory)