XClose

Information Services Division

Home
Menu

Get Information Governance assurance for a series of Masters projects

Masters' projects present similar information risks compared to multi-year, grant funded research. This page explains how to make use of UCL trusted research environments for student-lead research.

When Masters' students begin their research projects, the timeframe for creating projects, getting ethical approval and data protection registration will be limited. Students are not employed on UCL staff contracts so accountability must reside with the student supervisor for handling sensitive research data, as information asset owners.

Student supervisors can take advantage of the assurance of the trusted research environments by taking forward steps prior to ethical approval and data protection registration. The assurance process is detailed in full here.

Assuming that rules can be set in relation to how information will be stored, transferred and analysed, the student supervisor can create a project on the Information Governance Advisory service which will underpin the series of Masters' projects. Examples of the rules that may be set at a group level are seen below:

  • Confidential information may only be collected using a particular survey tool which is known to have adequate data protection arrangements including a data processing agreement
  • Working environments are assessed as having a low risk of eavesdropping and have strong access controls
  • Paper or other media for recording data are kept in a secure physical environment or with the person collecting the data at all times
  • Only laptops and computers with a supported operating system may be used to collect/store confidential information

In this way, third party software used to collect data, working environments used to operate on data and information risk arising from transfers can be subject to governance, designed and enforced by the supervisor in order to raise compliance.

Both trusted research environments allow for multiple working subareas to be created under one case reference from Information Governance services' records:
- In the Data Safe Haven, multiple folders ('shares') can be created.
- In the ARC TRE, multiple sub-environments ('projects') can be created.

In both cases, each subarea will have its own list of users who can access data saved in that place. These subareas will need to be requested by the owner when the student projects are designated to individual students.

Please note that third parties providing access to participant information such as a GP or hospital may set their own restrictions on the information provided if it is held in UCL so special account should be taken for these kinds of external requirements.

If student supervisors can register themselves as an information asset owner with the Information Governance Advisory service at least six weeks before the student research projects are due to begin, then it should be easy enough to complete the assurance process for a group in time for the collection of data to begin with suitable assurance in place. The requirement for each student will then be to complete information governance training on (i) the agreed local procedures setup by the owner and (ii) the NHS England Data Security Awareness Level 1, which takes up to three working days to register for and usually around two hours to complete.

Note that the information governance assurance process in full still applies to every research project but registering with the Information Governance Advisory service, risk assessments and contracts requirements will be met at a group level thus saving discussion and time required.