Data Safe Haven Assurance

Get started using the 乱伦秀 Data Safe Haven. This page introduces the Information Governance assurance process before on-boarding to the 乱伦秀 Data Safe Haven.

Does your team already use the Data Safe Haven?

If you are an individual wishing to join an existing Data Safe Haven share then you need to evidence听the approved training on data security听which is completed online. Once you have completed and registered your training (, if so), you need听the existing Data Safe Haven share owner or administrator to request your access here - Service Requests.听Once the Data Safe Haven team are able to听confirm听that you have completed the approved training, your account is created and log-in details provided.

Note that users do not request Data Safe Haven access for themselves unless they are information asset owners or administrators. Also note that听no one should request access to the Data Safe Haven without a project (see below for the assurance process for each project).

Why do I need Information Governance assurance?

The Data Safe Haven听is 乱伦秀's听technical solution for transferring and storing research information that is highly confidential. If you need to use the Data Safe Haven, then your project must be carried out in an accountable way and handle data according to the risk of disclosure, which needs to be听documented through听the Information Governance Framework ('the assurance process'). After demonstrating that information will be handled correctly, the project will be given a case reference number ('CaseRef') which can be used to make requests on the Data Safe Haven.

Projects that intend to use the Data Safe Haven are assessed for eligibility by the Information Governance Advisory service, where the assurance process has been designed and implemented to meet the requirements of the NHS Data Security & Protection听Toolkit and ISO 27001 Information Security standard. To begin this process, projects must .

Once a project is determined as being eligible, applicants will be asked to provide assurance around the project itself, not just the information stored on听the Data Safe Haven.听This will include consideration of how the project plans to manage anonymised/pseudonymised information.

What do听the Principal Investigator and others听need to do?

The PI and every member of the team handling confidential information听will need to have the approved听training on data security听confirmed. The assurance process for the wider project involves:

Stage 1: individual assurances to be provided by the听Information Asset Owner听(usually the principal investigator)
Stage 2: an annual听review of contractual arrangements concerning confidentiality听*
Stage 3: an annual听risk assessment听on the information processed by the project *
Stage 4: an annual signoff of the requirements by the Information Asset Owner

Information Asset Owners may delegate responsibility to an Information Asset Administrator, a named staff member, who can then provide the risk assessments and review of contracts听and听grant access to users听on the Data Safe Haven for听that听project. If you are the Information Asset Owner of a project with a valid case reference issued by the SLMS Information Governance Advisory service and you wish to assign an Information Asset Administrator to the project (you need to first if you have not already done so), use the .

The Information Governance Advisory SharePoint

Once a project has started the Information Governance assurance process, project staff will be given access to the Information Governance Advisory SharePoint to gather evidence of assurance. Guidance on the SharePoint for those who have registered听can be read here:听Guide to the Information Governance Advisory Service SharePoint

How long will the assurance process take?

The required training听takes about two hours to complete, per person. It usually takes an hour or more to complete the risk assessments, depending on how complex the project is. If the project involves sharing confidential information with third parties听(including transcription services and survey tools), then contracts may need to be drawn up听which may take longer. Projects which do not involve any third parties might be able to complete the assurance process in a day, depending on the time the research team has available.

Some projects will be able to progress on to the Data Safe Haven sooner听if the Information Asset Owner has agreed a statement of accountability up front听that ensures adherence to the requirements in a reasonable timescale.

For students supervisors wishing to on-board their students to the Data Safe Haven without allowing each student to see each others' research data, see the assurance process for a series of Masters' projects here.

After completing the assurance process, users will be reminded to annually renew their assurances and will be able to cite either the Data Security & Protection听Toolkit or the ISO 27001 certificate associated with the Data Safe Haven in their research applications. Data Safe Haven applications will only be valid on completion of the assurance process described above.

Requesting accounts and shares

You should find the links to specific Data Safe Haven request forms and the sequence these are required in, within the on boarding diagram:

dsh_onboarding_process_-_diagrams_2019.07.12.pdf

听

Requests for Data Safe Haven will only be valid if:

the request is for a project听which has completed Stage 1 of the assurance process (the information asset owner's statement of accountability) (see above section, 'What do the Principal Investigator and others need to do?')
it includes the project's assigned CaseRef (a product of the assurance process which will be sent to those involved and evident on all of the forms during the assurance process)
the request is made by the information asset owner or administrator of the project, not by anyone else
the new user for whom an account is requested, if applicable, has registered information governance training in the last 12 months