Introduction
This Policy sets out the approach taken by The School of Clinical Medicine to provide a robust Information Governance framework for the management of research-related identifiable information. The purpose of the Policy is to put in place the structure, resources and processes necessary to ensure that the information needed to support the research carried out by members of the Clinical School is appropriately collected and stored in line with all current legislation and guidance. This Policy should be read in conjunction with the Clinical School Secure Data Hosting Policy.
Under the Policy all identifiable research data, from both NHS and healthy volunteer participants, must be held in one of the named approved Clinical School safe havens or on NHS computers. In addition, all data transfers in or out of the University must be accompanied by a Data Transfer Agreement.
Scope of the Policy
This Policy applies to all members of the Clinical School and other members of the University or external researchers who are working in collaboration with Clinical School Investigators.
This Policy relates to:
a) identifiable personal information collected and stored by Clinical School employees for the purposes of research; and
b) the management of ALL research data leaving and entering the Clinical School, to and from external parties.
It does not relate to University staff and student data, which should be stored and collected under the University of Cambridge guidelines.
Definitions
Personal data is defined in the UK GDPR and carried over into the UK Data Protection Act 2018 (DPA 2018) as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Accepted practice in health care research is that this covers:
- name, date of birth, address and contact details
- NHS number, which makes sure a person’s records are linked to them and them alone
However, the DPA 2018 also includes online identifiers and effectively any data that, when put together, will enable someone to be identified.
Legal Compliance
The Clinical School regards all identifiable personal information relating to research participants as confidential. It is only to be used in line with the ethical approval and consents received for use of the data.
All participant data collected and stored by Clinical School researchers must be stored and used in line with the UK Data Protection Act 2018 and the Common Law of Confidentiality.
Information Security
The Clinical School has established safe haven areas for the effective and secure management of personal/sensitive identifiable information used for research purposes. There are seven safe havens which comply with the NHS England Data Security and Protection Toolkit requirements:
- The Clinical School Secure Data Hosting Service which is open to all Clinical School staff;
- The UIS Secure Platform for Storage of Research Data. This has two tenancies for the storage of Clinical School sensitive/identifiable personal research data. One is specifically for the storage of WBIC identifiable imaging data and the other is the main Clinical School tenancy which is open to all Clinical School researchers. Both areas are for the storage of NHS and healthy volunteer identifiable/sensitive data;
- The MRC Epidemiology Unit, for MRC Epidemiology staff only, which has two areas: one air-gapped system for archive purposes only and one Secure Research Database;
- The NCITA XNAT repository, for specified projects only;
- The UIS Ronin platform, for specified projects only.
The MRC Cognition and Brain Sciences Unit (MRC CBU) has a secure area for storage of identifiable research data, available for MRC CBU projects only. At the current time, the MRC CBU secure area is not covered by the NHS England Data Security and Protection Toolkit.
The School promotes effective confidentiality and security practice to its staff through policies, procedures and training.
The School will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.
Management of Data Transfers
All data, whether anonymous or identifiable, entering the University from any third parties (commercial or academic), or leaving the University to third parties (commercial or academic), must be received or sent under a Data Transfer Agreement (DTA). A DTA clearly states how the data can be used and how the data must be stored, and must be signed off by the Research Operations Office.
Information Quality Assurance
The Clinical School, the University Information Compliance Office and the Research Integrity Office will provide advice and policies on the effective management of research data.
Chief Investigators and local Principal Investigators are expected to take ownership of, and seek to improve, the quality of information within their teams.
Wherever possible, information quality should be assured at the point of collection.
Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
The School will promote information quality and effective records management through policies, procedures/user manuals and training.
Responsibilities and Accountabilities
It is the role of the Council of the School to define the School’s Policy in respect of information governance, taking into account legal, University and NHS requirements. The Council is also responsible for ensuring that sufficient resources are provided to support the requirements of the Policy.
The Secretary of the School of Clinical Medicine has responsibility for all Information Governance protocols, for communication of such policies within the School and for ensuring that they are managed responsibly.
The Research Governance Office is responsible for overseeing day-to-day information governance issues, including developing and maintaining policies, standards, procedures and guidance, co-ordinating information governance in the School and raising awareness of information governance.
Investigators and departmental data managers are responsible for ensuring that the Policy and its supporting standards and guidelines are built into local processes, and for providing evidence of compliance when requested by either the Research Governance Officer or their authorised representative, as part of any audit.
All staff, whether permanent, visiting, temporary or contracted, and students, are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day-to-day basis.
June 2023