Introduction

This Policy sets out the approach undertaken by The School of Clinical Medicine in order to provide a robust Information Governance framework for the management of research related identifiable information. The purpose of the Policy is to put in place the structure, resources and processes necessary to ensure the information needed to support the research carried out by members of the Clinical School, is appropriately collected and stored in line with all current legislation and guidance. This Policy should be read in conjunction with the Clinical School Secure Data Hosting Policy.
Under the Policy all identifiable research data – from both NHS and healthy volunteer participants must be held in one of the named approved Clinical School safe havens or on NHS computers

Scope of the Policy

This Policy relates to sensitive/identifiable personal information collected and stored by Clinical School employees for the purposes of research. It does not relate to University staff and student data which should be stored and collected under the University of Cambridge guidelines.
This Policy applies to all members of the Clinical School and other members of the University or external researchers who are working in collaboration with Clinical School Investigators.
This Policy does not apply to identifiable research data held on NHS computers or to the storage of anonymous data.

Legal Compliance

The Clinical School regards all identifiable personal information relating to research participants as confidential. It is only to be used in line with the ethical approval and consents received for use of the data.
All participant data collected and stored by Clinical School researchers must be stored and used in line with the Data Protection Act 2018 and the Common Law of Confidentiality.

Information Security

The Clinical School has established safe haven areas for the effective and secure management of personal/sensitive identifiable information used for research purposes. There are eight safe havens which comply with the NHS Digital Data Security and Protection Toolkit requirements:

1. The Clinical School Secure Data Hosting Service which is open to all Clinical School staff;
2. The UIS Secure Platform for Storage of Research Data.  This has three tenancies for the storage of Clinical School sensitive/identifiable personal research data. One is specifically for the storage of WBIC identifiable imaging data, one for Cambridge Clinical informatics team and the third is the main Clinical School tenancy which is open to all Clinical School researchers.  All three areas are for the storage of NHS and healthy volunteer identifiable/sensitive data;
3. The MRC Epidemiology Unit for MRC Epidemiology staff only has two areas. One air-gapped system for archive purposes only and one Secure Research Database.
4. The NCITA XNAT repository for specified projects only
5. The UIS Ronin platform for specified project only

The MRC Cognition and Brain Sciences Unit (MRC CBU) have a secure area for storage of identifiable research data available for MRC CBU project only. At the current time, the MRC CBU secure area is not covered by the NHS Digital Data Security and Protection Toolkit. 

The School promotes effective confidentiality and security practice to its staff through policies, procedures and training.

The School will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.

Information Quality Assurance

The Clinical School, the University Information Compliance Office and the Research Integrity Office will provide advice and policies on the effective management of research data.
Chief Investigators and local Principal Investigators are expected to take ownership of, and seek to improve, the quality of information within their teams.
Wherever possible, information quality should be assured at the point of collection.
Data standards will be set through clear and consistent definition of data items, in accordance with national standards.
The School will promote information quality and effective records management through policies, procedures/user manuals and training.

Responsibilities and Accountabilities

It is the role of the Council of the School to define the School’s Policy in respect of information governance, taking into account legal, University and NHS requirements. The Council is also responsible for ensuring that sufficient resources are provided to support the requirements of the Policy.
The Secretary of the School of Clinical Medicine has responsibility for all Information Governance protocols, for communication of such policies within the School and for ensuring that they are managed responsibly.
The Research Governance Office is responsible for overseeing day-to-day information governance issues, including developing and maintaining policies, standards, procedures and guidance, co-ordinating information governance in the School and raising awareness of information governance.
Investigators and departmental data managers are responsible for ensuring that the Policy and its supporting standards and guidelines are built into local processes, and provide evidence of compliance when requested by either the Research Governance Officer or their authorised representative, as part of any audit..
All staff, whether permanent, visiting, temporary or contracted, and students, are responsible for ensuring that they are aware of the requirements incumbent upon them and for ensuring that they comply with these on a day to day basis.

June 2022