The Secure Data Hosting Service (SDHS) has been developed by the Clinical School Computing Service (CSCS) at the request of the School of Clinical Medicine (SCM). It may be used by research groups of the SCM whose trials have been approved by the Information Governance Office (IGO) to store sensitive or participant identifiable data.
The SDHS provides a data ‘safe haven’ accredited by the NHS Information Governance Toolkit. The SDHS provides technical solutions to protect against data theft and can reduce the risk of data loss; however, the effectiveness of any safe haven relies on users understanding and working within the associated security policy.
The SDHS is a Safe Haven for computer data only and its policies apply only within this remit. CSCS cannot provide advice or resource outside of this remit. Studies are expected to have separate policies and accreditation covering the use of participant identifiable data in other media, such as phone calls, voicemails, faxes, post, Dictaphones etc.
As part of its obligations, CSCS audits and monitors data access within the SDHS. Any users of the SDHS found to be in breach of the security policy will be reported to the Clinical School information governance officers. You must read this policy and confirm on application to the SDHS that you have read and understood this document and the SDHS Security Policy, and that you are aware of your obligations as a user of this service. If any aspects are unclear, seek clarification from CSCS or the IGO.
Access to the SDHS
To use the SDHS, the study must have been approved by the IGO and a copy of the template consent form must have been received by CSCS. Only staff requiring storage for PID should apply for access to the SDHS. Anonymised data may be stored on the normal CSCS networks. Wherever feasible, it is expected that anonymised data is used for analysis.
All users of the SDHS must have read the SDHS Security Policy.
Data flows
All data flows that involve participant identifiable data must be fully and accurately described to CSCS and IGO during the application and consultation process. Where data flows are not compliant with the security policy, users must work with CSCS and IGO to identify feasible data flows which are compliant.
Data flows will be regularly reviewed by CSCS and IGO.
When new flows are required, a request must be made for authorisation. CSCS and IGO will risk assess the flow and either approve the flow or provide advice.
If either CSCS or IGO identifies risks inherent in data flows, these will be recorded on the risk register. Work flows on the risk register will be reviewed regularly for opportunities to reduce risk.
Data Storage
All participant identifiable data must be stored on the secure network drive within the SDHS.
Data exported from the SDHS should be encrypted as per the Security Policy.
Breaches
Any breach of data protection rules or breach of an ethically approved research protocol must be reported immediately to the University data protection officer as per Clinical School guidelines set out below.
Where applicable, it is also important to liaise with the relevant R&D office.