Applications for new studies must be approved by the IGO before being passed to either UIS or CSCS for implementation.

CSCS and UIS will report to the IGO if there are concerns arising from the implementation.

All researchers wishing to use the Safe Havens must have relevant information governance training.

All studies must have a designated data manager (DM)

All applications must include evidence of appropriate ethical approval and a copy of the study protocol

If the Data Manager or CI believes a study’s working practice is inadvertently or unjustly impacted by the technical implementation of this Policy, they may make a written request for clarification to the IGO. The IGO will discuss with the relevant IT Security manager.

All personally identifiable research data collected as part of a research project should be stored within the Safe Havens. The only exception is a list of names and email addresses required for the sole purpose of communicating with participants. Prior permission must be obtained from the IGO and it must be within the terms of the approved project protocol or data transfer agreement.

The NHS.net email system is designed to handle sensitive/identifiable data and should be used wherever possible if staff have access to an NHS.net email account. It can be used to receive and send sensitive/identifiable data to any appropriate source or destination under the terms of the research project.

If NHS.net e-mail is not available to researchers, then Transfer Services are available to fulfil this function. Please see separate attached safe haven guides for further information.

In the exceptional case that personal identifiable data has to be transferred via the Clinical School e-mail system it must be approved by the IGO and must be in line with the approved study protocol. Any data sent this way must be with the agreement of the relevant NHS trust and it MUST be encrypted in line with NHS and NHS Digital guidance. Any request to do so will be added to the CSCS risk register.

Consenting volunteers may email their own information to a Clinical School email address providing prior agreement has been arranged under the terms of the research project.

Sensitive data stored as plain text in emails should be recorded appropriately by the researcher, before being deleted and expunged.

Emails containing participant identifiable data must not be copied, or saved, from the University email systems onto personal data storage (e.g. laptop, USB stick or a mobile phone).

Received email attachments containing participant identifiable data must be removed – either deleted or imported into the SDHS through the Transfer Service.

The distribution of data files, containing sensitive/identifiable information, to external collaborators must only be performed using a secure method of transfer, such as the Transfer Service provided by CSCS. Transfers of such data may only occur if in line with the approved study protocol and under an appropriate data transfer or collaboration agreement

Sensitive data may be protected by encryption. 256bit AES is the minimum standard of encryption to be used in all cases. CSCS have best practice advice on data encryption to cover requests to encrypt data. It is the user’s responsibility to use appropriately complex encryption keys.

It is the user’s responsibility to securely store the encryption keys. Loss of the encryptions keys render the data unrecoverable and disclosure of the keys to unauthorised users may jeopardise the confidentiality of the data.

Audits will be carried out to determine compliance with ethics approvals/ISO standards, on a regular basis, by the IGO or designated individual responsible for the secure area.

Delegated individuals will report annually to the Information Governance Oversight Committee

• SDHS Security Policy v5 March 2015 (PDF)
• SDHS Policy March 2016 – February 2017
• SDHS Security Policy Mar 2017 – Feb 2019 (PDF)