January 2021 – January 2022
The purpose of this Policy is to outline the Clinical School’s Secure Data Hosting Policy and general working practices in handling sensitive data. It should be read in conjunction with the School Information Governance Policy and the guidance of the specific Safe Haven the researcher wishes to use.
The Policy is designed to ensure that sensitive/identifiable personal information, required by research groups at the Clinical School, is secure from unauthorised modification or disclosure, either accidental or deliberate, and that the storage of this data complies with all required regulations.
The Policy has been developed, implemented and is managed by the University of Cambridge.
It is for use by Clinical School research groups.
Authorisation to use the service is provided by the Information Governance Officer (IGO).
The policy structure has been agreed by the Cambridge University Data Protection Officer and the Addenbrooke’s (Cambridge University Hospitals NHS Trust) Data Protection Officer.
All data is managed in accordance with the Data Protection Act 2018. The University of Cambridge is registered with the Information Commissioner’s Office under registration number Z6641083.
There are eight secure areas available to Clinical School researchers, two of which are open to all researchers and six for specific projects where a named individual is responsible for management of the area:
- Clinical School Secure Data Hosting Service (ISO27001 accredited) – open to all researchers
- University Information Services secure platform (currently in process of getting ISO27001 accreditation) – open to all researchers
- WBIC secure area for storage of WBIC images only (part of UIS platform)
- Cambridge Clinical Informatics (part of UIS platform)
- MRC Epidemiology Unit (air-gapped system) for archive purposes only. Access limited to MRC Epid staff
- MRC Epidemiology Unit Secure Research Database – access limited to MRC Epid staff
- MRC-CBU secure area – access limited to CBU staff
- NCITA XNAT repository for specified projects only
See attached individual Safe Haven guidance for technical infrastructure information.
For access to the Clinical School Secure Data Hosting Service or the UIS service (the Safe Havens) the policy below applies.
Applications for new studies
Applications for new studies must be approved by the IGO before being passed to either UIS or CSCS for implementation.
CSCS and UIS will report to the IGO if there are concerns arising from the implementation.
All researchers wishing to use the Safe Havens must have relevant information governance training.
All studies must have a designated data manager (DM).
All applications must include evidence of appropriate ethical approval and a copy of the study protocol.
Clarifications and exceptions to the Policy
If the Data Manager or CI believes a study’s working practice is inadvertently or unjustly impacted by the technical implementation of this Policy, they may make a written request for clarification to the IGO. The IGO will discuss the request with the relevant IT Security manager.
Data Storage within the Safe Havens
All personally identifiable research data collected as part of a research project should be stored within the Safe Havens. The only exception is a list of names and email addresses required for the sole purpose of communicating with participants. Prior permission for this exception must be obtained from the IGO, and it must be within the terms of the approved project protocol or data transfer agreement.
The NHS.net email system is designed to handle sensitive/identifiable data and should be used wherever possible if staff have access to an NHS.net email account. It can be used to receive and send sensitive/identifiable data to any appropriate source or destination under the terms of the research project.
If NHS.net e-mail is not available to researchers, then Transfer Services are available to fulfil this function. Please see the separate attached Safe Haven guides for further information.
In the exceptional case that personal identifiable data has to be transferred via the Clinical School e-mail system it must be approved by the IGO and must be in line with the approved study protocol. Any data sent this way must be with the agreement of the relevant NHS trust and it MUST be encrypted in line with NHS and NHS Digital guidance. Any request to do so will be added to the CSCS risk register.
Consenting volunteers may email their own information to a Clinical School email address providing prior agreement has been arranged under the terms of the research project.
Sensitive data stored as plain text in emails should be recorded appropriately by the researcher, before being deleted and expunged.
Emails containing participant identifiable data must not be copied, or saved, from the University email systems onto personal data storage (e.g. laptop, USB stick or a mobile phone).
Received email attachments containing participant identifiable data must be removed – either deleted or imported into the SDHS through the Transfer Service.
Sharing data files with collaborators outside of the Clinical School
The distribution of data files containing sensitive/identifiable information to external collaborators must only be performed using a secure method of transfer, such as the Transfer Service provided by CSCS. Transfers of such data may only occur if in line with the approved study protocol and under an appropriate data transfer or collaboration agreement.
Methods of Encryption
Sensitive data may be protected by encryption. 256-bit AES is the minimum standard of encryption to be used in all cases. CSCS has best practice advice on data encryption to cover requests to encrypt data. It is the user’s responsibility to use appropriately complex encryption keys.
It is the user’s responsibility to securely store the encryption keys. Loss of the encryption keys renders the data unrecoverable, and disclosure of the keys to unauthorised users may jeopardise the confidentiality of the data.
Auditing of Data
Audits will be carried out to determine compliance with ethics approvals/ISO standards, on a regular basis, by the IGO or designated individual responsible for the secure area.
Delegated individuals will report annually to the Information Governance Oversight Committee.