Clinical Masters' projects present similar risks to information compared to multi-year, Grant funded medical research. This page explains how to make best use of the UCL Data Safe Haven for students.
When Masters' students begin their research projects, the timeframe for creating projects, getting ethical approval and data protection registration will be limited. Students are not employed on UCL staff contracts so accountability must reside with the student supervisor for handling sensitive research data, as information asset owners.
Student supervisors can take advantage of the assurance of the UCL Data Safe Haven by taking forward steps prior to ethical approval and data protection registration. The Data Safe Haven assurance process is detailed in full here.
Assuming that rules can be set in relation to how information will be stored, transferred and analysed, the student supervisor can create a project on the SLMS Information Governance Advisory service which will underpin the series of Masters' projects. Examples of the rules that may be set at a group level are seen below:
- Confidential information may only be collected using a particular survey tool which is known to have adequate data protection arrangements including a data processing agreement
- Working environments are assessed as having a low risk of eavesdropping and have strong access controls
- Paper or other media for recording data are kept in a secure physical environment or with the person collecting the data at all times
- Only laptops and computers with a supported operating system may be used to collect/store confidential information
In this way, third party software used to collect data, working environments used to operate on data and information risk arising from transfers can be subject to governance, designed and enforced by the supervisor in order to raise compliance.
The UCL Data Safe Haven allows for multiple folders ('shares') to be created under one case reference from Information Governance services' records. Each share will have its own list of users who can access data saved in that share. These shares will need to be requested by the owner when the student projects are designated to individual students.
Please note that third parties providing access to participant information such as a GP or hospital may set their own restrictions on the information provided if it is held in UCL so special account should be taken for these kinds of external requirements.
If student supervisors can register themselves as an information asset owner with SLMS Information Governance Advisory service at least six weeks before the student research projects are due to begin, then it should be easy enough to complete the assurance process for a group in time for the collection of data to begin with suitable assurance in place. The requirement for each student will then be to complete information governance training on (i) the agreed local procedures setup by the owner and (ii) the NHS Digital Data Security Awareness Level 1, which takes up to three working days to register for and usually around two hours to complete.
Note that the information governance assurance process in full still applies to every research project but registering with the SLMS Information Governance Advisory service, risk assessments and contracts requirements will be met at a group level thus saving discussion and time required.