What is the Data Safe Haven?
The Data Safe Haven (DSH) provides an infrastructure for the secure management and processing of personal, sensitive and confidential information. It is a repository for data for the following types of studies:
- All NHS-Digital data users who need to be NHS Data Security and Protection Toolkit (DSPTK) compliant, unless there are reasons this cannot proceed.
- Other non NHS-Digital data users who also need to be DSPTK compliant, including section 251 approval.
- Other non NHS-Digital data users where the data is highly sensitive and their security requirements could only be met by a DSH.
- Defence data.
PLEASE NOTE: For data that meets the above criteria, but which cannot be stored in the DSH, procedures within the SOP for ‘Information Security Classification, Ownership and Secure Information Handling’ must be followed;
The DSH is built using a ‘walled-garden’ environment. It is a secure environment with auditable access controls, secure data transfer, it also penetration-tested on a regular basis. All of this allows the University to provide the required assurances to NHS Digital and other data providers. There are a number of installed applications that are available to use within the DSH for the purposes of processing data, such as SPSS, Matlab R2016a, StataIC 14, NVIVO 11, Stats Direct, R (Project R), ArcGIS, SAS, Endnote, VLC, MS Office 2010.
Access is restricted only to on-site computers and is protected by strict project level access controls and multi-factor authentication. The DSH utilises a Virtual Desktop Infrastructure (VDI) to ensure the data is only processed within the DSH.
The Data Safe Haven can only be used on campus with the permission of the IG Lead for the Data Safe Haven, who is also the Head of the Research Governance, Ethics and Integrity Team. The following procedure must be followed by all UoM employees who require use of the DSH, including requests by supervisors for the storage of data for student projects. Requests will not be accepted from students or non-UoM employees. The procedure is as follows:
- The researcher should complete a Data Management Plan which flags up the requirement for usage of the DSH to Research IT and Research Governance, Ethics and Integrity team (RGEIT).
- Researchers are then expected to complete a request for use of the DSH to Research IT via the appropriate Data Safe Haven IT Support Portal Form (found under Research IT Services). From the dropdown, select ‘Request access to DSH’. On receipt, Research IT will forward a copy of the support request to the RGEIT.
- The RGEIT will collect the following details from the support request:
- Identity of the PI and username
- Identity of the Study IG Lead and username
- Identity of all users, including username
- Name of the project
- And other such information around Information Governance and service requirements
Before approving use of the DSH, the following conditions must be met for all users:
- Completion of the University’s Data Protection Training.
- A data sharing contract must be in place between the UoM and the data provider which confirms authorised users and the specific data they are entitled to access. This must be checked by the RGEIT.
- An SLSP written by Research IT with the PI, based on the requirements of the data provider and detailing those users who require access to the data.
- An Information Governance Risk Review will need to be completed by the PI and submitted to the Information Governance Office for review.
- An IG master file will need to be developed which outlines the quality assurance processes that must be put in place in order to use the DSH. This will be overseen by RGEIT.
- An Investigator Agreement signed by the PI which states the responsibilities of the PI and the Study IG Lead, where appropriate. This will be overseen by RGEIT.
Only when these conditions are met will RGEIT request Research IT to take the required steps to provision users and projects into the DSH. It is understood that data users may work on more than one project and therefore require access to different project folders in the DSH. In this instance, users will only be provided access to the project folder for which all the above conditions are met. Access to one project will not automatically grant access to other projects. In addition, the same process will apply to external collaborators who require access to a project folder.
Research IT will notify the RGEIT and the users when they have been granted access to the DSH by copying in RGEIT to all emails issued to DSH users.
For more information on the DSH please contact firstname.lastname@example.org