Classification process

Here we give an overview of the data classification process operated by the Turing, utilising our sensitivity tiers.

Caution

While organisations deploying their own Data Safe Haven instance are free to take inspiration from the Turing’s information governance processes, each organisation is responsible for instituting their own information governance processes appropriate to their own contexts.

Projects are divided into work packages. Each project may have one or more work packages, each of which will have an associated sensitivity tier. The sensitivity of any work package depends on both the sensitivity tier of the underlying data and the work that will be carried out on that data. Research for a given work package must only be undertaken in an environment suitable to the sensitivity tier of the work package and with the associated non-technical information governance controls in place.

Work Packages

A work package is a distinct piece of work carried out as part of a project, with a specific outcome in mind. It can make use of one or more datasets. A work package should encompass: the analysis that the research team intend to carry out, the expected outputs and the tools they plan to use. We assume that classification will be carried out on work packages rather than individual datasets.

Caution

Classification to a tier is not a property of a dataset, because a dataset’s sensitivity depends on the data it can be combined with, and the use to which it is put.

Classification roles

There are three key roles:

Investigator

The research project lead. This individual is responsible for ensuring that project staff comply with the Environment’s security policies.

Dataset Provider Representative

A representative of the organisation that provided the dataset under analysis. The Dataset Provider will designate a single representative contact to liaise with the Investigator, authorised to certify sharing of datasets with the researchers.

Referee

A Referee volunteers to review code or derived data (data which is computed from the original dataset), providing evidence to the Investigator and Dataset Provider Representative that the researchers are complying with data handling practices.

To classify the data to be used in a project, each role representative will go through a series of questions to help understand the legal sensitivity of the data involved and the consequences of a data breach.

Initial classification process

The Dataset Provider Representative and Investigator should classify each work package, based on a clear understanding of what the work involves. These two people should agree on a classification before the work can proceed. For Tier 2 and Tier 3 work packages the Referee must also agree on the classification. This classification will indicate which security controls should be applied when initialising the Secure Research Environment for the project.

In this documentation we will assume that the outcome of the classification is one of our sensitivity tiers, but your organisation may classify projects differently and require different technical and non-technical controls.