Data Handling

Data classification

Before any project starts, it should go through an assessment process to classify it into a sensitivity tier. A full overview of the classification process can be found here.

Data sharing agreement

A formal data sharing agreement should be drawn up between the Data Provider and the Hosting Organisation. This should be drafted with the benefit of legal advice and signed before any dataset is transferred.

Hint

Your organisation might have a template agreement that can be used to minimise the turnaround time and legal effort required.

User lifecycle

Projects should be recorded in a centralised system. Once a user’s involvement with a project or work package ends their access should be revoked promptly.

Data security training requirements

We recommend requiring data security awareness training for the following categories of person:

• Anyone with administrator access to the Data Safe Haven codebase. This is to ensure integrity of the code supply chain.

• Anyone responsible for deploying a Data Safe Haven.

• System Managers administering a deployed Data Safe Haven.

• Anyone who has administrator access to the Azure subscriptions hosting any deployed Data Safe Haven.

• Programme and project managers.

• All Researchers with access to any data in scope of the NHS Data Security and Protection Toolkit (DSPT) held in a Data Safe Haven.

• Data Provider Representatives, Investigators and Referees for any project containing data in scope of DSPT.

Hint

The exact training requirements for each organisation will depend on their own information governance processes.

Data security incident process

We recommend that System Managers follow the data security incident process of the Hosting Organisation. You may additionally want to consider developing an additional data security policy specific to your own Data Safe Haven instance on top of this.