What you need to do
Before you embark on a DSP Toolkit application, make sure you check whether you’re based in a department that already has a toolkit in place.
How to do this:
What to do:
If you have a toolkit in place in the Department: speak to your unit’s IG lead about being included in the scope for the toolkit.
If you do not have a toolkit in place in your unit: continue reading to assess whether the University toolkit would be a suitable alternative.
Selecting IT Systems:
The DSP toolkit for the Medical Sciences Division is primarily designed for studies who wish to become compliant with the requirements for the toolkit for the purposes of limited processing of identifiable data without consent (i.e. with a Section 251 approval). The primary requirement for this is that you receive and process the datasets within the MSD IT’s High Compliance System. Read about the service here, and apply for a project space here. Please note that the High Compliance System is currently not intended to be a repository or archive of sensitive data, but rather a controlled environment within which sensitive data can be manipulated and de-classified for further processing as required by regulatory bodies.
If your requirements for data use is not compatible with the MSD IT’s High Compliance System offering, please get in touch with your Departmental IG lead to request support for a DSP Toolkit application as soon as possible. Limited support for this can be provided to IG leads as per our guide here.
Defining the scope:
The first question to ask is whether you’re already in the throes of a data application or IRAS/Section 251 application process, or whether you’re considering this at an earlier stage in your study. If you’re in need of a toolkit application in order to renew an existing data sharing agreement which was previously approved through other means, please let us know at email@example.com.
In any case, the scope for the toolkit application would be strictly limited to the data that is shared under a Data Sharing Agreement with NHS Digital. If you are requesting data from Public Health England (PHE) or another data provider under the toolkit application, these datasets would also need to sit within MSD IT’s High Compliance System in order to be included in the scope for the toolkit.
That being said, it’s worth considering the project data flows, and data management at a project level in order to help you assess which of the data flows would and wouldn’t fall under the requirements for the DSP Toolkit.
So how do you decide which data flows would fall under toolkit scope?
You define the requirements for Confidentiality, Integrity, and Availability of the datasets collected and processed throughout the project lifecycle. Some of the data flows would inevitably have a higher requirement than the others, due to conditions from the sponsors, the funders, data providers, and/or clinical partners. For research handling personal identified or identifiable data from NHS England, it is a requirement that you define also the legal basis under GDPR, as well as the legal basis under Common Law Duty of Confidentiality, for all processing of data.
Your departmental or divisional Data Privacy champion can help you understand your obligations for data privacy for research under GDPR.
All research which includes processing personal identified or identifiable data (including pseudonymised data) should undertake a Data Privacy Screening Assessment and, subsequently, as indicated by the screening, either a Data Privacy Impact Assessment or a lighter touch Data Privacy Asessment. For new applications this procedure is likely to be integrated into the ethical review or sponsorship process.
You will also be expected to provide privacy notices (also termed transparency information) either within the context of participant information sheets or as stand alone notices on your study website.
If you process identifiable or pseudonymised data in order to anonymise it then you should undertake a screening and assessment. If you receive de-identified (i.e. anonymous) data from some providers the agreement may require you to publish a privacy notice.
Common Law duty of Confidentiality
For Common Law, the legal bases for research are either participant consent, or Section 251 approval from Confidentiality Advisory Group (CAG). Get in touch with your sponsor, and research contracts specialists team, to find out more information on making data applications and planning your research data applications early on in research.
Good practice guide on data protection and confidentiality for research as defined by CUREC advocates the de-identification of participant information at the earliest opportunity possible.
Please contact us at firstname.lastname@example.org if you need help with drafting data flows and clarifying requirements for confidentiality, integrity, and availability for your project datasets or for clarifying contact points for your research paperwork.
Once the relevant privacy requirements are completed, you need to complete the following asset register, to be answered at the project level, and verified by the Information Security Team via email@example.com.
The asset register is intended to be a repository of information around the project. Covering people, processes, and technology, the scope of asset register should include information about project, the data, the staff who will handle the data, transparency information location, as well as records of checks and reviews on the training status, system updates, and data retention requirements for the data flows within the scope of the DSP toolkits.
The Projects tab requires you to note down the objectives, data requirements, as well as funders, data providers, and transparency information links.
The Roles and Training tab will need you to note down the staff involved in the handling of patient information, their roles in the project, and their requirements and records of training in Information Security and Privacy. Using the template Training Needs Analysis document, read through and complete the activity with support from your IG lead or the Information Security Team. Once you’ve identified and allocated the necessary IG roles and responsibilities, ensure your staff complete the available training and provide you with a copy of the certificate. This will need to be kept in a restricted location, and its link provided in the asset register in the required field.
The Data Holdings tab should include information on all the data sources included in the project. This should include data requested from data custodians both national and international, even if only NHS Digital, or Public Health England datasets may fall within the scope of this application. Including the Data Sharing Agreement references relating to the various data flows would help you draft the requirements for data security, processing, and destruction.
Systems and Software tab should include, by staff member within the project, a list of all the systems and software used in your research. For those wishing to be included in the University DSP Toolkit scope, you should only be using MSD IT High Compliance System. When requesting project space within the MSD IT High Compliance System, do note down your requirements for data destruction and encryption from the onset. Include the project roles assigned to the system, including privileges.
Last but not least, the Incidents tab is an ongoing record of any data security incidents and near misses. For Personal data breaches, you are required to report this immediately to firstname.lastname@example.org, who are the authority for investigating and reporting data breaches on behalf of the University. For any security incidents, report to email@example.com and complete the asset register to investigate root cause and add mitigating controls to prevent recurrence as part of good practice in research.
Once all but the last of the tabs are completed, send this to firstname.lastname@example.org. We will then reply to request access to review and verify the information you gave us in the asset register. This may be as a minuted meeting, or email correspondence, typically. We may conduct additional checks, policy reviews, and/or security risk assessments before including your project in scope of the DSP toolkit for the division. This will be typically an email confirmation of the toolkit scope expansion. NHS Digital shall be verifying the scope of the DSP toolkit for each relevant DARS or CAG application, and we shall respond accordingly with verification email and supporting documents on your behalf, so please ensure all relevant documents are completed, kept up to date, and kept safe for review.
As an ongoing activity for the duration of the project data requirements, there shall be annual reviews and compliance checks as well as your requirement to maintain the asset register information, and update it as required. End of the data retention period would need you to renew the data application, or request data destruction from the MSD IT team.
You are required to update the asset register when:
- When staff roles, and responsibilities change, or
- When staff joins, moves, or leaves the project or department,
- Annually for training data,
- As and when there are data breaches or near-misses,
- At the end of data retention periods or when data provider requirements change,
- When systems and software used are updated,
- When project data requirements change,
- When data is archived or destroyed,
- When project closes.
What we will do:
Information Security team will work through and double check your Training Needs Analysis documentation, Completion of Training, your Business Continuity Planning for Research, and refer to Data Privacy and Information Compliance Team for completion of Data Privacy by Design Procedures before confirming that your project has been added to the scope of the toolkit.
Get in touch with us at email@example.com for more information and support.