MSD IGO- A Year On

A year ago the Information Security Team introduced the Information Governance Office as a service to the Medical Sciences Division. Aimed at providing expertise in information security and governance to our colleagues in the Division, there was a clear requirement for support. We were working to not only develop and maintain a divisional information governance framework and help unlock the red tape around accessing research data (more on that here). 

We have: 

  • Engaged with research community and departmental stakeholders, making over 54 visits
  • Established internal and external processes to streamline data application processes for research staff, and helped 16 research projects obtain data from NHS Digital
  • Responded to over 100 support calls relating to information governance
  • Delivered face to face training sessions to over 90 people, and saw the online training uptake rise to over 3700 attempts
  • Set up an online platform to share good practice and guidance from external bodies

We began our service by engaging with key stakeholders in the division, and gauging not only the information asset and risk landscape, but also by understanding the research activities, which was a new territory for those of us outside the health and social care sector.  

The point of contact between non-research and research activities in the department mostly flows through the departmental administrators. The drafting of contracts and approval of agreements is managed by Research Services, and the support for anything technical comes from departmental IT staff and/or MSD IT Services. Our role is to bring these parties together to make life easier for our researchers, and to promote the existing good practice in place across the Division. 

From the terminology to the regulations, research compliance was a relatively new territory for us. Not necessarily because we weren’t able to translate regulatory requirements but knowing when and where they apply. In a world where the academic was a clinician and a researcher, and had both an NHS contract as well as a University one, we saw the need to change our view of the world. We could not view the world as neat data flows and processes but something more like a jigsaw puzzle, to be broken down and then re assembled, with information not just from academics, but also other stakeholders involved, before we could truly understand. 

We’ve found that only a few people, both within the University and in the wider sector, have the knowledge we need and these subject matter experts have helped us increase our understanding and get to a stage where we could see the difference in research project types, and what requirements applied when (as well as understanding the stages of clinical research). Medical Research Council (MRC) proved to be a great source of guidance, and support for its researchers, and we were able to contribute to the wider conversation around Common Law duties, and GDPR, as well as in the development of their new training materials for the Research sector (due to be released over Summer). 

Having passed this initial barrier, we were quickly in a position to gain clarity on where we can offer the most value, and indeed where our expertise can be translated into the division. We know that research projects often need the approach we take with projects in IT Services, which is based on industry good practice for embedding security in IT projects. 

That alone is not enough. We find projects, with extraordinary research questions, requiring complex and out of the box thinking to comply with the data protection and security requirements for the University, their collaborators, the country of research, and GDPR. We have translated these into non-functional requirements for service providers and developers. We have also provided guidance on third party due diligence knowing what we know, and flagged up relevant technical and security requirements as defined in protocol (and applications to ethics bodies and data providers). 

We’re navigating new territory, where corporate laws are catching up with the research sector’s embedded practices; and we’re all required to not just be aware of our research projects and the risks within, but also navigate the national data custodians and their requirements in response to the changes to law and a diminishing public trust. All of this overlays the uncertainties and unwritten, but important, laws of medical science that govern practitioners worldwide.