Information Governance Policy and Airwave Study Data
Posted8th December 2016
When participants were recruited into the Airwave Health Monitoring Study, we stated in the Information Leaflet that the long-term store for all data obtained from the Study will be a Private Network, and we provided a brief outline of its security features. Operation of the Private Network is governed by a policy that was approved both by the Study’s Steering Group and the NHS, and it has operated successfully since we began recruiting in 2004.
In order for the Study to keep operating, the NHS now requires us to adopt a different standard for information governance, one that brings it into line with the requirements placed on all organisations that holds identifiable patient data. In order for us to meet this standard, we need to relocate the Study’s data to a new network. This new network, which we are calling an Enclave, is currently in development and is intended to meet the NHS standard. The Airwave Study team are making substantial inputs into the policy being developed for the Enclave, and are confident that the standard of information security will be at least as good as that provided by our current arrangement.
There are differences of detail between the Private Network and the Enclave. The main one is that, whilst access to and from the Enclave will be strictly controlled, it will not be physically disconnected (air-gapped) from other networks. Instead, the Enclave will share a heavily-guarded infrastructure which will also be used by researchers working on other projects that have similarly stringent security requirements. Governance of the Enclave will be according to a policy defined by the Imperial College School of Public Health and this will replace the Study's existing security policy. It provides a framework for bringing together all the legislative and regulatory requirements, standards and best practice that apply to the handling of information.
Within the Enclave, we will benefit from a new team of professionals dedicated to keeping it operating safely, and this will be in addition to our existing Database Manager. Also, a senior clinician from within the NHS Trust, known as the Caldicott Guardian, will be ultimately responsible for protecting the confidentiality of participants’ information. Finally, the Enclave will be subject to much more rigorous internal and external audit than we have been hitherto able to implement. Overall, we are confident that the risk to the security of participants’ data will not increase when the migration has completed.
I would emphasise that the new arrangement affects only the technical infrastructure and its governance. The governance process that grants access to participant’s data is not changing, and will continue to be strictly controlled.
Our current plan is for the Enclave to be implemented in quarter one of 2017, at which point we will migrate the Study’s data to it. If you have any questions about the new arrangement, please contact Andy Heard (Database Manager) at [email protected] or Professor Paul Elliott on [email protected]mperial.ac.uk (Principal Investigator).