Information Governance Policy and Airwave Study Data
When participants were recruited into the Airwave Health Monitoring Study, we stated in the Information Leaflet that the long-term store for all data obtained from the Study will be a Private Network, and we provided a brief outline of its security features. Operation of the Private Network is governed by a policy that was approved both by the Study’s Steering Group and the NHS, and it has operated successfully since we began recruiting in 2004.
In order for the Study to keep operating, the NHS now requires us to adopt a different standard for information governance, one that brings it into line with the requirements placed on all organisations that holds identifiable patient data. In order for us to meet this standard, we need to relocate the Study’s data to a new network. This new network, which we are calling an Enclave, meets the NHS standard. The Airwave Tissue Bank team have made substantial inputs into the Information Governance policy developed for the Enclave, and are confident that the standard of information security is at least as good as that provided by the Private Network.
There are differences of detail between the Private Network and the Enclave. The main one is that, whilst access to and from the Enclave is strictly controlled, it is not physically disconnected (air-gapped) from every other network. Instead, the Enclave shares a heavily-guarded infrastructure which is used by researchers working on other projects that have similarly stringent security requirements. Governance of the Enclave is according to a policy defined by the Imperial College School of Public Health and this will replace the Study's existing security policy. It provides a framework for bringing together all the legislative and regulatory requirements, standards and best practice that apply to the handling of sensitive information.
Within the Enclave, we benefit from a new team of professionals dedicated to keeping it operating safely, and this is in addition to our existing Database Management team. Also, a senior clinician from within the NHS Trust, known as the Caldicott Guardian, will be ultimately responsible for protecting the confidentiality of participants’ information. Finally, the Enclave is subject to more rigorous internal and external audit than we have been hitherto able to implement. Overall, we are confident that the risk to the security of participants’ data is not impaired by the move from the Private Network to the Enclave.
The new arrangement affects only the technical infrastructure and its governance. The governance process that grants access to participant’s data is not changing, and will continue to be strictly controlled.