IG Process UCL and Turing

UCL

Thanks to #436

• UCL IG process.pdf
• IAO: https://www.ucl.ac.uk/isd/it-for-slms/research-ig/articles/information-asset-owner-owner
• IAA:https://www.ucl.ac.uk/isd/it-for-slms/research-ig/articles/information-asset-administrator
• More on the information risk assessment: https://www.ucl.ac.uk/isd/it-for-slms/research-ig/articles/sharepoint-guide/information-risk

Turing

Thanks to #411

Turing flowcharts for determining the classification tier for a work package (data + what we plan to do with it).

• Data classification overview
• Full flowchart
• Simplified flowchart

Note: Turing currently processes data up to relatively strongly pseudonymised data, and we're keen to get input from organisations that process more sensitive data on where the boundaries should be for higher tiers (3 and 4, should there be something above 4?). There have been some recent discussions about the boundary between tiers 3 and 4 / whether there should be an additional tier between these when it comes to non-pseudonymised data (we don't currently handle any non-pseudonymised data).

Cambridge

People

• School of clinical Medicine - Victoria Hollamby - vph20@medschl.cam.ac.uk

NHS Data Classification

• School of clinical Medicine, research governance office
  • School policy - personal identifiable research data from safe havens
  • Routinely connected data without patient consent (may be de-identified)
  • NHS Local trust and University
• Massively helpful to have a data classification tool to systematize

Terms

• DPAI - Data protection impact assessments
• ISRA - information security risk assessment

Impact-driven classification

• Data -> Impact -> Value
• Risk to university (not just the data subjects in DPAI classification) matrix
• Classification directly assigned from impact assessment
• Links

App

• Impact analysis section
  • Impact areas
  • select impact type
    • rate impact from 1 (none) - 5 (very high/critical)
• Likelihood -> Containers, threat scenario and controls