Summary of NHS Lothian data sharing requirements For identifiable Patient Data a remote Trusted Research Environment (e.g. Safe Haven) and University managed device with no administrator access is recommended to most easily comply with these requirements. Advice on how to meet the Information Security Standards for the technical infrastructure that you are using is available from the Information Security team, and help on how to implement changes to meet the requirements it is available from your Local IT team. Email the Information Security Team View support available from IS and find Local School Helpdesks For all new research or data sharing arrangements with NHS Lothian, University researchers must comply with the following as a minimum: As of 8 November 2022 Caldicott Principles 2012 NHS Scotland Code of Practice on Protecting Patient Confidentiality Data Protection: Data Protection Act 2018 & UK GDPR Data Protection Impact Assessments (or Project Risk Assessment (contained in ethics application)) Baseline University Security Principles: Patient Data is only stored and Processed in a secure networked environment (in the secure University enterprise infrastructure) controlled by the University; access to the Patient Data is provided only to authorised employees and consultants of the University working on the Research Project; authorised employees and consultants of the University with access to the Patient Data keep passwords and usernames secret and do not disclose or share these in any manner; authorised employees and consultants of the University with access to the Patient Data will set passwords of at least 12 characters with sufficient complexity and secrecy that it would be impractical for an attacker to guess or discover the correct secret value; authorised employees and consultants of the University will operate in line with the principle of least privilege, granting the minimum permission for the role and being denied local administrator accounts by default; access to the secure networked environment controlled by the University where Patient Data is stored is limited to individual user accounts and only authorised employees and consultants of the University have access to such accounts; Patient Data is never stored on personally-owned devices, and personally-owned devices may not be used to access Personal Data; University supported laptops may only be used to store Patient Data where they have automatic whole disk encryption, are maintained as fully supported devices (not extended security updates) and always use a secure connection (e.g. virtual private network or DirectAccess) to connect to the secure networked environment within the University’s IT infrastructure; software is kept up to date by the University considering vulnerability management and patch management; when Patient Data is transmitted it must be encrypted to accepted industry standard; controls are in place by the University to avoid unauthorised physical access or loss, e.g. computer locks or secure storage cupboards; and up-to-date anti-virus and anti-malware software is installed and active at all times on all devices being used to access Patient Data. After 8 August 2023 The University will also be required to meet all of the applicable University Information Security Standards. View University of Edinburgh Information Security Standards (UoE staff only) After 8 November 2023 The Scottish Public Sector Action Plan: Cyber Resilience Framework NHS Scotland Mobile Data Protection Standard (2012) Scottish Government Records Management: Health and Social Care Code of Practice (Scotland) 2020 NHS Lothian eHealth Security Policy April 2018 (UoE staff only) View full Framework Agreement (UoE staff only) This article was published on 2024-01-24
