
BMRC and Information Governance

Researchers in the biomedical sciences and related fields use a broad range of data types, from personal and special category data (e.g. healthcare, genetic and biometric data), through anonymised data from external repositories, to data collected from deceased or non-human subjects. Over the years, BMRC has improved the security of its systems so that many of these data types can now be processed routinely on our platforms.

BMRC requires that all University and departmental Information Governance (IG) and approvals procedures are followed before project data are brought to our platforms.

For PIs, this typically means working with their departmental IG team, who will formally assess whether the project contains data which are considered personal within the scope of the University of Oxford. The IG teams can advise and assist on the correct procedures to follow.

IG Assessment

A typical decision tree might be: 

  • if the dataset does not contain data from living humans, it will not be considered personal and further IG processes are usually not required; this will be confirmed by the departmental IG team; 

  • if the dataset contains data from living humans but the data can be considered anonymous within the scope of the University of Oxford, then the departmental IG team should assess the anonymity of the data which they may do using the Data Subject Anonymity Assessment (DSAA); 

  • if the dataset contains data from living humans that are personal data, then the University data protection by design procedure, such as completing a Data Protection Impact Assessment (DPIA), must be followed with guidance from the departmental IG team. 


Contracts

BMRC needs to be made aware of any specific information security or other contractual requirements associated with the dataset so that we can ensure that we are able to meet them. These requirements are typically distinct from IG considerations. For example, accepting the terms and conditions when downloading data from websites often implies such extra requirements. It is important to note that some data from NIH now requires compliance with NIST 800-171 rev3. 


Data Register

BMRC requires an entry in the BMRC data register (a short web-form) for every dataset held on BMRC systems. 


Compliance

BMRC has completed the NIST 800-171 rev3 assessment and submitted a plan of action and milestones which has been accepted as compliant by University Information Security and Research Services. BMRC is currently the only generally accessible facility that is recognised in this way, and therefore is the default platform for processing relevant data from NIH sources such as dbGaP. 

In addition to using BMRC for this research, the PI's home department may also be asked by Research Services to provide extra information on security controls that are out of scope for BMRC to answer (e.g. relating to departmental HR processes, training records and purchasing policies). 

BMRC can provide security information about its platforms to researchers to help them complete the appropriate risk assessment, e.g. DPIA or DSAA, to enable them to host their data on our platforms.