By Katharine Evans and Hannah Woodward, UK LLC Information Security Team
16th Mar 2023
Protecting the confidentiality and security of study participant data is of critical importance to UK Longitudinal Linkage Collaboration (UK LLC).
For that reason, UK LLC has invested heavily in developing a comprehensive ‘Information Security Management System’. This involves undertaking independent audits to make sure our security and safeguards are robust.
We know from our public involvement work that this is of great importance to study participants. We are proud that we can demonstrate the robustness of what we do through independent audit.
This blog tells the story of how we approached this.
Katharine and I joined UK LLC in October 2021 and our first key task as UK LLC’s new Information Security Team was to obtain ISO 27001 certification of UK LLC’s Trusted Research Environment (TRE).
Designing an Information Security Management System (ISMS) from scratch is an intensive and complex process. This is because such a system only works when it is embedded in every part of the organisation and supported by a working culture in which every member of staff understands security issues and builds them into their thinking and their work.
We had some help though!
I had previously worked in Information Security at the ALSPAC birth cohort study. This meant I was familiar with the processes and language, and this also gave me a very useful perspective as to what a longitudinal study needs from its data partners, such as UK LLC, and a very clear understanding of what a robust system looks like.
Finally, our system had to be integrated with the University of Bristol’s security system as they provide a lot of our infrastructure – fortunately, we had the support of the University’s security team and could build on the good work they had done on ensuring we were already accredited to Cyber Essentials.
Certification of an ISMS to the ISO 27001 standard is recognised worldwide to indicate that an organisation’s management system is aligned with international Information Security best practices. It’s seen as the ‘gold standard’ and demonstrates that Information Security – the confidentiality, integrity and availability of data – is considered and built into everything an organisation does.
UK LLC’s TRE contains de-personalised data about people enrolled in contributing longitudinal population studies (LPS). Protecting the confidentiality and security of study participants’ data and maintaining the integrity and availability of data accessed by approved researchers, are of critical importance to UK LLC.
Information Security relies on strong teamwork and clear communications. We had countless meetings across our team to understand each person's role, and created new policies and SOPs (standard operating procedures), including what we do should things go wrong. We created a structure which is incorporated into every part of UK LLC's work, and then we had to test, or audit, it to check that everything worked as expected.
An audit is normally cyclical, and we follow the Plan, Do, Check, Act way of working. To check that our ISMS worked as planned, we completed an audit of our entire ISMS. This involved a lot of spot checks and internal audits on all the teams within UK LLC and all of the suppliers we interact with. The results from these audits and spot checks enabled us to identify and address gaps and helped us prepare for external audit by independent ISO 27001 assessors.
We were audited twice, in March and July 2022. The first audit was an online interview across two days and the second audit was on site at our office in Canynge Hall (University of Bristol) over three days. It was intense, with lots of meetings and interviews. We were delighted when we found out that we had achieved ISO 27001 certification of UK LLC's TRE.
Information Security is an ongoing commitment. We continue to follow our schedule and audit cycle and are already planning for the next ISO 27001 surveillance audit in May 2023. Following this, there will be a further surveillance audit in 2024 and a full five-day external recertification audit in 2025, after which we would be certified for the next three years.
After receiving the certificate, we didn’t rest on our laurels. We started to work on the next task, which is to be an accredited processor under the Digital Economy Act (DEA). This exacting standard is specifically designed to ensure organisations in the UK have a sufficiently robust ISMS to include data from Government Departments in their TREs. This is a much bigger piece of work than ISO 27001 and we are hoping to gain accreditation in early 2023 – watch this space for our next blog.
Follow us on Twitter: @UKLLCollab
Animation explaining UK LLC: https://youtu.be/QfyaG3zemcs