UCL Research Data Information Security Management System
Classification: Public
Author: Tim Machin
Version: 1.1
Last Review: 10/04/2025
Last Reviewed by: Jack Hindley
Approved by: OMG
Approved date: 12/03/2025
Review Period: 3 years
Study Agreement
As the Information Asset Owner (Owner) of a “Study” you are accountable for any confidential information processed by the members of your team. The purpose of this form is to gain your confirmation of this accountability. A public copy of this agreement can be found here.
The Information Asset Owner is equivalent to the Data Owner as defined in the UCL Data Protection Policy. This will usually be the Principal Investigator or the holder of the research funding award. The Information Asset Owner must be a full member of UCL staff (not honorary staff). If the Principal Investigator is not employed by UCL then an equally senior UCL staff member should be appointed as the Information Asset Owner.
This agreement aligns with the 5 Safes Framework and Documented Information for the Research Data Information Security Management System including:
Agreement
I confirm that I am the Information Asset Owner in UCL of the following study.
Confirm study number (IG/-xxxxx)
I understand that as Information Asset Owner, I must:
Safe Projects
- be accountable to the Senior Information Risk Owner (‘SIRO’) for ensuring information risks are properly managed,
- be in a position to secure resources to ensure information will be properly handled,
- be accountable for reporting information security incidents,
- be accountable for managing information risks within the Study,
- be accountable for maintaining standard operating procedures (or ‘the study protocol’) for handling confidential information,
- ensure compliance with UCL Data Protection and Information Security policy,
- understand and be able to account for the legal basis of information assets held,
- ensure that contractual requirements on handling confidential information are agreed, documented and adhered to,
- be accountable for maintaining records of information assets,
- be accountable for the transfer or sharing of information assets,
- be accountable for providing access to suitable information for audits,
- be accountable for the transfer of these requirements to a suitable staff member if/when relinquishing the role of Information Asset Owner,
- ensure that any corrective actions within the control of the study are completed in the event of an information security incident or audit finding,
Safe Researchers
- undertake suitable information security training regularly,
- be in a position to mandate that responsibilities such as training are undertaken,
- ensure that team members undertake suitable information security training (as detailed in Roles and Responsibilities):
  - at onboarding,
  - when a change in role and/or responsibilities occurs,
  - before training has expired,
- ensure any background checks required are completed on the team members,
- ensure all team members have suitable UCL contracts for handling confidential information,
- ensure that new starters and team members joining from other roles are given access in accordance with the Access Control Policy,
- ensure that access is revoked in accordance with the Access Control Policy,
- ensure that team members understand their responsibilities with regard to confidential information,
- ensure that a training needs analysis is implemented if/when team members need additional information security training,
- ensure that appropriate disciplinary action is taken if/when information security non-compliance is not rectified,
- be accountable for keeping team members up to date with changes in policy and guidance concerning confidential information,
Safe Data and Safe Outputs
- ensure Study data is held in an Environment appropriate for the level of risk in accordance with the Data Classification and Tiering Policy,
- ensure that all reasonable measures are taken to prevent unauthorised re-identification of anonymised and pseudonymised personal data,
- be accountable for ensuring outputs exported from a Trusted Research Environment are “Safe”, and
- be accountable for secure deletion of information assets.