RISM01 Scope

UCL Research Data Information Security Management System Scope #

Document Name: RISM01-Scope

Classification: Public

Author: Tim Machin

Version: 10.2

Last Review Date: 11/04/2025

Last Reviewed by: Angharad Green

Approved by: IRGC

Approved date: 31/03/2025

Review Period: 3 Years

Sources: UCL-IG31

1. Scope Statement #

The scope of the ISMS covers the provision of UCL’s “Trusted Research Environments” to ensure the safe processing of Highly Confidential Research Data.

2. Document Overview #

The following document details the scope of the research data information security management system covering clause 4 of the ISO/IEC 27001 standard. This document will explain the:

This document addresses the following requirements in the ISO 27001:2022 standard:

  • Clause 4.1
  • Clause 4.2
  • Clause 4.3

3. Organisational context #

The UCL Research Data Information Security Management System (ISMS) exists to secure the data used for research by the university and its collaborators. UCL is a large research-intensive institution with a significant amount of research involving sensitive data within multiple data domains such as health, social sciences and education. UCL collaborates with multiple partners across academia, government, industry and the third sector including the hosting of data and projects within UCL. UCL is committed to the protection of data subjects, and to complying with the requirements of our partners and data providers, while improving lives through science and scholarship. Through the ISMS, UCL will meet the legal and regulatory requirements described in section 6.

UCL seeks to address the following issues through the establishment of the Research Data Information Security Management System (ISMS):

  • UCL stores and processes a large amount of sensitive data for research purposes either provided by a third party or produced by researchers themselves.
  • The wide variety of data UCL stores and processes, including sensitive personal and commercially sensitive research data.
  • Research facilities must be adaptable to the evident growth in data volumes and advancements in high performance computing.
  • UCL’s standard approach to information security is not adequate to support this requirement.

Delivery of the research data ISMS and associated technology services is operationalised by ARC (UCL Centre for Advanced Research Computing) in collaboration with ISD (Information Services Division). Both departments report to the Chief Information Officer. ISD and ARC do this on behalf of UCL’s leadership and the organisation’s top management as described below. Information about UCL, ISD and ARC can be found at the links below:

4. Scope Overview #

Scope

The Organisation is made up of:

  • Trusted Research Environments (TREs) in the ISD and ARC. TREs are any Tier 3 or Tier 4 environment as defined in the Data Classification and Tiering Policy.
  • Researchers who use TREs managed by ARC and ISD. These teams comprise members of staff, including honorary staff, and students, along with external research collaborators.
  • Members of the teams managing TREs from ISD and ARC.
  • Subsets of the Research Data Team (Research Data Stewards) within the ARC team who provide information governance advisory services to UCL researchers.
  • Subsets of UCL Human Resources and Estates divisions providing supporting services associated with TREs.

5. Sources of Risk and Controls #

Sources of risk and the approach to controlling risk are documented in the Risk Assessment and Treatment Procedure.

Whilst some sources of risk come from within the organisation itself (e.g. a user deliberately or accidentally leaking information), others originate from outside the organisation (e.g. hacking).

The controls which form part of the ISMS may be mandated and carried out by the organisation itself, mandated by an external party but carried out by the organisation, or mandated and carried out by an external party.

6. Needs and Expectations of Interested Parties #

UCL Wide Values and Strategies

The UCL Research Data ISMS is aligned to UCL’s broader values and strategies as documented below:

Within UCL

Details of these interested parties and their responsibilities can be found in the Roles and Responsibilities Document.

The UCL Information Security Group (ISG) and the Chief Information Security Officer (CISO) are part of ISD and are responsible for setting the information security agenda across UCL. The ISG manages the UCL-wide information security policies that are mandated across UCL; where these policies and processes are more restrictive, they take precedence over ISMS-specific policies. The Chief Information Security Officer is a member of the Information Risk Governance Committee (IRGC) to ensure that their views are represented in management review. UCL staff, across multiple teams, support trusted research environments run by ARC and ISD. The Operational Management Group (OMG), which formally coordinates and manages the ISMS, is formed of members of these support teams, as well as Information Governance professionals.

The organisation’s Top Management is the Information Risk Governance Committee (IRGC), chaired by the Senior Information Risk Owner (SIRO). The IRGC expects to receive reports from the OMG on the performance of the ISMS, and associated documentation for review and approval.

UCL has four Research and Development offices, linked to its partner NHS trusts: Great Ormond Street, Moorfields, The Royal Free and University College London Hospital. UCL also works with other NHS bodies, such as Central and North West London (CNWL) NHS Trust, Camden & Islington NHS Trust along with others. The R&D offices work with researchers in relation to funding and areas of regulatory compliance, which the ISMS is designed to meet.

Researchers and research support staff within the organisation depend upon the ISMS to meet contractual requirements relating to research data and are required to undertake information governance training, with a refresher on expiry. Users of the TREs are informed of developments and inform continuous improvement of technical environments, processes and the operation of the ISMS.

Internal auditors require an audit schedule and expect to have access to documented information and personnel associated with the ISMS.

Researchers are supported in the safe use of sensitive data by other parts of UCL including UCL Ethics, the library (through data management plans) and UCL legal services.

External to UCL

UCL’s partner NHS trusts have many data sharing agreements with UCL researchers, who manage the highly confidential information that they provide. The Head of Clinical Research Governance and Compliance, from the UCL / UCLH Joint Research Office, is a member of the Information Risk Governance Committee to ensure that the views and requirements of NHS partners are represented.

NHS England manages access to national healthcare datasets. The Research Information Governance Lead (IG Lead) maintains regular contact with NHS England to understand changing requirements and to manage compliance with NHS England’s mandated Data Security & Protection Toolkit assurance mechanism. The IG Lead is a member of the Information Risk Governance Committee.

Research is fundamentally about enquiry; therefore, users of the ISMS are encouraged to investigate data from an ever-expanding list of third-party sources. Each data source is typically governed by a set of requirements which the ISMS may be asked to support. Such research data providers seek assurance that UCL meets its obligations through the ISMS.

Suppliers of technical equipment, software and hosting services (such as public cloud providers) are required to meet the standards set out in the UCL Research Data ISMS and to provide evidence of their conformity.

Suppliers of non-technical resources, such as external audits, require documented information relating to the ISMS.

Relevant Legislative and Statutory Requirements:

  • The Data Protection Act 2018 (DPA18) is enforced by the Information Commissioner’s Office (ICO). The UCL Data Protection Officer acts as the point of liaison between UCL and the ICO on these matters. The UCL Data Protection Office is responsible for the data protection registration of studies within the organisation and for ensuring compliance with the DPA18 and the Common Law Duty of Confidentiality. The Data Protection Officer is a member of the Information Risk Governance Committee to advise on DPA matters and to report on developments in this area.
  • The Freedom of Information Act 2000 applies to all data held by UCL unless covered by an exemption.
  • The Computer Misuse Act 1990 covers the unauthorised use of computer systems and data.
  • The Human Rights Act 1998 covers the right to privacy.
  • Contact with authorities in relation to cyber crime, such as the National Cyber Security Centre, is managed by the UCL Information Security Group (ISG). The Chief Information Security Officer is a member of the Information Risk Governance Committee to advise on matters relating to information risk and security.
  • The Confidentiality Advisory Group (CAG), under the Health Research Authority (HRA), oversees applications for data under the Health Service (Control of Information) Regulations 2001 - Section 251 of the NHS Act 2006. The IG Lead has regular contact with the HRA.
  • The Department for Education provides data used by UCL Researchers under The Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009 and related legal powers.
  • Right to work and DBS checks are managed through the UCL HR Employment Contract Administration Office.

Regulatory:

  • NHS England manages research access to a range of NHS data sources, including Hospital Episode Statistics (HES). NHS England also manages the Data Security and Protection (DSP) Toolkit, which is a requirement for applications under Section 251 (see the legislative and statutory section above), for HES, and in many cases for working with data from other sources within the NHS. The DSP Toolkit is revised annually and must be completed each year, so processes and documentation need to be kept up to date.
  • The organisation’s Information Security Management System conforms to ISO/IEC 27001:2022.
  • Medical trials are subject to audit by the Medicines and Healthcare products Regulatory Agency (MHRA), which includes audit of information security.

8. Out of scope #

The scope defines a clear boundary within which risks are managed. Data transfers outside of the boundary are outside of this scope. The following are examples of elements outside of the scope of the ISMS:

  • Data, once exported from the boundaries of a TRE. These boundaries are defined within the Data Classification and Tiering Policy and the definition document for a specific environment.
  • Endpoint devices used to connect to a TRE.
  • Any unclassified Technical Environment or any Environment with a classification lower than Tier 3.