How we're secure
In developing the Secure Data Service, we spoke with secure data enclaves around the world to find out how and why breaches occur.
We learned that the weakest link is not the technology, the data handling or procedural issues. Instead, the greatest potential for a security breach lies in the actions of human beings.
In these cases, breaches stem from two basic causes:
- users who aren't aware of proper statistical disclosure control and data handling procedures
- users who want to escape the limitations of restricted onsite access for the sake of convenience
Our security philosophy
For these reasons, we've built the Secure Data Service on a four-point security philosophy:
- state-of-the-art secure data technology and procedures
- training and convenience for approved researchers
- standards backed by a professional code of practice
- meaningful penalties for breaches
Secure data technology and procedures
The UK Data Archive has been certified for its secure data handling procedures under the international ISO 27001 standard for information security.
The Secure Data Service has been declared 'fit for purpose' by a CHECK 'green light' company on the basis of both internal and external penetration testing and has received government technical accreditation.
Trained staff, who have been through security checks and who have signed non-disclosure agreements, process data using documented and audited procedures on encrypted machines. Access is restricted to particular staff.
Our service uses Virtual Private Network Citrix™ technology. A controlled network prevents outsiders from reading data transmitted between the researcher's computer and the host network.
Researchers are unable to transfer or download any data from the secure server to a local computer. Similarly, users can't use the 'cut and paste' feature to move data into a spreadsheet or document on the local computer. Finally, researchers are prevented from printing data to a local computer.
Citrix™ also has sophisticated auditing tools so that remote usage can be monitored.
Finally, data owners may choose from different remote access options that ensure that each dataset receives the appropriate level of security controls.
Training and convenience for approved researchers
Training is fundamental - all members attend face-to-face training on data security, data handling, statistical disclosure control and penalties for security breaches. Data owners are invited to attend training to be reassured that their data are being accessed responsibly.
Once they are members, researchers can access a 'home away from home' analytical environment from their home institution. We maintain that providing remote secure access actually increases service security by removing the motivation to take data away for use in a more comfortable or convenient location.
Licensing arrangements
All of this is underpinned by a licensing arrangement that requires our members to be ONS Approved or ESRC Accredited Researchers with a research purpose that's appropriate for the data they wish to access. In addition, researchers sign up to our User Agreement, which requires an institutional counter-signature.
Meaningful penalties
Our breaches policy includes penalties of up to five years' sanction barring researchers and their institutions from receiving ESRC research funding, as well as potential criminal proceedings should the user be in breach of the Statistics and Registration Services Act of 2007.
Find out more about our face-to-face training.
Our official breaches policy, endorsed by the ESRC and the Office for National Statistics.
This agreement outlines the terms and conditions of use of the Secure Data Service and is countersigned by the researcher's institution.
The common code that guides us in our everyday practices to ensure that the privacy of respondents is respected.