Safe Haven Services: enhanced security for sensitive data

EPCC Safe Haven Services

A Safe Haven is a highly secure data and compute infrastructure where Information Governance functions make sensitive data available to authorised users for analysis.

EPCC operates a secure, air-gapped computational environment upon which independent organisations can create and control their own Safe Haven service to provide access to sensitive data. Each Safe Haven is isolated from all other Safe Havens.

Information Governance

The Safe Haven foundational use is lawful access to special-category personal data for research. Each Safe Haven Controller must design and implement an Information Governance function. Under the guidance of the Five Safes model, this function manages:

• The Controller-Processor relationship with the EPCC Safe Haven Services as the Safe Setting, and the relationship with the Data Providers
• The lifecycle of Safe Projects
• The conduct of Safe People
• The provision of Safe Data to researchers
• The elicitation of Safe Outputs.

EPCC provides a documented set of Information Governance processes that define the day-to-day relationship between the Controller and the Safe Setting. EPCC does not perform Information Governance functions for the Safe Havens.

Accreditation

The EPCC Safe Haven Services are covered by EPCC’s ISO27001 accreditation for information security practices. They are also self-certified under Cyber Essentials and NHS England’s Data Security and Protection Toolkit.

In addition, the EPCC Safe Haven Services in partnership with the electronic Data Research and Innovation Service (eDRIS) and the National Records of Scotland (NRS) are an accredited processor under the Digital Economy Act 2017 by the UK Statistics Authority for the delivery of the Scottish National Safe Haven Service, and we operate all Safe Havens to the same standard.

Standard Safe Haven services

Our standard Safe Haven service offers a secure data sharing and analysis environment that allows researchers access to sensitive data under the terms and conditions prescribed by the data providers. Researchers access the services through a virtual desktop infrastructure (VDI) and access to the internet is controlled.

The prevalent computational resource is virtual machines, dedicated to each Safe Haven. Safe Havens also have shared access to a large shared-memory, high-performance compute cluster and a compute cluster with GPU accelerators to enable large-scale analyses such as image processing tasks. The EPCC Safe Haven Services are operated at EPCC’s Advanced Computing Facility, which is located in Edinburgh, UK.

EPCC services for a standard Safe Haven:

• Operate and maintain the hosting infrastructure, IT equipment and system software
• Maintain the virtual desktops and a standard suite of analytical software on these desktops
• Resolve queries from Safe Haven Controllers on behalf of data owners and researchers
• Provide 14-day rolling backups.

Additional Safe Haven services

The following services can be requested separately and will be priced based on the staff effort required.

• Facilitate access to bespoke analytical software
• Perform data ingests
• Create data catalogues and perform quality checks
• Perform data deidentification
• Perform data analysis
• Generate synthetic data
• Develop new analyses and analysis pipelines to perform studies at large scale
• Develop an analysis dashboard to perform recurring analyses on data.

Safe Havens at EPCC

Safe Havens hosted in the EPCC Safe Haven Services include the Scottish National Safe Haven, a governed trusted research environment for accredited researchers to work on approved projects of public benefit, using deidentifed, linked, health and administrative data. It is one of twelve Safe Havens in the UK to support such research.

Our other tenants include: the Smart Data Foundry (financial data); DataLoch (health and social care data); and ODAP (health and genomic data for outbreak analysis).

Contact

To discuss hosting your Safe Haven with us, please contact us at: eidf@epcc.ed.ac.uk