Security and governance

EIDF services can have different security levels depending on the needs of individual data projects. We offer standard, everyday security through protected data access environments and, in partnership with external controllers, full safe haven services in the EPCC Trusted Research Environment (TRE). EIDF services are covered by EPCC's ISO 27001 accreditation for information security practices, and by the National Cyber Security Centre Cyber Essentials self-certification. The EPCC TRE is additionally covered by the NHS England Data Security and Protection Toolkit self-certification. The Scottish National Safe Haven service is accredited by the UK Statistics Authority under the Digital Economy Act 2017 as a safe haven for sensitive research data, and we operate all our Safe Haven services in the EPCC TRE to the same standard.

EIDF's approach to data security is built on three principal foundations: data protection law; the Five Safes model; and the Scottish Government Charter for Safe Havens.

EPCC's services, including EIDF, are accredited for information security and quality management in a variety of ways.

EIDF is managed in the same way as our other national services and systems at EPCC, all of which follow standard computer security practices and are covered by our ISO 9001 accreditation for service quality and ISO 27001 accreditation for information security management.

A “Safe Haven” is a particular area of EIDF that is subject to additional security measures and external information governance, within which approved users can work with particularly sensitive data such as medical or financial records, survey microdata, or other kinds of personal information. EPCC operate Safe Haven environments for a number of partners who provide the overall information governance and control.