Research Lifecycle Programme and Dr Kath Watson, Biological Studies Group, School of Biological Sciences, FBMH

In late 2021, Dr Kath Watson from the Biological Studies Research Group (BSG), led by Professor Kimme Hyrich, approached the Research Lifecycle Programme (RLP) team to ask for support in developing a protocol, to enable the BSG to use MS Teams for internal and external online meetings which discussed highly restricted data. 

Dr Watson’s research group routinely collects rheumatology healthcare data to help the pharmaceutical companies and the regulators (MHRA, EMA, FDA) to monitor the long-term safety in the real world of biologics and other new drugs prescribed to treat inflammatory conditions.

Although the study has been active for over 20 years, the rheumatology healthcare data has been stored in an online database since 2019. The data captured in the BSRBR-RA is sensitive patient healthcare data, classified under the University Data Classification System as Highly Restricted. All University of Manchester requirements for the appropriate governance and security of this database (including the Data Management Plan, the SLSP, IGMF Quarterly Reports, and other necessary agreements) are adhered to. Data is handled in accordance with the University Information Classification, Ownership and Secure Handling processes and guidance.

All NHS and University staff that have access to the BSRBR-RA database have all been through ID checking and all users have either an NHS or University of Manchester email account. The database has end-to-end encryption meaning the data is encrypted on the sender’s computer and decrypted on the receiver’s computer, therefore it is fully protected in transit and only the sender/receiver can view or edit the data.

The main questions Dr Watson needed answers for were (i) does MS Teams provide a level of encryption security that can be relied on, (ii) could the discussions be intercepted, and (iii) could the data be compromised. After discussion with IT colleagues and Microsoft, it was confirmed that MS Teams calls are encrypted, but that full end-to-end encryption had not been switched on at The University of Manchester. The calls are safe and secure but that the data itself should not be stored on the MS Teams site. It was agreed that the current level of encryption is secure enough for day-to-day BSG activity (as outlined below) and was the best option for the group to enable them to work collaboratively.

After discussions with the Internal Governance Office and Ethics teams, the following was agreed as a protocol for research groups to use MS Teams over calls and meetings for research groups who work with highly restricted data.

If other research groups would find this use of MS Teams within their day-to-day work, the protocol below can be adapted to suit specific needs.

For further guidance please contact Anthony Allen (Business Change Manager, RLP Project E).

Further information:

• Protocol for using MS Teams for online meeting and calls when discussing Highly Restricted Data Policy
• Background information about the Biological Studies Research Group

Related