Skip to Main Content

Research Data Management: Security

Research Data Management (RDM) Library guide

Data minimisation and storage limitation

Keeping data secure is much easier if you follow the GDPR principles of data minimisation and storage limitation. Data minimisation means only collecting personal data needed for your research and no more.

  • For example, if you need to know how old a participant is for your research study, collect their age and not their date of birth. This reduces the risk to the participant if data is disclosed in error.

Storage limitation means only keeping personal data for as long as it is needed and no longer. If security is compromised, risks will be limited if data has already been securely disposed.

When retention periods have passed the data should be securely destroyed. Deleting files and reformatting a hard drive will not securely erase information. The UK Data Service provide guidance on secure data disposal.

Any personal data (GDPR) which is planned for retention beyond the end of the project, should be documented and justified in the DMP.

Anonymisation

Anonymisation of data should be considered throughout a research project to reduce risks to participants in the event of a data breach. 

The UK Data Service has a very useful guide to anonymisation and how to assess and minimise risks of disclosure.

If it is necessary to keep non-anonymised versions of data, make sure these are stored in a separate file location. This will reduce the risk of inadvertently sharing the identifiable versions of datasets. The same applies to any documents containing the 'keys' to re-identify pseudonymised data.

Data security measures

The measures articulated in BU's Data Protection Policy (Section 17) must be in place to keep data secure.

University-owned devices

Where possible, BU owned storage such as OneDrive for Business or SharePoint should be used to store data as these offer secure data storage. To keep data secure within OneDrive for Business and SharePoint, consider:

  • Adding password protection to documents.
  • Assign access to specific people only.
  • Limit permissions to share documents to an assigned individual.
  • Keep sensitive data in a separate, secure folder.
  • Keep pseudonymised data and the data to re-identify participants in separate folders.

Contact IT Services for any support with implementing any of these measures.

BU's Mobile Device Security Guide should be followed to keep data on mobile devices issued by BU secure.

Personally-owned devices

If using personal devices, ensure that you comply with BU's Mobile Computing Policy.

Additional guidance