Keeping data secure is much easier if you follow the GDPR principles of data minimisation and storage limitation. Data minimisation means only collecting personal data needed for your research and no more.
Storage limitation means only keeping personal data for as long as it is needed and no longer. If security is compromised, risks will be limited if data has already been securely disposed.
When retention periods have passed the data should be securely destroyed. Deleting files and reformatting a hard drive will not securely erase information. The UK Data Service provide guidance on secure data disposal.
Any personal data (GDPR) which is planned for retention beyond the end of the project, should be documented and justified in the DMP.
Anonymisation of data should be considered throughout a research project to reduce risks to participants in the event of a data breach.
The UK Data Service has a very useful guide to anonymisation and how to assess and minimise risks of disclosure.
If it is necessary to keep non-anonymised versions of data, make sure these are stored in a separate file location. This will reduce the risk of inadvertently sharing the identifiable versions of datasets. The same applies to any documents containing the 'keys' to re-identify pseudonymised data.
The measures articulated in BU's Data Protection Policy (Section 17) must be in place to keep data secure.
University-owned devicesWhere possible, BU owned storage such as OneDrive for Business or SharePoint should be used to store data as these offer secure data storage. To keep data secure within OneDrive for Business and SharePoint, consider:
Contact IT Services for any support with implementing any of these measures.
BU's Mobile Device Security Guide should be followed to keep data on mobile devices issued by BU secure.
Personally-owned devicesIf using personal devices, ensure that you comply with BU's Mobile Computing Policy.
Additional guidance