Data security is essential to comply with ethical and legal requirements. A Data Management Plan must document the safeguards that will be put in place to ensure security.
All the measures outlined in this guide are designed to reduce the risk of unlawful disclosure by either:
These should be documented in the following sections/questions of the BU Data Management Plan (DMP) template:
Ethical and legal compliance
Storage, back-up, and security
Online and electronic storage
Only storage solutions approved by IT Services can be used to store personal or other sensitive data. Our storage guidance sets out the pros and cons of different solutions and states whether each storage solution is secure or not.
To keep data secure, consider:
Contact IT Services for any support with implementing any of these measures.
BU's Mobile Device Security Guide should be followed to keep data on mobile devices issued by BU secure.
Physical storage
Paper-based sensitive or confidential records or data should be kept in a secure on-campus location, for example a lockable office.
Measures should also be in place to keep sensitive documents secure while in transit (e.g., between the site where the data was collected and the secure office), for example the use of tamper-proof bags.
Data can be kept secure by restricting access to authorised persons/organisations only.
These would include members of the project team or external partners.
Data might also need to be shared with third-party services. For example:
It must be documented in a Data Management Plan (DMP) who will have access to what data. This will help to:
BU Transfer should be used to send and receive files containing personal or sensitive data. Email should never be used, because it is nowhere near as secure. Tick the option to 'Encrypt every file' when sending personal or confidential data.
Sensible file names and well-organised folder structures:
The UK Data Service has guidance on file naming and structure.
Data minimisation means only collecting personal data needed for your research and no more. It is not acceptable to collect more than is strictly needed on the off-chance it might be helpful in the future.
It is a requirement of GDPR, designed to increase data security by reducing the risk of unlawful disclosure. If only the minimum amount of personal data is handled to begin with, the scale of any breach and its potential impact on participants are reduced.
You will be required to provide a justification in your Data Management Plan for any personal data you plan to collect. It's a reflective exercise to assess whether you're collecting the right amount of personal data to comply with the principle of data minimisation.
Anonymisation of data should be considered throughout a research project to reduce risks to participants in the event of a data breach.
Research data intended for publication must also be anonymised in line with participant agreements.
The UK Data Service has a very useful guide to anonymisation and how to assess and minimise risks of disclosure.
Common steps to anonymise data include:
If it is necessary to keep non-anonymised versions of data, make sure these are stored in a separate file location. This will reduce the risk of inadvertently sharing the identifiable versions of datasets. The same applies to any documents containing the 'keys' to re-identify pseudonymised data, or logs of any changes made to datasets.
Pseudonymisation refers to techniques that replace, remove or transform identifiers in data (such as names) with pseudonyms (such as a reference number). The original identifiers are linked to their pseudonyms in a document (the key) that must be kept separately from the pseudonymised data. Only someone with access to the key can re-identify participants in the data.
Pseudonymisation enhances security of the data because it reduces the probability of participants being identified in the event of data loss or theft.
Unlike data that has been truly anonymised, pseudonymised data is still personal data as defined by UK GDPR.
The Information Commissioner's Office have produced a guide to pseudonymisation.
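The following is an added illustration, not code from BU or from the guides linked above, of the pseudonymisation and separate-key storage described in the preceding paragraphs. It takes a constructed set of participant records, replaces the direct identifiers with random reference numbers, and produces the dataset and the re-identification key as two separate outputs. The field names, the "P-" pseudonym format and the two storage locations named in the comments are assumptions made for the example.

```python
"""Added example (not BU's own code or guidance): pseudonymise a small
participant dataset and keep the re-identification key separately.

Assumptions (not from the page): field names, the pseudonym format
"P-<hex>", and the two output locations are constructed for illustration.
"""
import csv
import io
import secrets

# Constructed sample records; these are not real participants.
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "age": 34, "score": 7},
    {"name": "Bob Example", "email": "bob@example.org", "age": 51, "score": 4},
    {"name": "Alice Example", "email": "alice@example.org", "age": 34, "score": 9},
]

# Direct identifiers to strip out of the research dataset.
IDENTIFIER_FIELDS = ("name", "email")


def pseudonymise(records, identifier_fields=IDENTIFIER_FIELDS):
    """Return (pseudonymised_records, key).

    Each distinct participant (same identifier values) gets one random
    reference number, so repeat entries can still be linked within the
    dataset. The key maps reference number -> original identifiers and
    must be stored apart from the dataset.
    """
    key = {}      # pseudonym -> original identifiers (the separate document)
    lookup = {}   # original identifiers -> pseudonym (used only while building)
    out = []
    for rec in records:
        ident = tuple(rec[f] for f in identifier_fields)
        pseud = lookup.get(ident)
        if pseud is None:
            # Random rather than sequential, so the order of pseudonyms
            # reveals nothing about recruitment order.
            pseud = "P-" + secrets.token_hex(4)
            while pseud in key:
                pseud = "P-" + secrets.token_hex(4)
            lookup[ident] = pseud
            key[pseud] = dict(zip(identifier_fields, ident))
        new_rec = {k: v for k, v in rec.items() if k not in identifier_fields}
        new_rec["participant_id"] = pseud
        out.append(new_rec)
    return out, key


def reidentify(pseud_record, key):
    """Re-attach identifiers; only possible for whoever holds the key."""
    ident = key[pseud_record["participant_id"]]
    rest = {k: v for k, v in pseud_record.items() if k != "participant_id"}
    return {**ident, **rest}


def contains_identifiers(records, identifier_fields=IDENTIFIER_FIELDS):
    """Pre-sharing check: True if any identifier field survived."""
    return any(f in rec for rec in records for f in identifier_fields)


def to_csv(rows):
    """Serialise rows to CSV text, as would be written to each location."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    data, key = pseudonymise(RAW_RECORDS)
    # Hypothetical destinations: the dataset goes to the shared project area,
    # the key to a separate, more restricted location.
    print("dataset (shared project area):\n" + to_csv(data))
    key_rows = [{"participant_id": p, **ident} for p, ident in key.items()]
    print("key (separate restricted location):\n" + to_csv(key_rows))
```

The `contains_identifiers` check is the kind of guard worth running before a dataset leaves the project team; the key output is never combined with the dataset, which mirrors the guidance that the key is stored in a separate file location.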
The storage limitation principle in UK GDPR specifies that personal data must be kept for as long as it is needed and no longer. If security is compromised, risks will be reduced if data has already been securely disposed of.
It will usually be necessary or appropriate to retain research data which forms the basis of published research findings for a significant period after the end of the active research period. This may be due to funder or auditing requirements, or perhaps for future research.
In other cases, it may not be necessary to retain data. For example, interview audio recordings could be deleted once transcriptions have been produced (or after the viva for postgraduate researchers), if the audio files are no longer needed.
Retention periods specify how long data and associated documentation are to be kept. They must be documented in the Data Management Plan (DMP).
Retention periods
Unless funder requirements specify otherwise, research data underpinning findings in publications should be accessible for at least 10 years. This is in line with Principle 2 of UKRI's Common principles on research data as specified in their Guidance on best practice in the management of research data.
As a rule, project documentation (consent forms, protocols, ethical review forms, administrative documentation, participant details, health and safety records etc.) should be retained in line with the research data.
Once the retention period has ended, data and documentation will need to be reviewed to decide whether to extend retention, or to securely destroy them.
It is necessary to specify in a Data Management Plan how you plan to securely destroy data when it is no longer needed. The UK Data Service has advice on secure disposal.