LibGuides: Research Data Management: Security

Data Management Plans (DMPs) - Security

Data security is essential to comply with ethical and legal requirements. A Data Management Plan must document the safeguards that will be put in place to ensure security.

All the measures outlined in this guide are designed to reduce the risk of unlawful disclosure by either:

Putting in place barriers to unauthorised access (e.g. encryption and password protection)
Making it easier to keep data secure (e.g. good file management practices)
Or reducing or removing risk altogether (e.g. data minimisation, anonymisation, storage limitation and secure destruction)

These should be documented in the following sections/questions of the BU Data Management Plan (DMP) template:

Ethical and legal compliance

Briefly describe why the personal data you're handling is needed. > Data minimisation
Will any of the data be received from partners outside of the UK? > International data transfers
Briefly list the countries/partners where data will be received from.
Will any of the data be sent to partners outside of the UK? > International data transfers
Briefly list the countries/partners where data will be sent to.
Provide brief details of anyone else who will have access to any of the data. > Restricting access to authorised persons and organisations

Storage, back-up, and security

Where will your non-digital research data or project documentation be stored, short or long-term? > Physical storage
Where will your digital research data or project documentation be stored, short or long-term? > Electronic storage
Do you plan to keep identifiable participant data after the study has finished? > Storage limitation and retention periods
Provide a justification if you plan to keep identifiable participant data after the study has finished.
How and when will personal or other sensitive data be deleted/destroyed? > Data destruction > Storage limitation and retention periods
What security measures will be put in place to prevent unauthorised disclosure of data, both during and after the study?

Secure storage

Online and electronic storage

Only storage solutions approved by IT Services can be used to store personal or other sensitive data. Our storage guidance specifies the pros and cons of different solutions, and specifies whether a storage solution is secure or not.

To keep data secure, consider:

Adding password protection to documents.
Encrypting devices or encrypting files while using BU File Transfer
Assign access to specific people only.
Limit permissions to share documents to an assigned individual.
Keep sensitive data in a separate, secure folder.
Keep pseudonymised data and the data to re-identify participants in separate folders.

Contact IT Services for any support with implementing any of these measures.

BU's Mobile Device Security Guide should be followed to keep data on mobile devices issued by BU secure.

Physical storage

Paper-based sensitive or confidential records or data should be kept in a secure on campus location. For example, a lockable office.

Measures should also be in place to keep sensitive documents secure while in transit (e.g., between the site where the data was collected and the secure office). For example, the use of tamper proof bags.

Restricting access to authorised persons and organisations

Data can be kept secure by restricting access to authorised persons/organisations only.

These would include members of the project team or external partners.

Consider, however, whether it is necessary to give access to every member of the team. The greater number of people with access to data, the greater potential risk of unintentional disclosure.

Data might also need to be shared with 3rd party services. For example:

A transcription service provider
3rd party services used to collect or host data (e.g. JISC Online Surveys)

It must be documented in a Data Management Plan (DMP) who will have access to what data. This will help to:

Ensure data is only accessible to those who need it.
Flag where IT Services or Legal Services need to be involved to make sure only authorised providers are used, and appropriate agreements are in place.

Secure file transfer

BU Transfer should be used to send and receive files containing personal or sensitive data. Email should never be used, because it is no-where near as secure. Tick the option to 'Encrypt every file' when sending personal or confidential data.

Organisation

Sensible file names and well-organised folder structures:

Make it easier to find and keep track of data files.
- It saves time... ("Where did I put it again?" or "Why o why did I call all these files data1, data2, data3... Which one has the data I need!")
- Makes it easier for BU to find and identify data and documentation it is ultimately responsible for, long after projects have finished or individuals have left BU.
Improve the security of the data by:
- Keeping sensitive data separate from anything else that can be shared more widely.
- Making it easier to keep track of retention or disposal of data.

The UK Data Service has guidance on file naming and structure.

Data minimisation

Data minimisation means only collecting personal data needed for your research and no more. It is not acceptable to collect more than is strictly needed on the off-chance it might be helpful in the future.

It's a requirement of GDPR and designed to increase data security by reducing the risk of unlawful disclosure. It will reduce the scale of a breach and its potential impact on participants if only a minimum amount of personal data is handled to begin with.

For example, if you need to know how old a participant is for your research study, collect their age and not their date of birth. This reduces the risk to the participant if data is disclosed in error.

You will be required to provide a justification in your Data Management Plan for any personal data you plan to collect. It's a reflective exercise to assess whether you're collecting the right amount of personal data to comply with the principle of data minimisation.

Anonymisation

Anonymisation of data should be considered throughout a research project to reduce risks to participants in the event of a data breach.

Research data intended for publication must also be anonymised in line with participant agreements.

The UK Data Service has a very useful guide to anonymisation and how to assess and minimise risks of disclosure.

Common steps to anonymise data include:

Removing direct identifiers
Re-categorising. For example, changing references to a specific job to a broader title ('Brick layerer' becomes 'Construction worker').
Aggregation. For example, an age range not a specific age ('29' becomes '21-30')
Removing outliers or anomalies
Generalising qualitative data

If it is necessary to keep non-anonymised versions of data, make sure these are stored in a separate file location. This will reduce the risk of inadvertently sharing the identifiable versions of datasets. The same applies to any documents containing the 'keys' to re-identify pseudonymised data, or logs of any changes made to datasets.

Pseudonymisation

Techniques that replace, remove or transform identifiers in data (such as names) with pseudonyms (such as a reference number). The original identifiers are linked to their pseudonyms in a document (the key) that must be kept separately from the pseudonymised data. Only with access to the key will anyone be able to access information about participants in the data.

Pseudonymisation enhances security of the data because it reduces the probability of participants being identified in the event of data loss or theft.

Unlike data that has been truly anonymised, pseudonymised data is still personal data as defined by UK GDPR.

The Information Commissioner's Office have produced a guide to pseudonymisation.

Storage limitation and retention periods

The Storage limitation principle in UK GDPR specifies that personal data must be kept for as long as it is needed and no longer. If security is compromised, risks will be reduced if data has already been securely disposed.

It will usually be necessary or appropriate to retain research data which forms the basis of published research findings for a significant period after the end of the active research period. This may be due to funder or auditing requirements, or perhaps for future research.

In other cases, it may not be necessary to retain data. For example, interview audio recordings could be deleted once transcriptions have been produced (or after the viva for postgraduate researchers), if the audio files are no longer needed.

Retention periods specify how long data and associated documentation are to be kept. They must be documented in the Data Management Plan (DMP).

Retention periods

Unless funder requirements specify otherwise, research data underpinning findings in publications should be accessible for at least 10 years. This is in line with Principle 2 of UKRI's Common principles on research data as specified in their Guidance on best practice in the management of research data.

As a rule, project documentation (consent forms, protocols, ethical review forms, administrative documentation, participant details, health and safety records etc.) should be retained in line with the research data.

Once the retention period has ended, data and documentation will need to be reviewed to decide whether to extend retention, or to securely destroy them.

Data destruction

It is necessary to specify in a Data Management Plan how you plan to securely destroy data when it is no longer needed. The UK Data Service has advice on secure disposal.