LibGuides: Research Data Management: Storage

Data Management Plans (DMPs) - Storage

It is necessary to document in a Data Management Plan where data will be stored.

This is to prevent data being stored in places that would breach ethical or legal requirements. For example, it is not permitted to store any personal data in any 3rd party cloud storage solutions that haven't been approved by IT Services (e.g. Google Drive, Dropbox).
Consideration must be given not just to where you store data, but also to where anyone else associated with the project will store it. For example, if you use a data collection tool like JISC Online Surveys, or a transcription service provider (etc.), then you will need to document where those third parties are hosting the data.

These should be documented in the following sections/questions of the BU Data Management Plan (DMP) template:

Ethical and legal compliance

Will anyone else have access to any of the data at any point? > Restricting access to authorised persons and organisations
Will any of the data be received from partners outside of the UK? > International data transfers
Briefly list the countries/partners where data will be received from.
Will any of the data be sent to partners outside of the UK? > International data transfers
Briefly list the countries/partners where data will be sent to.
Provide brief details of anyone else who will have access to any of the data. > Restricting access to authorised persons and organisations

Storage, back-up, and security

Where will your non-digital research data or project documentation be stored, short or long-term? > Physical storage
Where will your digital research data or project documentation be stored, short or long-term? > Electronic storage
Do you plan to keep identifiable participant data after the study has finished? > Storage limitation and retention periods
Provide a justification if you plan to keep identifiable participant data after the study has finished.
How and when will personal or other sensitive data be deleted/destroyed? > Data destruction > Storage limitation and retention periods
What security measures will be put in place to prevent unauthorised disclosure of data, both during and after the study?

Online storage

BU’s Information Classification webpage specifies how data should be handled and stored depending on the classification assigned to it.

BU recommends storing your research data and documentation in a project specific BU SharePoint site which has been approved as compliant with the required standards. If this is not appropriate for your data, contact IT Services for advice.

Note that BORDaR is not a storage solution for live data that is being worked on during the course of a project. It is BU's research data repository for the long-term storage and access of completed datasets. Choosing a data repository after project completion.

Portable electronic storage

BU’s Information Classification webpage specifies how data should be handled and stored depending on the classification assigned to it.

Contact IT Services to discuss your portable storage needs and to estimate costs.

Portable storage devices such as laptops, hard drives, memory sticks, tablets and recorders are more vulnerable to being lost or subject to security threats. Appropriate measures need to be in place to keep data secure:

Guidance on keeping data secure.

Online and electronic storage options

This table summarises how different electronic storage solutions compare against requirements for safe data storage. Any storage needs requiring services/solutions not covered in this table should be raised with IT Services. For most research projects, SharePoint is recommended.

Storage solutions for live research data
	OneDrive (BU)	SharePoint / Teams (BU)	Non-BU cloud-based services (Dropbox, Google Drive etc.)	Network storage (H and I-Drives)	Local drives (BU or personally owned devices	BU owned portable device (e.g., USB drive)	Personally owned portable device
Storage capacity How much storage and how large can individual files be?	1TB	1TB	Variable		Variable	Variable	Variable
Security measures How secure is the storage solution? What standards does it meet?	Assessed and managed by IT. Assurances in place regarding the functionality and security of the system.	Assessed and managed by IT. Assurances in place regarding the functionality and security of the system.	IT services can assess the service and confirm is there are appropriate assurances in place regarding the functionality and security of the service.	Assessed and managed by IT. Assurances in place regarding the functionality and security of the system.	Variable	Variable	Variable
Access and control measures Is it deemed secure by BU? What measures can be implemented to protect personal or sensitive data?	Choose whether folders of files are kept private or shared. If shared, options to limit who can access the files/folders. Options to restrict documents to ‘view only’ and ‘block downloads’ Options to change permissions.	Choose whether folders of files are kept private or shared. If shared, options to limit who can access the files/folders. Options to restrict documents to ‘view only’ and ‘block downloads’ Options to change permissions.	Variable	H: Drive is generally private and only accessible by the owner. In justified circumstances IT-Services can access the drive. I:drive files/folders can be restricted to authorised users only.	Generally, only accessible by the owner. Remote access to the device by IT-Services might be possible., but unlikely on personal devices.	Generally, only accessible by the owner.	Generally, only accessible by the owner.
Data protection Is it appropriate for storing personal data in line with GDPR and BU policy?	Yes - with appropriate access and control measures in place.	Yes - with appropriate access and control measures in place.	No storage permitted. Only centrally procured storage solutions should be used which have contracts in place and have been verified by BU as compliant with data protection legislation.	Yes - with appropriate access and control measures in place.	No storage or creation permitted.	No permanent storage (USBs, external hard drives). No storage on mobile phones or tablets.	No storage or creation permitted
Collaboration Does it support collaboration?	Yes	Yes	Unknown. Depends on the service.	Limited. Not really.	No	No	No
Back-ups Are backups managed by BU IT-Services?	Not backed up by either Microsoft or BU. Contact IT Services for any specific backup requirements.	Not backed up by either Microsoft or BU. Contact IT Services for any specific backup requirements.	Unknown. Depends on the service.	Yes	No	No	No
Version control Is there automatic versioning control?	Yes	Yes	Unknown. Depends on the service.	No	No	No	No
Data deletion Is data securely destroyed when deleted?	Yes – retained in Office365 for further 93 days from deletion.	Yes – retained in Office365 for further 93 days from deletion. (Teams messages) Yes – retained in Office365 for further 17- days from deletion	Unknown	Yes – retained in backs up for further up to 8 weeks after deletion.	No	No	No
What happens when I leave BU? What happens to the data if no action is taken? What should happen to the data before leaving BU?	Data and documentation deleted 30 days after the account owner leaves BU. Files should be transferred to BU SharePoint to meet data access and retention requirements.	A project site on SharePoint will remain after you leave BU, satisfying data access and retention requirements. A copy of your Data Management Plan, detailing data retention periods should be saved on the site.	Data and documentation are not accessible if the account owner is ill or leaves BU. Files should be transferred to BU SharePoint to meet data access and retention requirements, and then deleted from the non-BU cloud-based service.	Data and documentation stored in your H-drive are deleted 30 days after the account owner leaves BU. Data and documentation stored on the I: Drive will remain. Files should be transferred to BU SharePoint to meet data access and retention requirements.	Data and documentation are not accessible if the account owner leaves BU. Device will be wiped and deployed. Files should be transferred to BU SharePoint to meet data access and retention requirements, and then deleted from the local drive.	Data and documentation are not accessible if the account owner leaves BU. Device will be wiped and deployed. Files should be transferred to BU SharePoint to meet data access and retention requirements, and then deleted from the portable device.	Data and documentation are not accessible if the account owner leaves BU. Files should be transferred to SharePoint to meet data access and retention requirements and then deleted from the portable device.

Physical storage

BU’s Information Classification webpage specifies how data should be handled and stored depending on the classification assigned to it.

Please contact the relevant team within your Faculty if additional physical storage is required.

Physical data such as paper based consent forms, interview transcripts etc are vulnerable to being lost or subject to security threats. Appropriate measures need to be in place to keep data secure:

Guidance on keeping data secure.

Additional guidance

UK Data Service Guide - Store your data