Research data management
All researchers should think through at the outset of a project how data will be handled across its life course, including whether data will need to be archived, made available for further use by others, or securely disposed of.
Remember that researchers are personally responsible for any breach in data security arising from failures in relation to their data responsibilities.
UWE Bristol Research Data Management Policy (for staff research)
The Research Data Management Policy sets out the University’s requirements with regards to research data management, and should be read in conjunction with the more detailed guidance on research data management.
Research Data Security
This introductory guidance is drawn from a more detailed research governance Research Data Security Guidance document which researchers are encouraged to read (this document is only accessible to UWE Bristol staff and students).
UWE Bristol Project Manager responsibilities
A UWE Bristol Project Manager is responsible for:
- The security of project research data overall, and should ensure that appropriate data security measures are in place, according to University guidance.
- Determining what may or may not be done in relation to the data.
- Decisions about storage, retention archiving and disposal, including the timing.
- Adopt a 'life course' approach to your research data
- Produce a research data management plan for your research
- Be clear who has overall responsibility for research data, and what your own responsibilities are.
- Make sure all those who need to, and only those who need to, have secure access to the research data.
- Make sure that you and the University can deliver on any specific data security arrangements prior to applying for funding or otherwise entering into commitments.
- Think about what to do with your data at the outset not once it becomes a problem.
Research data storage at UWE Bristol
Research data can normally be securely stored on a researcher's H or S drive. Research data stored on the UWE Bristol H or S drive can be remotely accessed from your own (non UWE Bristol) home computer as long as it is not downloaded, and where your home computer has its own anti-virus and antispyware software, and its own firewall, in line with UWE Bristol IT services requirements.
Where personal data is collected, a privacy notice must be signed by research participants informing them to whom the data will be disclosed, the purpose for collecting the information, how long the information will be kept/when it will be destroyed, where the information will be stored and how secure it will be.
- Use the H and S drive (restricted area) or SharePoint (or OneDrive for students) for research data storage.
- Make sure you have appropriately considered backing up your data.
- Encrypt any files stored on a desktop PC or on removable media.
- Securely locate any removable media.
- Keep data access permissions up to date.
- Use strong passwords and store them securely away from the research data.
- Keep physical copies of research data only in secure environments.
- Store sensitive data in a safe (such as a small fireproof safe).
- Store research data on personal (i.e. not UWE Bristol owned) laptops or devices.
- Use removable media unless encrypted, password protected, and stored securely.
- Use Cloud storage (such as Dropbox) where data may move outside the European Economic Area.
- Download research data to your own personal devices.
- Forget your password, or allow it to fall into the wrong hands.
- Keep physical copies of research data longer than appropriate.
Research data storage outside UWE Bristol
Where personal data is collected by a UWE Bristol researcher, or under the auspices of UWE Bristol (such as where UWE Bristol is the data owner but the data is collected by others) but is stored at another organisation or on another organisation's server, even temporarily, a UWE Bristol Data Processing Agreement (only accessible within the university network) must be signed.
- Ensure that appropriate agreements are in place prior to storing research data on devices or servers not owned by UWE Bristol.
- Be aware that transferring personal data outside the EEA requires special care if data protection law is not to be breached - take advice from the Data Protection Officer (only accessible within the university network).
- Enter into any agreement, oral or in writing, with a third party before contacting the Contracts team (only accessible within the university network) .
Research data on removable media and in transit
The security of data in transit is an area of particular risk, whether in hard copy or electronically. Researchers should consider carefully the 'pathway' that this will take to avoid data being lost or falling into the wrong hands. Where electronic means of transfer are used, researchers should use secure mechanisms.
Research data should not normally be sent by email unless there is no other viable, more secure method available, such as the use of SharePoint.
If using emails, they must include 'confidential' in the title, and in the file names of any attachments.
Research data sent in this way should be encrypted, and password protected. The password should be sent separately by another means e.g. by text or telephone, not emailed. The use of 'options' in email should also be used to avoid emails being forwarded.
- Make sure data is immediately encrypted and password protected, and uploaded using a secure connection to UWE Bristol's servers, or uploaded using OneDrive, or brought to UWE Bristol to be uploaded, as soon as possible.
- Make sure you have appropriate arrangements in place for research data in transit.
- Remember to use your UWE Bristol email address in connection with UWE Bristol research.
- Use Dropbox (or similar) for identifiable personal data or sensitive data. Personal data placed in Dropbox (or similar) may cross national boundaries in such a way as to breach the Data Protection Act.
- Allow a non-UWE Bristol employee or anyone not authorised to access the information, such as a family member or friend, to use their UWE Bristol log in, or use any device while the researcher is logged in.
- Leave removable media containing research data unattended.
Sharing research data
Personal data should only ever be used, or shared, in accordance with the consent given by the individual concerned. Consent should make clear who will access personal data in unanonymised and anonymised form, and whether data can be passed outside UWE Bristol.
All non-UWE Bristol staff requiring access to personal information must sign a data security disclaimer or Data Processing Agreement (DPA).
Where research data is passed to a transcription service this must also be subject to a DPA, and should only happen where it is consistent with the consent. Personal or sensitive research data must only be processed on a UWE Bristol computer, or by a transcription company or contractor with whom UWE Bristol has a formal DPA.
- Consider who you will want to access research data and what you will want to do with it before you design your participant information sheet and consent form.
- Contact the Contracts team (only accessible within the UWE Bristol network) and make sure that appropriate agreements are in place prior sharing data.
- Share data without first checking that this is in line with consent.
- Pass research data for transcription without a formal Data Processing Agreement and unless the data privacy notice allows for this.
Secure disposal of research data
Where research data must be destroyed, this must be done securely. This is not just a matter of deleting it from a hard drive. Please contact the Waste and Resources Manager regarding asset disposal and secure destruction of data.
- Ensure that research data is held securely for the required period but then disposed of in a timely and appropriate way.