Research Governance

Research data on removable media and in transit

Do

  • Encrypt any personal data on UWE laptops and portable devices;
  • Where research data has been collected ‘in the field’, make sure the data is immediately encrypted and password protected, and uploaded using a secure connection to UWE’s servers, or uploaded using UWE OneDrive for Business, or brought to UWE to be uploaded, as soon as possible;
  • Where data is ‘in transit’ for example on a UWE laptop, securely store it and ensure no-one else has access to the device;
  • Make sure you have appropriate, secure arrangements in place for research data in transit;
  • Remember to use only your UWE email address in connection with UWE research including in communication with research participants;
  • Use encrypted recording devices, and do not share hard drives/Memory cards.

Don’t

  • Store or transport confidential or restricted data on a non-UWE device (It is sometimes permissible in specific circumstances to store research data on a device owned by a third party, such as an NHS Trust, but this must always be governed by an contractual agreement that must be set in place via the UWE Contracts Team);
  • Transport, unencrypted, non-password protected sensitive personal data or unanonymised personal data on UWE devices outside the University;
  • Delay contacting the IT Service Desk if you suspect UWE data has been lost or compromised;
  • Ever share or disclose your UWE login credentials to anyone;
  • Leave UWE devices, including removable media, containing research data unattended, such as in the boot of a car;
  • Ever use Drop box (or other similar Cloud based provision apart from One Drive for Business) for personal information (or otherwise sensitive or valuable information). This will breach the Data Protection Act and you may be personally responsible for your actions;
  • Email confidential or restricted research data to colleagues or external contacts;
  • Ever send personal and/or sensitive research data by email. Research data should be shared via OneDrive for Business, or where there is a specific justification, via SharePoint with appropriate rights management turned on;
  • Ever use Cloud based storage other than UWE OneDrive (including DropBox) for confidential or restricted data, including personal data or other sensitive data, or valuable data, which you would not wish to be compromised, or lost.

Encryption

Any UWE related personal data, including research data, that is held on portable media and all University allocated laptops, must be appropriately encrypted. Non-UWE devices must not be used to store UWE personal data, or other confidential or restricted, or otherwise valuable, data.

IT Services provides encryption support for UWE owned devices. Please contact the IT Service Desk for further assistance or guidance regarding this topic.

It is the researcher’s responsibility to ensure the UWE device being used to store confidential or restricted data is appropriately encrypted and password protected. In cases of doubt, contact the IT Service Desk.

Transportation of encrypted data must be guided by the University's policies. Researchers should consider very carefully whether it is appropriate to hold research data on a UWE laptop, or other removable device which is not secured within UWE.

Storage in transition

Where research data, such as interview data, is collected using a UWE device, it is important to upload this information to UWE networked storage using a secure connection as soon as possible.

Research data can be uploaded to the H or S drives using external web access, or UWE OneDrive for Business can also be used. Researchers should also familiarise themselves with UWE’s Remote Access Policy.

Where recording devices are used, for example when interviewing research participants, these should be encrypted, and a model chosen which uses removable storage media such as an SD card. Management controls should be in place such that an SD card is only ever accessed by those who have legitimate access to the data (such as one SD card per interviewer or project). SD card access should be recorded (signed in and out and a clear record kept). Once data has been securely uploaded to UWE servers, the SD card should be inserted into a UWE computer and formatted, which will delete the encryption keys, then re-encrypted. Each user of the SD card must use a unique password to encrypt the SD card each time they use it, preferably a long phrase or combination of random words - don't re-use UWE login passwords.

Cloud Services

The University’s approved Cloud provision is UWE OneDrive for Business, and that should always be used where Cloud provision is needed to store confidential and restricted research data, including personal data. This should also be used for research data which is otherwise sensitive. Please refer to the Data definitions for further information.

Personal data placed in other Cloud provision (including Dropbox) may cross national boundaries in such a way as to breach the Data Protection Act. In addition, only UWE OneDrive for Business is backed up by the University, so this is the safest solution to ensure you do not lose valuable research data. UWE OneDrive for Business should be used to enable sharing with those outside the University. If this is not possible for any reason please contact the IT Service Desk as to the best approach.

Further Information

Researchers may be personally liable for any breach in data security arising from a failure in carrying out their data responsibilities. Researchers who believe that the security of a UWE device may have been lost or compromised, or that a data breach may have occurred, must inform the IT Service Desk immediately.

Back to top