Research data storage at UWE
- Use strong passwords and make sure they are stored securely away from the research data which they are protecting;
- Ensure that you lock your computer if you leave it temporarily unattended by pressing Ctrl-Alt-Del and clicking on ‘Lock Computer’;
- Keep physical copies of research data only in secure environments where only those who should access it can;
- Remember that identifiable personal information can be in any form (including digital, paper, audio and video);
- Consider digitising physical copies where appropriate as a backup or a replacement for paper copies;
- Collect only what personal data you need, and retain it only for as long as you need to;
- Consider whether to do a data impact assessment to ensure you meet GDPR requirements;
- Make sure that you and the University can deliver on any specific data security arrangements prior to applying for funding or otherwise entering into commitments (seek guidance if you are not sure);
- Remotely access data from a non-UWE PC only where you have adequate anti- virus, anti-spyware and firewall;
- Use the H and S drives (restricted area) or UWE OneDrive for Business for research data storage, and removable media only where there is a clear justification and appropriate security arrangements are in place;
- Make sure you have appropriately considered backing up your data;
- Only collect whatever personal data you actually need. If you do not need personal data, not collecting it is the most secure thing to do;
- Keep data access permissions up to date;
- Adopt a Life Course approach https://ukdataservice.ac.uk/manage-data/lifecycle.aspx approach to your research data;
- For archiving of research Data see the Guidance on Secure Disposal of Research Data.
- Forget your password, or allow it to fall into the wrong hands;
- Keep research data longer than appropriate;
- Confuse anonymised, pseudonymised and unanonymised data when stating how long you will retain data for (it needs to be clear what you will do when data is in each of these forms);
- Download research data to your own personal (or any non-UWE) devices;
- Use removable media unless it complies with the guidance referred to in this guidance;
- Pseudonymise in such a way that participants can be identified (e.g. part of name, age, gender, DOB);
- Say to research participants ‘your data will be held securely’ or ‘your data will be held on a UWE computer’ – be specific ‘your data will be held on a UWE networked drive’;
- Use other Cloud storage (such as Dropbox) - data may move outside the EEA, UWE only has the necessary Data Processing Agreements with UWE OneDrive for Business, and this is the only Cloud provision which is backed up.
Data Storage Principles
Any research data collected by a UWE staff member or student and/or stored on the University’s network or on a UWE owned device must comply with the University’s Data Protection Policy and Information Security Policy. Research data can be securely stored on a researcher’s personal H drive that can only be accessed by an individual. Research data can also be stored on the S drive in a restricted area, which can be set up by IT Services on request. The only other acceptable networked solution for storage of research data is the UWE OneDrive for Business. Research data can also be stored on a UWE SharePoint site, where rights management is carefully controlled, and where there is a clear justification for doing so. It is important to note that IT Services have access to all University networked storage, but the policy is that network administrators must not browse content. Research data should not be stored on a non-UWE owned device.
It is not appropriate to store research data on a desktop PC hard drive or a laptop – this is only appropriate as a transit measure. There will be exceptional occasions where it is necessary to use removable media for back up, such as where data is too large for networked storage. All removable media must be encrypted and password protected, and stored at the very least in a secure, locked cupboard. For highly sensitive data, this should be stored in a safe (such as a small fireproof safe). Options are available for individual files to be encrypted, where this is considered appropriate, but it is crucial that the encryption key is not forgotten and must be stored securely (and separately) if written down.
IT Services have produced additional guidance on encryption and encourages the use of strong passwords when sensitive data is encrypted. Researchers should consider and implement appropriate arrangements for storing passwords safely, such that they do not fall into the wrong hands but can be retrieved when needed – see UWE guidance about passwords.
In statements made about security of data (e.g. to funders or participants), it should be made clear where data will be stored, what the security measures are, and who will have access to it and under what conditions. Please take care that you are not committing the University to measures, which cannot be implemented or are not in accordance with UWE policies. Where personal data is collected, a signed informed consent form must be obtained to meet ethical requirements, and to meet Data Protection requirements a Privacy Notice must be provided to data subjects (research participants) informing them to whom the data will be disclosed, the purpose for collecting the information, the legal basis for collecting the data, how long the information will be kept/when it will be destroyed, whether data is transferred overseas, where the information will be stored and how secure it will be. Personal data should only be accessed in line with the participant consent (this is an ethical issue, and also a GDPR issue, where consent is relied upon as the legal basis for processing). Your storage solution should ensure that this is always complied with.
It is the responsibility of the UWE Project Manager to ensure that restricted access to the S and H drives is kept current, particularly when staff leave or move to other roles. In these circumstances, where research data is stored on an individual’s H drive, they must, in conjunction with their line manager, ensure the data is moved (where appropriate to do so) for access by another individual, or securely disposed of, as appropriate. Where a researcher leaves UWE, they may not remove research data, or access it, without permission from the Information Owner (the Pro Vice Chancellor for Research and Business Engagement, usually delegated to the relevant Dean of Faculty), and only where permissible in relation to participant consent, funding and/or partnership agreements etc. If in doubt, consult the research governance team for guidance firstname.lastname@example.org.
Where research participants have been allocated a study number (to avoid using names) and a “key” is kept in case it is necessary to trace back (pseudonymisation), these must be kept separately from the data, when stored, and when in transit by any means. Where a key is used to pseudonymise data, this should not be comprised of items that might enable the participant to be identified (such as birth date, first three letters of surname), which, when added to other data collected, such as gender and age, might mean the individual can be identified by those using the data.
You should take a "life course" approach to your data, being clear about the "data journey". For example, if you are interviewing human participants, taking samples, or collecting measurements or other data in the field, how will the data be stored at all stages of the research, how will it be securely transported, backed up, anonymised or pseudonymised, archived, securely disposed of?
All UWE staff and students also have access to cloud storage via UWE OneDrive for Business, which provides an additional one TB of secure storage meeting the requirements of UK Data Protection legislation, and the University’s information security requirements. UWE OneDrive for Business can be accessed remotely as well as when at UWE. Researchers can also allow appropriate others at UWE, such as supervisors or relevant colleagues, to access their research data stored on their OneDrive for Business area.
Folders within UWE OneDrive for Business can also be shared externally, and this is the UWE recommended way of sharing data securely. Please see UWE OneDrive for Business guidance Please note that you will need to permit the external person to have a link, which could be forwarded, so you will need to obtain, and file, their prior agreement in writing that they will not do this, as a management control.
Personal and Third-Party Devices
Research data should never be stored on personal or third party (i.e. not UWE owned) laptops or devices, even in transit. This may breach what we have told the research participant in their consent form about their data being held at UWE, the fact that we cannot control the security of a non-UWE PC physically or in terms of access by others (including remote deletion of information if stolen), and the issues around secure deletion of data (you may need to have your PC reformatted by UWE). Such devices are also not backed up by UWE, so valuable data may be lost. Research data stored on the UWE H or S drive can be remotely accessed from a non-UWE computer as long as it is not downloaded, and where that computer has its own anti-virus and anti-spyware software, and its own firewall in line with the University's Data Protection Policy.
Hard Copy Information
Research data may be in hard copy form, and where this is the case should be secured in locked cabinets, with access only by those who have a legitimate right to see the data, in personal offices or a secure archive room, and where appropriate electronically backed up (i.e. where it would be critical if the original paper record was lost or damaged, for example lab books or consent forms, and where participant consent or other considerations such as copyright permit this). Only those who have a legitimate right to access the data should have access to open any physical cabinet. Consideration should be given at the outset to whether and when physical copies of research data should be destroyed. For example, it may be appropriate to destroy paper questionnaires once they have been transcribed, or information may be scanned in and held electronically.
When it is necessary to print or copy any confidential data, the device or printer used must be physically secure or attended, or secure printing used.
For further advice, researchers may wish to contact the UWE Data Protection and Records Management Officer (Intranet access only), the IT Service Desk or the Research Governance Team depending on the nature of the query. Alternatively, information relating to UWE OneDrive for Business can be found here.