Research data storage outside UWE
This guidance relates to all circumstances when UWE data is stored anywhere apart from UWE premises or on UWE servers. This includes where a researcher could be based in another institution such as a hospital, or is a visiting fellow at another institution, or where data is collected via an online survey company, or is collected on UWE’s behalf by an external survey organisation. All research data is an asset of the University, and it is not just personal data which may be confidential or restricted, or
Please refer to the Data definitions for further information.
Do:
- Make sure that appropriate agreements are in place prior to placing, collecting or storing research data on devices or servers not owned by UWE;
- Be aware that transferring personal data outside the EEA requires special care if Data Protection law is not to be breached. Take advice from the UWE Data Protection and Records Management Officer, if required;
- Always contact the Contracts Team or the Data Protection Office to arrange the necessary agreements;
- Before entering into any agreement, either orally or in writing, with a third party you must contact the UWE Contracts Team;
- Make sure you are familiar with the provisions of the Data Protection Research Standard;
- Make sure you have sufficient evidence that any data collected on UWE’s behalf is lawful and consistent with UWE’s research ethics and governance requirements.
Do not:
- Store any research data on the servers or devices of another organisation (or individual) unless a formal agreement has first been entered into, via the Contracts Team (Intranet access only) governing the security and use of the data;
- Put in a research bid that you will store data on the servers or devices of another organisation without first seeking guidance as to whether this will be acceptable;
- Contravene the conditions you have set out in the Data Privacy notice – if you have only told participants the data will be held on UWE servers, then that is all you can do with it;
- Ever transfer data outside the EEA without ensuring you are compliant with the law. You may be personally liable.
Where UWE data is collected but is stored at another organisation or on another organisation’s server or devices, a formal Agreement will need to be set in place. Where the data is personal data, this will need to include a Data Processing Agreement (DPA). Such agreements must be signed by an approved UWE signatory, and can be set in place via the Contracts Team (or the Data Protection Office for ‘standard’ DPAs). For personal data, the data subjects (research participants) must also sign a Privacy Notice, which makes the storage arrangements clear.
Online surveys must only be hosted on the Qualtrics systems. UWE considers this tool to comply with data protection legislation, and the necessary Data Processing Agreements are in place. If you wish to make a case to use a different tool, please contact the UWE Data Protection and Records Management Officer (Intranet access only).
For details about how to access these, refer to the Online forms and survey tools (Intranet access only).
Personal Data outside the European Economic Area (EEA)
In the same way, researchers should only take or send personal data outside the European Economic Area (EEA) where the individual has consented to this by signing a consent form and has been provided with a Privacy Notice, and a Data Processing Agreement and appropriate security arrangements are in place.