Sensitive research data usually includes one or more of the following:
If you are working with sensitive data, you need to take extra precautions to ensure the data can only be viewed by those with permission to do so. These may include encryption or other special measures when storing, transferring and disposing of data.
Sensitive personal data (sometimes referred to as special category personal data), as defined in the GDPR, comprises personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; information concerning health or relating to a natural person's sex life or sexual orientation; and data on criminal records and proceedings.
Whilst adopting a proportionate, risk-based approach, the entire lifecycle of the research information needs to be considered, from creation to destruction. Minimum controls for highly restricted information to remain secure include user access controls, encryption, identifying and guaranteeing the location of the information, and legitimate sharing under appropriate contracts.
It is possible to restrict access to folders on the University's research filestore, so that only certain individuals or groups are allowed to view and edit the contents. A typical configuration for project folders is to allow access only to members of the project team, but it is also possible to set up folders within the project folder that are restricted to fewer users. For more information contact your Faculty's Business Relationship Managers (BRMs).
You can share data which is stored on your Office 365 OneDrive for Business; however, for data which contains direct or indirect personal identifiers, we recommend you use the Research Filestore. See the iSolutions website for more information about Office 365 and for guidance on how to share files safely.
While external services such as Dropbox, Google Drive and OneDrive are convenient, they do not comply fully with the University's data policies due to the following issues:
Cloud-based solutions should therefore be avoided for sensitive data. If you are considering using external storage providers nevertheless, perhaps because of conditions imposed by external collaborators, you must only consider those which will allow you to take the following security measures:
If you want to share data with external collaborators, even if they are part of the same research project, you must have a data sharing agreement in place. Contact riscontracts@soton.ac.uk for more information. When you share the data with others, they will be data processors, but the University will still be the data controller and therefore responsible for how the data is used.
Extra precautions need to be taken when transferring sensitive data between collaborators:
Data that is to be published should have all direct identifiers removed; these include:
Data for publication should also not contain two or more indirect identifiers (listed below), as the combination can lead to re-identification through a process called 'triangulation'. You should remove or modify one or more of the indirect identifiers until the risk of re-identification is negligible. If you are unsure or require more advice, please contact researchdata@soton.ac.uk. Indirect identifiers include:
(List courtesy of University of Bristol (2017), Sharing Data Concerning Human Participants guide)
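The triangulation risk described above can be checked before publication by counting how many records share each combination of indirect identifiers (the smallest such group is the dataset's k-anonymity; a group of size 1 is a uniquely re-identifiable person). The script below is an added example and is not part of the original page or any University tool; the records, column names and the set of direct identifiers are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real data); column names are assumed for illustration.
RECORDS = [
    {"id": 1, "age_band": "30-39", "postcode_district": "SO17", "occupation": "lecturer", "score": 12},
    {"id": 2, "age_band": "30-39", "postcode_district": "SO17", "occupation": "lecturer", "score": 15},
    {"id": 3, "age_band": "30-39", "postcode_district": "SO17", "occupation": "nurse", "score": 9},
    {"id": 4, "age_band": "40-49", "postcode_district": "SO16", "occupation": "nurse", "score": 11},
    {"id": 5, "age_band": "40-49", "postcode_district": "SO16", "occupation": "nurse", "score": 14},
]

# Assumed set of direct-identifier columns to strip before any release.
DIRECT_IDENTIFIERS = {"id", "name", "email", "date_of_birth"}


def strip_direct_identifiers(records, direct=DIRECT_IDENTIFIERS):
    """Drop every direct-identifier column from each record."""
    return [{k: v for k, v in r.items() if k not in direct} for r in records]


def _key(record, quasi_identifiers):
    return tuple(record[q] for q in quasi_identifiers)


def k_anonymity(records, quasi_identifiers):
    """Return (k, counts): k is the size of the smallest group of records that
    share the same combination of indirect-identifier values."""
    counts = Counter(_key(r, quasi_identifiers) for r in records)
    return min(counts.values()), counts


def at_risk_records(records, quasi_identifiers, k_min=2):
    """Records whose indirect-identifier combination is shared by fewer than
    k_min people; these are the ones triangulation could single out."""
    _, counts = k_anonymity(records, quasi_identifiers)
    return [r for r in records if counts[_key(r, quasi_identifiers)] < k_min]


def generalise(records, column, mapping):
    """Modify one indirect identifier by coarsening its values (e.g. map
    specific occupations to a broad category); unmapped values are kept."""
    return [{**r, column: mapping.get(r[column], r[column])} for r in records]


if __name__ == "__main__":
    anon = strip_direct_identifiers(RECORDS)
    qi = ("age_band", "postcode_district", "occupation")
    k, _ = k_anonymity(anon, qi)
    print(f"k-anonymity over {qi}: {k}; at risk: {at_risk_records(anon, qi)}")
    coarse = generalise(anon, "occupation", {"lecturer": "public sector", "nurse": "public sector"})
    print("after generalising occupation:", k_anonymity(coarse, qi)[0])
```

Either dropping one indirect identifier from the release or generalising its values raises k from 1 to 2 on this sample; re-run the check after every such change rather than assuming the first edit is enough.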
Many of the techniques for dealing with sensitive data involve some form of encryption. Encryption transforms the data so that only those with the correct decryption key or password are able to read it. The strength of encryption refers to how difficult it would be for an attacker to decrypt the data without knowing the key in advance, and this depends on both the method and the key used.
The tool you use for encryption should inform you of the method it will use and may give you a choice. The Information Commissioner's Office currently recommends using the AES-128 or AES-256 encryption methods, of which the latter is stronger.
Whenever setting the key to be used by an encryption method, be sure to use a strong password. You must keep the key safe: if it is lost the data will be unrecoverable, and conversely if it is leaked the encryption will cease to offer any protection.
For more information about encryption contact InfoSec via serviceline@soton.ac.uk.
The UK Data Service has created video tutorials on how to use a variety of encryption software programs:
See the Research Data Management: Destruction webpage for more information on how to securely destroy electronic and printed data.
Under the GDPR, a Data Protection Impact Assessment ('DPIA') (the new term for a Privacy Impact Assessment) is compulsory for any project that is likely to be 'high risk' to the rights and freedoms of individuals. The GDPR does not define what high risk is, but examples include 'large-scale' processing, so it is likely that a DPIA will be required for some research projects. The ICO has created a series of DPIA checklists that you should use if you are unsure whether you will need a DPIA. Even if a DPIA is not necessary, you need to be able to demonstrate that you have proactively addressed data protection implications in your research to comply with the GDPR's requirements for accountability and privacy by design.
The University's Information Security Team has produced the following resources to help you:
Thanks to the Universities of Bath, Manchester and Bristol, whose webpages informed this content.