
Research Data Management (old April 2019): Sensitive Data

Guidance and support to staff, researchers and students at the University of Southampton

Sensitive Data

Sensitive research data usually includes one or more of the following:

  • the involvement of human subjects, particularly where the research involves sensitive personal data such as health records;
  • the involvement of commercial collaborators, particularly where the data could be construed as competitive intelligence;
  • working under the terms of a non-disclosure agreement.

If you are working with sensitive data, you need to take extra precautions to ensure the data can only be viewed by those with permission to do so. These may include encryption or other special measures when storing, transferring and disposing of data.

Sensitive personal data (sometimes referred to as special category personal data), as defined in the GDPR, comprises personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; information concerning health or a natural person's sex life or sexual orientation; and criminal records and proceedings.

Whilst adopting a proportionate, risk-based approach, the entire lifecycle of the research information needs to be considered, from creation to destruction. The minimum controls needed for highly restricted information to remain secure are user access controls, encryption, identifying and guaranteeing the location of the information, and legitimate sharing under appropriate contracts.


Using the University's Research Filestore

It is possible to restrict access to folders on the University's research filestore, so that only certain individuals or groups are allowed to view and edit the contents. A typical configuration for project folders is to allow access only to members of the project team, but it is also possible to set up folders within the project folder that are restricted to fewer users. For more information contact your Faculty's Business Relationship Managers (BRMs).

Using the University's OneDrive

You can share data which is stored on your Office 365 OneDrive for Business; however, for data which contains direct or indirect personal identifiers, we recommend you use the Research Filestore. See the iSolutions website for more information about Office 365 and on how to share files safely.

Using external storage providers

While external services such as Dropbox, Google Drive and OneDrive are convenient, they do not comply fully with the University's data policies due to the following issues:

  • data may be stored in jurisdictions which do not provide the same level of privacy and data protection as the European Economic Area;
  • they do not interact well with existing University storage services;
  • they do not provide sufficient guarantee of continued availability;
  • extra precautions must be taken in order to ensure more than one person at the University has access to the data, in case of researchers leaving the University.

Cloud-based solutions should therefore be avoided for sensitive data. If you are considering using external storage providers nevertheless, perhaps because of conditions imposed by external collaborators, you must only consider those which will allow you to take the following security measures:

Sharing data during research

If you want to share data with external collaborators, even if they are part of the same research project, you must have a data sharing agreement in place. Contact riscontracts@soton.ac.uk for more information. When you share the data with others, they will be data processors, but the University will still be the data controller and therefore responsible for how the data is used.

Extra precautions need to be taken when transferring sensitive data between collaborators:

  • SharePoint provides a safe way to share documents collaboratively with other researchers both internal and external to the University. You simply need to create a new SharePoint site and use the external registration website to add and manage access for your collaborators. For more information see:
  • Collaborators can be given a University computing account as part of their visitor status, subject to the completion of the necessary agreements. Through this account, they could be given permissions to transfer data directly into certain folders on the Research Filestore.
  • Use the Dropoff service in preference to email. The service allows you to easily move files of up to 50Gb in and out of the University. All files are transferred across the network securely encrypted. All files uploaded and temporarily stored on Dropoff are held on equipment owned and operated at the University's own Data Centre. Dropoff is not a cloud service; everything is stored on equipment directly owned by the University and managed by its own IT staff. All access to data is very tightly and strictly controlled by the University; all accesses to data on Dropoff are logged and can be easily checked if you are ever concerned that a third party might have gained access to your data. Files are automatically deleted from Dropoff 32 days after you upload them. No backups are taken of the uploaded data (it is only a transitory stopping point), so after an uploaded file has been deleted there is no way of recovering it.

Publishing Data

Data that is to be published should have all direct identifiers removed; these include:

  • Name
  • Initials
  • Address, including full or partial postal code
  • Spatial location (e.g. latitude and longitude units with enough precision to potentially locate the subject)
  • Telephone or fax numbers or contact information
  • Email addresses
  • Vehicle identifiers
  • Medical device identifiers
  • Web or internet protocol addresses
  • Biometric data
  • Facial photograph or comparable image
  • Un-anonymised audio or video recordings
  • Names of relatives
  • Dates relating to an individual (e.g. date-of-birth)

Data for publication should also not contain two or more indirect identifiers (listed below), as that can lead to re-identification through a process called 'triangulation'. You should remove or modify one or more of the indirect identifiers until the risk of re-identification is negligible. If you are unsure or require more advice, please contact researchdata@soton.ac.uk. Indirect identifiers include:

  • Place/location of treatment, education, service use
  • Name of professional or business/service responsible for healthcare, education, service
  • Gender
  • Rare disease, condition, experience, treatment, or other characteristic
  • Risky behaviours (e.g. Illicit drug use)
  • Place of birth
  • Socioeconomic data, such as occupation or place of work, income, or education level
  • Household and family composition
  • Body measures (e.g. height, weight)
  • Multiple pregnancies
  • Ethnicity
  • Year of birth or age
  • Verbatim responses or transcripts
  • Dates of sensitive events
  • Small sample sizes i.e. when the number of subjects with a certain characteristic is small

(List courtesy of University of Bristol (2017), Sharing Data Concerning Human Participants guide)
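As an added illustration (not part of the original guidance page), the Python script below applies the procedure described above to a constructed table of fictional participants: it drops the direct-identifier columns, flags every combination of two or more indirect identifiers that isolates fewer than three participants (the 'small sample size' risk), and shows year-of-birth banding as one way to modify an indirect identifier. The column names, the records and the threshold of three are assumptions made for the example.

```python
from collections import Counter
from itertools import combinations

# Direct identifiers (from the page's list): these columns are dropped outright.
DIRECT = {"name", "email", "postcode", "dob"}
# Indirect identifiers (from the page's list): a combination of two or more
# that isolates a small group is the triangulation risk the page describes.
INDIRECT = ("gender", "year_of_birth", "ethnicity", "occupation")
FIELDS = ("name", "email", "postcode", "dob",
          "gender", "year_of_birth", "ethnicity", "occupation", "score")

# Constructed sample of fictional participants; not real data.
ROWS = [
    ("A. One", "a@example.org", "SO17 1BJ", "1980-04-02", "F", 1980, "White", "Teacher", 41),
    ("B. Two", "b@example.org", "SO17 1BJ", "1981-05-03", "F", 1981, "White", "Teacher", 37),
    ("C. Three", "c@example.org", "SO16 7PX", "1980-06-04", "F", 1980, "White", "Teacher", 52),
    ("D. Four", "d@example.org", "SO15 2AB", "1979-07-05", "M", 1979, "Asian", "Nurse", 48),
    ("E. Five", "e@example.org", "SO14 0ZZ", "1980-08-06", "M", 1980, "White", "Nurse", 45),
    ("F. Six", "f@example.org", "SO17 1BJ", "1982-09-07", "F", 1982, "Black", "Nurse", 39),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]


def strip_direct_identifiers(records):
    """Return copies of the records with every direct-identifier column removed."""
    return [{k: v for k, v in r.items() if k not in DIRECT} for r in records]


def small_groups(records, quasi=INDIRECT, min_group=3):
    """Map each combination of two or more indirect identifiers to the value
    tuples shared by fewer than min_group records (the page's 'small sample
    size'). An empty result means no combination isolates a small group."""
    risky = {}
    for n in range(2, len(quasi) + 1):
        for cols in combinations(quasi, n):
            counts = Counter(tuple(r[c] for c in cols) for r in records)
            rare = {vals: cnt for vals, cnt in counts.items() if cnt < min_group}
            if rare:
                risky[cols] = rare
    return risky


def generalise(records, col="year_of_birth", width=10):
    """Coarsen a numeric indirect identifier into bands (1980 -> '1980-1989'),
    one 'modify' option; re-run small_groups afterwards to confirm the effect."""
    out = []
    for r in records:
        r = dict(r)
        lo = (r[col] // width) * width
        r[col] = f"{lo}-{lo + width - 1}"
        out.append(r)
    return out
```

Banding year of birth removes the risk for the three teachers in this sample, but the two nurses and the single record in several other combinations remain identifiable, so those records would need further generalisation or suppression before release.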


Many of the techniques for dealing with sensitive data involve some form of encryption. Encryption transforms the data so that only those with the correct decryption key or password are able to read it. The strength of encryption refers to how difficult it would be for an attacker to decrypt the data without knowing the key in advance, and this depends on both the method and the key used.

The tool you use for encryption should inform you of the method it will use and may give you a choice. The Information Commissioner's Office currently recommends using the AES-128 or AES-256 encryption methods, of which the latter is stronger.

Whenever setting the key to be used by an encryption method, be sure to use a strong password. You must keep the key safe: if it is lost, the data will be unrecoverable, and conversely, if it is leaked, the encryption will cease to offer any protection.

For more information about encryption contact InfoSec via serviceline@soton.ac.uk.

Video Tutorials

The UK Data Service have created video tutorials on how to use a variety of encryption software programs:

See the Research Data Management: Destruction webpage for more information on how to securely destroy electronic and printed data.

  • A data protection impact assessment (DPIA) is a process to help identify and minimise the data protection risks of a project.
  • You must do a DPIA for certain listed types of processing, or any other processing that is likely to result in a high risk to individuals’ interests.
  • It is also good practice to complete a DPIA for any other major project which will require the processing of personal data.

Under the GDPR, a Data Protection Impact Assessment ('DPIA') (the new term for a Privacy Impact Assessment) is compulsory for any project that is likely to be 'high risk' to the rights and freedoms of individuals. The GDPR does not define what high risk is; however, examples include 'large-scale' processing, so it is likely that a DPIA will be required for some research projects. The ICO has created a series of DPIA checklists that you should use if you are unsure whether you will need a DPIA. Even if a DPIA is not necessary, you need to be able to demonstrate that you have proactively addressed data protection implications in your research to comply with the GDPR's requirements for accountability and privacy by design.

The University's Information Security Team have produced the following resources to help you:

Credits

Thanks to the Universities of Bath, Manchester and Bristol whose webpages informed the content.