Researchers often collect highly confidential information for their research. It is essential this data is stored securely and is collected following data protection legislation. Failure to collect data ethically can damage the reputation of the researcher and the University.
The General Data Protection Regulation (GDPR)
You may be a little fed up of hearing about GDPR, but it is vital legislation which helps to ensure data is collected ethically. During any research, you should ask yourself the following questions:
- Have you obtained your data fairly and lawfully?
- Is your data accurate, held securely, and kept for no longer than is necessary?
- Will your data be transferred? If so, where?
- Is your data held in line with the research participants’ rights, as the data subjects?
Collecting Sensitive Data
The General Data Protection Regulation lays out several requirements for collecting special category data. Special category data is personal data which the GDPR says is more sensitive, and therefore needs more protection. Examples include information about an individual’s race, politics, religion, genetics or sexual orientation.
To lawfully process special category data, you must identify both a lawful basis for processing personal data and a separate condition for processing special category data. Both must be identified before any data processing occurs.
Secure your data
Confidential data must be securely protected. Many contracts and ethics approvals will insist upon the encryption of sensitive data, especially if it has not been anonymised by removing all details that may identify participants.
Any backups made of confidential data may also need to be encrypted, and physical copies (e.g. held on USBs or as paperwork) kept in lockable cabinets with limited keys and access.
Keeping data separate from the institution’s network
Some contracts will insist that research data is isolated from the network. You may even need to purchase additional equipment in order to comply with this.
Consult the Information Centre if you need to separate your data. They will be able to assist you with recommendations for equipment and the security measures you will need to put in place beyond the network.
Encrypt data for transfer
Data that must be transferred, for any reason, between yourself, the institution and/or a third party must be transferred with the utmost care and under the advice of IT Services.
Encrypting the data ensures that it is useless if it falls into the wrong hands for any reason, which avoids the risk of it being made available to unintended or potentially malicious parties. However, even the loss of encrypted data could harm your reputation as a researcher and that of your institution.