
Working with data: Sensitive data

Guide on working with data


On this page you will find guidance on who to ask for advice about working with sensitive data, encryption of files and folders, storage of sensitive data, transferring sensitive data, disposing of sensitive data and anonymisation. 

Who to ask about working with sensitive data

This guide will help to ensure that you manage any sensitive research data securely and, for personal data, ensure that you adhere to data protection legislation.

We run a two-hour workshop on managing sensitive data each academic year. If your research group or department would like to request a bespoke training session please contact us at research-data@bath.ac.uk

The Data Protection team provide detailed guidance on managing personal data in accordance with the Data Protection Act.

Working with sensitive data

The University recognises three levels of sensitive data and information in its Information Classification Framework:

  • highly restricted, for example sensitive personal data, salary information, bank details, research data with significant commercial value or obligations. 
  • restricted, for example personal data that is not classified as 'sensitive', student/alumni contact details, staff contact details.
  • internal, for example non-confidential internal correspondence, working group minutes, internal policies and procedures. 

In the context of research, the most common reasons for data being Restricted or Highly Restricted include:

  • the involvement of human participants, particularly where the research involves sensitive personal data such as health records
  • the involvement of commercial collaborators, particularly where the data could be construed as competitive intelligence
  • working under the terms of a non-disclosure agreement
  • data on the location of vulnerable groups such as endangered species or vulnerable ecosystems
  • data on the location of animal research facilities or GM crops

Sensitive personal data (special category data) are defined in the Data Protection Act as those relating to an individual's: 

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life
  • sexual orientation

If you are working with sensitive data, you need to take extra precautions to ensure that they can only be viewed by those with permission to do so. These may include encryption or other special measures when storing, transferring and disposing of data. 

Encryption is the process of transforming data so that only those with the correct decryption key or password are able to read them. The strength of the encryption refers to how difficult it would be for an attacker to decrypt the data without knowing the key in advance, and this depends on the method and the key used. Ensure that you always use a strong password for any encrypted files or folders and that you keep the key safe. If you lose the decryption key the data will be unrecoverable, even by Computing Services. 

Encryption can be applied to folders (Computing Services can set up encrypted folders on the X:Drive), to files or to entire devices such as laptops, external drives and USB sticks. You can order an encrypted USB stick (Kingston Data Traveller Locker+ G3) from the IT shop by emailing ITP@bath.ac.uk.

There is more information on encryption on the following webpages: 

You can also contact your local IT supporter for more information on encryption. 

University X: Drive

It is possible to restrict access to folders on the X drive and to request for an encrypted folder to be set up by your local IT supporter. If you are working with sensitive data you should consider: 

  • storing identifiable personal data in an encrypted folder on the X: Drive
  • storing related non-identifiable anonymised or pseudoanonymised data in a separate restricted access folder on the X: Drive. 

Both the NHS and ESRC require identifiable personal data to be stored in an encrypted folder separately from anonymised or pseudoanonymised study data. 

You only need to request that an encrypted folder is set up where the data need to be made inaccessible to system administrators. 


External storage providers

While external services such as Dropbox, Google Drive and OneDrive are convenient, they do not comply fully with the University's data policies due to the following issues: 

  • data may be stored in jurisdictions outside the European Economic Area and therefore are unlikely to be compliant with EU Data Protection legislation (General Data Protection Regulation, GDPR)
  • they do not interact well with existing University storage services
  • they do not provide sufficient guarantee of continued availability
  • extra precautions must be taken in order to ensure that more than one person at the University has access to the data, in case of researchers leaving the University.

Cloud-based storage solutions must not be used for sensitive data. 


Securing computer equipment

If you are working away from the University during your research and the only option is to store sensitive data on an external device, such as a laptop, you should take the following precautions: 

  • your laptop and any external hard drives should be encrypted; you can contact the University IT Security Manager for advice on encrypting your laptop
  • ensure that any devices holding sensitive data are stored separately from each other and are locked away when not in use
  • take reasonable precautions when entering passwords that others do not observe what is entered
  • transfer data onto the University X:Drive when you have access to a secure internet connection (HTTPS or SFTP)
  • when you no longer need to keep sensitive data on your laptop or external hard drive ensure that the data are deleted securely or that your device is disposed of in a secure way. You can contact Estates for the secure disposal of hardware and Computing Services for the secure deletion of files from your hard drives. 

Transmission over standard HTTP or by email is not secure, and may be intercepted and read by third parties. Extra precautions need to be taken when transferring sensitive data between collaborators:

  • email can be made more secure by putting the sensitive data in an encrypted attachment. The encryption passwords should be transferred separately from the files and by other means
  • the entire content of an email can be encrypted with a system such as PGP. If you wish to set this up for your University email account, please contact the IT Security Manager
  • collaborators can be given a University computing account for up to 12 months at a time. Through this account they can be given permissions to transfer data directly into certain folders on the X:Drive
  • data can also be transferred on removable media, such as an external hard drive, by a secure courier. The courier used should be agreed on and trusted by both parties. The data should be encrypted on the drive and the password sent separately. It is good practice to double package the data, with the inner packaging marked 'confidential' and the outer packaging only marked with the recipient's address. 


Data transfer or sharing agreements

If you are sharing identifiable or pseudoanonymised data (containing a participant identifier that can be used to re-identify the participant) between collaborators, a data transfer agreement or data sharing agreement may be needed between the data controller and the institution that the data are being transferred to. If the University of Bath has been identified as data controller in a project then you should contact the Data Protection team to determine whether a data transfer agreement is needed.  


Transferring data to a transcription service

In order to comply with the Data Protection Act you should avoid transferring personal data (such as audio files) or sensitive personal data (such as video files) to a transcription service that is based outside the European Economic Area (EEA).

  • Be especially careful if you are transferring personal data to an online transcription service because the location of the servers might be outside the EEA.
  • If you are transferring identifiable data you might need to set up a data transfer agreement with the transcription service, depending on their terms and conditions. If you are unsure please contact the Data Protection team for advice.
  • Ensure that you transfer data only using a secure connection (HTTPS/ SFTP) and ensure that all links to the service are password protected. 


Transferring personal data outside the European Economic Area

Transferring identifiable personal data outside the EEA may result in a breach of the Data Protection Act. Therefore, personal data that have not been fully anonymised must not be transferred out of the European Economic Area (EEA). Transfer of personal data (securely) is permitted for the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom. 

Transfers of data to Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay are considered by the EU Commission to be 'adequate' in terms of their data protection. If you are unsure about whether or not you can transfer identifiable personal data please contact the Data Protection team for advice.

The UKRI guidance on best practice in the management of research data stipulates that 'any reasonable steps should be taken to ensure that research data are not held in any jurisdiction where the available legal safeguards provide lower levels of protection than are available in the UK'. 

You should ensure that you dispose of sensitive data securely, and you may need to provide a certificate of data destruction to comply with the terms of some third party data providers. 


Digital data

Computing Services can provide assistance with deletion tools to ensure the secure erasure of data from computers and other digital storage. 

Digital recording equipment loaned from the Audio Visual Unit undergoes a hard reformat once it is returned. The data on the memory card is deleted and overwritten, and the table of contents removed. 

IT equipment is disposed of by contacting Estates. Human Resources also provide guidance on the disposal of computers and media storage devices (PDF) that contain sensitive information. 


Non-digital data

Paper-based sensitive data can be disposed of using the University's confidential paper waste disposal service. This service can also advise on the secure disposal of CDs, DVDs, and other media. 

Anonymisation and the Data Protection Act

If you fully anonymise personal data they are no longer considered to be personal data, and therefore do not fall under Data Protection legislation. However, fully anonymising data can be complex because you need to consider the risk of re-identification of data subjects - not just from the dataset itself, but from other available data, including data sources that may be available online. 

One test that can be used to think about whether your data can be, or have been, anonymised is the 'motivated intruder' test. According to the Information Commissioner's Office guidance, the 'motivated intruder' 'is taken to be a person who starts without any prior knowledge but who wishes to identify the individual from whose personal data the anonymised data has been derived'. The motivated intruder would be assumed to 'be reasonably competent, has access to resources such as the internet, libraries, and all public documents, and would employ investigative techniques such as making enquiries of people who may have additional knowledge of the identity of the data subject or advertising for anyone with information to come forward'.


Processes for anonymising data

The UK Data Service provides extensive and detailed guidance on anonymising quantitative and qualitative data. The table below summarises processes for anonymising quantitative and qualitative data from the UK Data Service guidance. 

Quantitative data:

  • Remove direct identifiers
  • Aggregate or reduce the precision of a variable
  • Generalise the meaning of a detailed text variable
  • Restrict the upper and lower ranges of a continuous variable
  • Anonymise relational data
  • Anonymise geo-referenced data
  • Create an anonymisation log

Qualitative data:

  • Don't collect disclosive information unless necessary
  • Plan anonymisation at time of transcription
  • Use pseudonyms or replacements that are consistent throughout the project
  • Use 'search and replace' techniques with caution as they miss typos
  • Identify replacements in text clearly
  • Keep unedited versions for use within the research team
  • Create an anonymisation log

Audio-visual data are highly labour intensive and expensive to anonymise; consider whether you really need to keep them.
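As an added illustration of the quantitative steps above (this is not code from the page or from the UK Data Service), the Python below applies them to a small constructed dataset and then checks how many records share each combination of remaining quasi-identifiers, since a record that is unique on those fields is what a motivated intruder with outside knowledge would pick out. The sample records, the keyed pseudonym scheme, the 10-year age bands and the income bounds are all assumptions chosen for illustration.

```python
from collections import Counter
import hashlib
import hmac

# Constructed sample records (not real data): direct identifiers (name, pid),
# quasi-identifiers (age, postcode) and one continuous variable (income).
RECORDS = [
    {"name": "Alice Example", "pid": "P001", "age": 23, "postcode": "BA2 7AY", "income": 21000},
    {"name": "Bob Example", "pid": "P002", "age": 27, "postcode": "BA2 3BZ", "income": 250000},
    {"name": "Carol Example", "pid": "P003", "age": 41, "postcode": "BA1 5LR", "income": 38000},
    {"name": "Dan Example", "pid": "P004", "age": 44, "postcode": "BA1 2QX", "income": 4000},
]

DIRECT_IDENTIFIERS = ("name", "pid")
INCOME_FLOOR, INCOME_CAP = 10000, 100000  # assumed bottom/top-coding bounds


def pseudonym(pid, key):
    """Keyed pseudonym: consistent across the project (same pid -> same value)
    but not derivable without the key, which stays with the research team in
    the restricted-access folder, never alongside the released data."""
    return "R" + hmac.new(key, pid.encode(), hashlib.sha256).hexdigest()[:8]


def anonymise(records, key):
    """Apply the quantitative steps from the list above; return (rows, log)."""
    rows = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = pseudonym(r["pid"], key)
        band = r["age"] // 10 * 10
        row["age"] = f"{band}-{band + 9}"  # reduce precision: 10-year band
        row["postcode"] = r["postcode"].split()[0]  # geo-referenced: outward code only
        row["income"] = min(max(r["income"], INCOME_FLOOR), INCOME_CAP)  # restrict range
        rows.append(row)
    log = [  # anonymisation log: records what changed and how, never the key
        f"removed direct identifiers {DIRECT_IDENTIFIERS}; pid replaced by keyed pseudonym",
        "age reduced to 10-year bands",
        "postcode reduced to outward code (geo-referenced data generalised)",
        f"income restricted to {INCOME_FLOOR}-{INCOME_CAP} (bottom/top-coded)",
    ]
    return rows, log


def min_group_size(rows, quasi=("age", "postcode")):
    """Smallest number of rows sharing a quasi-identifier combination; 1 means
    some record is unique on those fields and remains at risk of re-identification."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(counts.values(), default=0)
```

If `min_group_size` returns 1, coarsen a variable further (wider bands, fewer postcode characters) before considering the dataset for release.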

If you do not think that you can confidently anonymise data do not make it openly available to the public. Instead, share it using access restrictions. 
