This guide will help to ensure that you manage any sensitive research data securely and, for personal data, ensure that you adhere to data protection legislation.
We run a two-hour workshop on managing sensitive data each academic year. If your research group or department would like to request a bespoke training session please contact us at firstname.lastname@example.org.
The Data Protection team provide detailed guidance on managing personal data in accordance with the Data Protection Act.
The University recognises three levels of sensitive data and information in its Information Classification Framework:
In the context of research, the most common reasons for data being Restricted or Highly Restricted include:
Sensitive personal data (special category data) are defined in the Data Protection Act as those relating to an individual's:
If you are working with sensitive data, you need to take extra precautions to ensure that they can only be viewed by those with permission to do so. These may include encryption or other special measures when storing, transferring and disposing of data.
Encryption is the process of obfuscating data so that only those with the correct decryption key or password are able to read them. The strength of the encryption refers to how difficult it would be for an attacker to decrypt the data without knowing the key in advance, and this depends on the method and the key used. Ensure that you always use strong password for any encrypted files or folders and that you keep the key safe. If you lose the decryption key the data will be unrecoverable even by Computing Services.
Encryption can be applied to folders (the Digital, Data and Technology Group can set up encrypted folders on the X:Drive), to files or to entire devices such as laptops, external drives and USB sticks. You can order an encrypted USB stick (Kingston Data Traveller Locker+ G3) from the IT shop by emailing ITP@bath.ac.uk.
There is more information on encryption on the following webpages:
You can also contact your local IT supporter for more information on encryption.
It is possible to restrict access to folders on the X drive and to request for an encrypted folder to be set up by your local IT supporter. If you are working with sensitive data you should consider:
Both the NHS and ESRC require identifiable personal data to be stored in an encrypted folder separately from anonymised or pseudoanonymised study data.
You only need to request that an encrypted folder is set up where the data need to be made inaccessible to system administrators.
While external services such as Dropbox, Google Drive and OneDrive are convenient, they do not comply fully with the University's data policies due to the following issues:
Cloud-based storage solutions must not be used for sensitive data.
If you are working away from the University during your research and the only option is to store sensitive data on an external device, such as a laptop, you should take the following precautions:
Transmission over a standard HTTP or email is not secure, and may be intercepted and read by third parties. Extra precautions need to be taken when transferring sensitive data between collaborators:
If you are sharing identifiable or pseudoanonymised (containing a participant identifier that can be used to re-identify the participant) between collaborators there may need to have a data transfer agreement or data sharing agreement between the data controller and the institution that the data are being transferred to. If the University of Bath has been identified as data controller in a project then you should contact the Data Protection team to determine whether a data transfer agreement is needed.
In order to comply with the Data Protection Act you should avoid transferring personal data (such as audio files) or sensitive personal data (such as video files) to a transcription service that is based outside the European Economic Area (EEA).
Transferring identifiable personal data outside the EEA may result in a breach of the Data Protection Act. Therefore, personal data that has not been fully anonymised must not be transferred out of the European Economic Area (EEA). Transfer of personal data (securely) is permitted for the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lichtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
Transfers of data to Andorra, Argentina, Guernsey, Isle of Man, Isreal, Jersey, New Zealand, Switzerland and Uruguay are considered by the EU Commission to be 'adequate' in terms of their data protection. If you are unsure about whether or not you can transfer identifiable personal data please contact the Data Protection team for advice.
The UKRI guidance on best practice in the management of research data stipulates that 'any reasonable steps should be taken to ensure that research data are not held in any jurisdiction where the available legal safeguards provide lower levels of protection than are available in the UK.
You should should ensure that you dispose of sensitive data securely and you may need to provide a certificate of data destruction to comply with the terms of some third party data providers.
The Digital, Data and Technology Group can provide assistance with deletion tools to ensure the secure erasure of data from computers and other digital storage.
Digital recording equipment loaned from the Audio Visual Unit undergoes a hard reformat once it is returned. The data on the memory card is deleted and overwritten, and the table of contents removed.
Paper-based sensitive data can be disposed of using the University's confidential paper waste disposal service. This service can also advise on the secure disposal of CDs, DVDs, and other media.
If you fully anonymise personal data they are no longer considered to be personal data, and therefore do not fall under Data Protection legislation. However, fully anonymising data can be complex because you need to consider the risk of re-identification of data subjects - not just from the dataset itself, but from other available data, including data sources that may be available online.
One test that can be used to think about whether your data can be, or have been, anonymised is the 'motivated intruder' test. According to the Information Commissioners Office guidance, the 'motivated intruder' ' is taken to be a person who starts without any prior knowledge but who wishes to identify the individual from whose personal data the anonymised data has been derived'. The motivated intruder would be assumed to 'be reasonably competent, has access to resources such as the internet, libraries, and all public documents, and would employ investigative techniques such as making enquires of people who may have additional knowledge of the identity of the data subject or advertising for anyone with information to come forward'.
The UK Data Service provides extensive and detailed guidance on anonymising quantitative and qualitative data. The table below summarises processes for anonymising quantitative and qualitative data from the UK Data Service guidance.
|Quantitative data||Qualitative data|
|Remove direct identifiers||Don't collect disclosive information unless necessary|
|Aggregate or reduce the precision of a variable||Plan anonymisation at time of transcription|
|Generalise the meaning of a detailed text variable||Use pseudonyms or replacements that are consistent throughout the project|
|Restrict the upper and lower ranges of a continuous variable||Use 'search and replace' techniques with caution as they miss typos|
|Anonymise relational data||Identify replacements in text clearly|
|Anonymise geo-referenced data||Keep unedited versions for use within the research team|
|Create an anonymisation log||Create an anonymisation log|
Audio-visual data are highly labour intensive and expensive -
consider if you really need to keep them
If you do not think that you can confidently anonymise data do not make it openly available to the public. Instead, share it using access restrictions.