Data Privacy in Research
SREC is aware of the potential sensitivity of data and electronic databases containing personal or other data that may be potentially disclosive that are obtained as a result of research projects. In addition there are specific requirements in relation to the data protection Act. Please consult, Information Compliance Unit. Specific training on compliance with this Act is available on QOL. As a result this policy document sets out some points in relation to the physical security and handling of this data. Specifically:
- The physical security arrangements for the location where the information is to be: a) Processed and b) Stored;
- Whether data and or information can or cannot be printed in hard copy or written to removable media;
- The handling and control of any hard copy and/or removable media containing data; and
- Whether data and or information can or cannot be transmitted electronically, e.g. via e-mail.
Framework Policies on Data Handling
Electronic data will be processed and stored on the Network Server OR locally password protected Windows 7 (or later) machines with bit locker encryption. For those using Apple Macs, these machines will use the most up-to-date operating system, be password protected and machines must be encrypted using Firevault. Electronic data must not be stored or transported in any other format. If data is stored on a local machine with appropriate encryption it must be backed up on the Network server. If there is a requirement to store data on a removable devise specific permission must be obtained for this from the Head of School and the data storage device must be encrypted, stored in a secure location and maintained to preserve the data.
The stored location of physical data should be a high security Data Centre, with fire and intrusion alarms, using relevant sensors monitored 24 x 7 by security personnel. Any rooms housing data should have dual entry systems when out of hours e.g. involving card, key and/or pin code access doors. Physical data must be kept double locked at all times. This means that if there is open access to the main building during normal working hours physical data must be kept in a lockable room and within a locked cabinet when not attended. When data is not in everyday use it should be boxed and labelled. Arrangements will then be made to store the data in a lockable room, behind a secure access area in the School. Access to media devices is by authorised staff only and media removed off site is to high security safes with the permission of the Head of School. In applying for such permission staff/students must detail the full arrangements for security during any movement.
In-line with QUB policies on data retention then data must be stored securely by QUB for at least five years after the end of a research project. In the case of students these should be as electronic, scanned documents or data sets (that have been verified by their supervisor). For staff, the file formats for data storage should adhere to the criteria of the funder (whether electronic or in paper). It is recommended that storage is managed using OneDrive for small datasets and QUB’s Active data storage service for larger datasets. Supervisors/PIs are responsible for uploading data onto the relevant storage service and should consult, prior to data collection,with The Open Access Team who administer access to Active Data Storage services. Supervisors/PIs should also consult with The Open Access Team in relation to archiving datasets on QUB’s Pure platform once research is complete. Further information on data storage can be found at https://libguides.qub.ac.uk/ResearchDataManagement. The Open Access Team can be contacted by email: email@example.com.
Data will not be shared with researchers external to QUB unless there is a lawful basis to do so and research participants have been advised that information will be shared. At times when there is such a requirement to share data with other collaborating institutions or funders, staff will be required to have completed a Data Management Plan (DMP) in consultation with The Open Access Team. The transfer of data will then be managed via 64-bit encrypted point to point file sharing, such as QUB’s own Dropoff facility. Staff should refer to QUB’s policy on data management and consult with The Open Access Team before sharing any research data externally.
- AHSS Specific Policy Schedule
SREC handling and security policy is that no raw, or potentially disclosive data can be printed, written in hard copy or written to removable media or laptops (with the exception of those with secure encrypted discs and subject to point 6, below).
SREC handling and security policy is that such data cannot be shared internally via email. Users can only access the data via the corporate SharePoint or Novell systems which only permit access to those authorised to do so.
Data will not be shared with staff external to AHSS unless they have specific approval from the data supplier and/or explicit ethical consent to do so from research participants and/or data managers where relevant. At times when there is such a requirement to share data with other collaborating institutions or funders the transfer of data will be through encrypted email or via 64 bit encrypted point to point file sharing. If data is to be transferred or matched then specific informed consent must be sought for this at the point of data collection.
In the course of producing summary tables or other outputs for reports, publication or dissertations care shall be taken to ensure small cells cannot indirectly identify individuals, in particular:
- Tables must not report numbers or percentages based on only one or two cases. Cells based on one or two cases should be combined with other cells or when not appropriate, reported as zero. As a general rule then cells containing less than 10 cases should be considered potentially disclosive. Particularly if combined with data presented elsewhere in reports/assignments/dissertations. Careful advice should be sought about this from senior staff who are NILS or ESRC Safe Researcher trained/supervisors/the Ethics Committee.
- Tables and other outputs must not be published in a form where the level of geography would threaten the confidentiality of the data.
- It is strongly recommended that staff and students attend one of the ‘Safe Researcher’ training courses run by the Northern Ireland Longitudinal Study or ESRC if they are handling data that is potentially disclosive.
The above policy supplements the QUB policies on safe data use and storage. These can be found at http://www.qub.ac.uk/directorates/InformationServices/Services/Security/ . All staff and students should be familiar with these policies.
If you have any specific queries in relation to data protection or information governance more generally, please contact the Information Compliance Unit for advice. If you have any specific queries in relation to information security, please contact the IT service desk.