Working with sensitive data
Protecting your Data (intranet login to access) provides useful guidance on handling and storing work-related information as does the University’s IT Security & Use Policy. Our Store files page (intranet login to access) also has advice on classifying information and what areas of storage are suitable.
Encrypting sensitive data
Encryption transforms data so that only those holding the correct decryption key (or the password from which that key is derived) can read it; unlike mere obfuscation, it is designed to resist a determined attacker. The strength of encryption refers to how difficult it would be for an attacker to recover the data without knowing the key in advance, and this depends both on the algorithm used and on the key, in particular its length and how it was chosen.
The tool you use for encryption should tell you which algorithm it will use and may give you a choice. The Information Commissioner's Office currently recommends using the AES-128 or AES-256 encryption methods, of which the latter (with its longer key) is stronger.
Most file-encryption tools derive the key from a password, so the encryption is only as strong as that password. Use a long passphrase that is not reused elsewhere, and keep it separate from the encrypted data.
Information about encryption options can be found within the protecting your data section (intranet login to access) under my IT. For further information see Encryption – Information Commissioner's Office.
Storing sensitive data
Using external storage providers
While external services such as Dropbox are convenient, they do not comply fully with the University's data policies due to the following issues:
- data may be stored in jurisdictions which do not provide the same level of privacy and data protection as the European Economic Area;
- they do not interact well with existing University storage services;
- they do not provide sufficient guarantee of continued availability;
- extra precautions must be taken in order to ensure more than one person at the University has access to the data, in case of researchers leaving the University.
Such solutions should therefore be avoided for sensitive data. If you are nevertheless considering an external storage provider, perhaps because of conditions imposed by external collaborators, only use one that allows you to take all of the following security measures:
- Encrypt the data in transit between your local system and the external storage, for example by using protocols such as HTTPS or SFTP.
- Encrypt the data at rest on the remote storage, ideally with a key that you hold rather than the provider, so that the provider cannot read the data itself.
- Store the data only in data centres operating in jurisdictions which provide the same level of privacy and data protection as the European Economic Area, or that are contractually bound by the EU Model Clauses.
Securing computer equipment
Even if the data are stored securely, there is a risk that unauthorised persons might access the data using the credentials and equipment of authorised users. There are steps that can be taken to mitigate this risk:
- Encrypt the hard drives of any laptops or other portable equipment used for accessing the data.
- Ensure that desktop computers are locked with a password when left unattended.
- Take reasonable precautions when entering passwords that others do not observe what is entered.
- Protecting your Data (intranet login to access)
- Information Security A-Z (intranet login to access)
- Research ethics: Useful resources and tool-kit for applicants (intranet login to access)
- University Data Protection guidance
Transferring sensitive data
Data sent over plain HTTP or by ordinary email is not protected in transit and may be intercepted and read by third parties. Extra precautions need to be taken when transferring sensitive data between collaborators:
- Email can be made more secure by putting the sensitive data in an encrypted attachment. The encryption password should be sent by a separate channel (for example by telephone), never in the same email or email thread.
- Alternatively, the entire content of an email can be protected by encrypting it end to end with a system such as PGP.
- Data can also be transferred on removable media, such as an external hard drive, by a secure courier. The courier to be used should be agreed on and trusted by both parties. The data should be encrypted on the drive and the password sent separately. See Protecting your Data (intranet login to access) for further information.
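The following script is an added example, not code from the original page or from the University's guidance. It shows the file-encryption step described in "Encrypting sensitive data" and in the encrypted-attachment bullet above: a file is encrypted with AES-256 under a key derived from a passphrase (PBKDF2 with a high iteration count, so that guessing passphrases is slow), the passphrase is passed through the environment rather than on the command line (where other users on the machine could read it with ps), and the wrong passphrase is shown not to recover the data. It assumes openssl(1) version 1.1.1 or later is installed; the file names, sample CSV and passphrases are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): encrypt a file with AES-256
# under a passphrase-derived key before sending it as an email attachment,
# then verify that only the correct passphrase recovers it.
# Sample data, file names and passphrases are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample "sensitive" dataset.
printf 'participant_id,age,postcode\nP001,34,W1W 6UW\n' > "$WORK/plain.csv"

# encrypt_file PASSPHRASE PLAINTEXT CIPHERTEXT
# -pbkdf2 -iter 600000 derives a 256-bit key from the passphrase with
# PBKDF2-HMAC-SHA256; -salt makes the derived key unique per file.
# The passphrase is handed to openssl via the environment (-pass env:),
# never as a command-line argument, so it does not appear in 'ps' output.
encrypt_file() {
  ENC_PASS="$1" openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -md sha256 \
    -pass env:ENC_PASS -in "$2" -out "$3"
}

# decrypt_file PASSPHRASE CIPHERTEXT PLAINTEXT
# Same parameters with -d. A wrong passphrase normally makes openssl exit
# non-zero ("bad decrypt"); on the rare occasions the padding check passes
# by chance, the output is garbage rather than the original data.
decrypt_file() {
  ENC_PASS="$1" openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -md sha256 \
    -pass env:ENC_PASS -in "$2" -out "$3" 2>/dev/null
}

# roundtrip_ok PASSPHRASE: succeeds only if decrypting plain.csv.enc with
# PASSPHRASE reproduces plain.csv byte for byte.
roundtrip_ok() {
  decrypt_file "$1" "$WORK/plain.csv.enc" "$WORK/out.csv" || return 1
  cmp -s "$WORK/plain.csv" "$WORK/out.csv"
}

# ciphertext_hides_plaintext: the encrypted file must not contain the CSV
# header in the clear.
ciphertext_hides_plaintext() {
  ! grep -q participant_id "$WORK/plain.csv.enc"
}

GOOD_PASS='correct horse battery staple 2024!'   # constructed passphrase
encrypt_file "$GOOD_PASS" "$WORK/plain.csv" "$WORK/plain.csv.enc"
ciphertext_hides_plaintext && echo "ciphertext does not reveal the plaintext header"
roundtrip_ok "$GOOD_PASS" && echo "correct passphrase recovers the file"
roundtrip_ok 'not the passphrase' || echo "wrong passphrase does not recover the file"
```

Two caveats a practitioner should keep in mind. First, openssl enc in CBC mode provides confidentiality only: a tampered attachment is not reliably detected, so if integrity matters as well, use a tool that offers authenticated encryption or attach a separate signature. Second, the passphrase must travel by a different channel from the attachment, as the bullet above says; an encrypted attachment whose password is in the same email protects nothing.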
Disposing of sensitive data
You should ensure that you dispose of sensitive data securely. For example, if you have collected personal data, make sure that your method of disposal adequately protects the identity of participants.
Paper-based sensitive data can be disposed of using the labelled bins found in all office areas.
See also the University of Westminster Records Management Policy.
A researcher in the Westminster Business School needed to write a data management plan for a research project. The project involved the analysis of highly sensitive commercial data from a consortium of industrial collaborators, which would be transmitted to the University by encrypted email in the first instance.
The plan identified nine types of data that would be collected by the project, and specified which of these would contain confidential data. It further specified different handling protocols for each type according to the anticipated level of confidentiality. For example, for the most confidential data, the researcher decided to use a dedicated computer with full-disk encryption, backed up to an encrypted directory on the University P Drive.
In addition, the plan set out the process that would need to be followed if access were requested to the confidential data, a process that respected the non-disclosure agreements reached with the collaborators. It also set out when and how the confidential data would undergo secure disposal.