If you work with personal data or commercially sensitive data, you must manage that research data securely and comply with any relevant data protection legislation and contractual obligations that apply to it.
On this page, you’ll find basic guidance and links to further guidance on storing sensitive data, controlling access to sensitive data, encrypting sensitive data, anonymising sensitive data, transferring sensitive data, and disposing of sensitive data.
Storing sensitive data
The University has identified four information categories (intranet login to access) which determine where you should store your data. Special category personal information (as defined by law) and commercially sensitive data are classified as Highly Confidential and must only be stored on the University's OneDrive and SharePoint. You must not use a personal Google Drive (or any other personal cloud account) to store sensitive data.
If you have to use external storage providers, perhaps because of conditions imposed by external collaborators, you must only use those which provide the following security measures:
- The data is encrypted in transit between your local network and the external storage, for example, by using protocols such as HTTPS or SFTP.
- The data is encrypted at rest in the remote storage.
- The data is stored only in data centres operating in jurisdictions which provide the same level of privacy and data protection as the European Economic Area, or that are contractually bound by EU data protection rules.
If you need to share confidential data with external collaborators, a solution must be agreed in consultation with the Information Compliance Team. Log a ticket with the IT Service Desk outlining your requirements to access additional support.
Controlling access to sensitive data
In many cases you will want to restrict access to your data to a specific list of named individuals, and to review that list when people join or leave the project. You can find guidance on how to set access permissions at file and folder level in OneDrive and SharePoint on the Microsoft Office 365 support pages.
Encrypting sensitive data
You may wish to encrypt data in your storage space, if you have highly confidential information which requires additional security controls or measures.
Encryption is the process of transforming data so that only those holding the correct decryption key (or the password from which the key is derived) are able to read it. The strength of encryption refers to how difficult it would be for an attacker to recover the data without knowing the key in advance, and this depends on both the algorithm and the key used.
The tool you use for encryption should tell you which algorithm it uses and may give you a choice. The Information Commissioner's Office currently recommends AES-128 or AES-256, of which the latter uses the longer key; both are regarded as secure against direct attack on the algorithm.
In practice, most tools derive the key from a password you choose, so the password is the weakest point: an attacker who obtains the encrypted file can guess passwords offline at high speed, and AES-256 offers no protection against a short or guessable password. Whenever setting the password for an encryption method, use a long passphrase that is unique to that file or project, and keep it somewhere other than alongside the encrypted data.
You can find further guidance on data encryption at the UK Data Service.
Anonymising sensitive data
Anonymising or pseudonymising data provides an additional layer of protection against the accidental release of personally sensitive information. Anonymisation should remove both direct identifiers (names, addresses, email addresses) and generalise or remove indirect identifiers (workplace, age, postcode), so that the remaining values cannot be combined with other sources to single out an individual. Pseudonymisation replaces direct identifiers with codes; if a key or link table that can reverse the codes still exists, the data remains personal data under UK GDPR and must be protected as such, with the key stored separately from the data under restricted access.
You can find detailed and extensive guidance on the processes for anonymising data at the UK Data Service.
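The following is an added worked example (not code from the University's guidance or from the UK Data Service) showing the two steps described above on a small constructed participant table: direct identifiers are replaced by a keyed pseudonym and the link table is kept apart from the released data, indirect identifiers are generalised (age into bands, employer into sector), and a k-anonymity check reports whether any combination of the remaining indirect identifiers still singles out one person. All names, email addresses, employers and the sector lookup are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample table (fictional people). "name", "email" and "postcode" are
# direct identifiers; "workplace" and "age" are indirect identifiers that could be
# combined with other sources (a staff list, a LinkedIn profile) to pick out one person.
PARTICIPANTS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "SW1A 1AA",
     "workplace": "Westminster City Council", "age": 34, "score": 7},
    {"name": "Bashir Example", "email": "bashir@example.org", "postcode": "NW1 2BB",
     "workplace": "Camden Council", "age": 38, "score": 5},
    {"name": "Chen Example", "email": "chen@example.org", "postcode": "E1 6CC",
     "workplace": "NHS hospital trust", "age": 27, "score": 9},
    {"name": "Dana Example", "email": "dana@example.org", "postcode": "W1 3DD",
     "workplace": "Acme Ltd", "age": 52, "score": 4},
    {"name": "Eli Example", "email": "eli@example.org", "postcode": "SE1 4EE",
     "workplace": "Globex plc", "age": 57, "score": 6},
    {"name": "Farah Example", "email": "farah@example.org", "postcode": "N1 5FF",
     "workplace": "Initech Ltd", "age": 41, "score": 8},
]

DIRECT_IDENTIFIERS = ("name", "email", "postcode")
# Constructed lookup that generalises a specific employer to a broad sector.
SECTOR = {"Westminster City Council": "public", "Camden Council": "public",
          "NHS hospital trust": "public", "Acme Ltd": "private",
          "Globex plc": "private", "Initech Ltd": "private"}
QUASI_IDENTIFIERS = ("age_band", "sector")   # what remains after generalisation


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated). A plain SHA-256 of an email address
    is not enough: anyone can hash a list of likely addresses and match them.
    With a key held only by the research team, that guessing attack fails."""
    return hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(age: int, width: int) -> str:
    """Generalise an exact age to a band, e.g. 34 -> "30-39" for width 10."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def anonymise(records, key: bytes, band_width: int = 10):
    """Return (released_rows, link_table).

    released_rows: direct identifiers removed, indirect identifiers generalised.
    link_table: pseudonym -> original email, to be stored separately from the
    released data under restricted access (and destroyed once re-contact is
    no longer needed). While it exists, the released rows are still personal data.
    """
    released, link_table = [], {}
    for r in records:
        pid = pseudonym(r["email"], key)
        link_table[pid] = r["email"]
        released.append({
            "participant": pid,
            "age_band": age_band(r["age"], band_width),
            "sector": SECTOR.get(r["workplace"], "other"),
            "score": r["score"],                      # the research variable itself
        })
    return released, link_table


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest group size over all combinations of quasi-identifiers.
    k == 1 means at least one person is the only one with their combination."""
    counts = Counter(tuple(row[q] for q in quasi) for row in rows)
    return min(counts.values())


def singletons(rows, quasi=QUASI_IDENTIFIERS):
    """The quasi-identifier combinations that single out exactly one person."""
    counts = Counter(tuple(row[q] for q in quasi) for row in rows)
    return sorted(combo for combo, n in counts.items() if n == 1)


if __name__ == "__main__":
    import secrets
    key = secrets.token_bytes(32)   # keep with the link table, never with the released data
    for width in (10, 20):
        rows, link = anonymise(PARTICIPANTS, key, width)
        print(f"{width}-year bands: k = {k_anonymity(rows)}, singled out: {singletons(rows)}")
```

With 10-year bands two people are still unique (the only public-sector participant in their twenties, the only private-sector participant in their forties); widening the bands to 20 years gives every combination at least three members. The right width depends on the dataset, so run the check on the real table rather than assuming that removing names was enough.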
Transferring sensitive data
You may sometimes need to send data to people who don't have access to your secure storage space. Encrypting a file before you send it by an insecure means such as email ensures that the contents can only be read by someone who has the password; send the password by a different channel (for example, by phone or in person), never in the same email or in a follow-up email to the same address.
You can find further information on email encryption options on our protecting your data page (intranet login to access).
Data can also be transferred on removable media, such as an external hard drive, by a secure courier. The courier should be agreed on and trusted by both parties. The data must be encrypted on the drive and the password sent separately, by a different route from the drive itself.
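The point made in both the encryption section and this one, that a strong algorithm cannot rescue a weak password, is easiest to see by running the password-to-key step that encryption tools perform. The following is an added example, not a tool recommended by the University: it derives an AES-256-sized key from a password with PBKDF2-HMAC-SHA256, then plays the role of an attacker who has obtained the encrypted file (and therefore the salt and iteration count stored with it) and guesses passwords offline. The PIN, the passphrase and the iteration count are constructed for the demo; real tools use far more iterations, which slows each guess but does not change the arithmetic.

```python
import hashlib
import hmac
import os

KEY_LEN = 32             # 256 bits: the size of an AES-256 key
DEMO_ITERATIONS = 1_000  # constructed for speed; real tools use hundreds of thousands
                         # of PBKDF2 iterations (or a memory-hard KDF such as Argon2)


def derive_key(password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> bytes:
    """Turn a password into a fixed-length key with PBKDF2-HMAC-SHA256.

    The salt and iteration count are stored in the encrypted file's header so the
    recipient can repeat the derivation; an attacker with the file has them too.
    Only the password is secret, so the key is exactly as strong as the password.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def offline_guess(target_key: bytes, salt: bytes, candidates, iterations: int = DEMO_ITERATIONS):
    """Offline attack: repeat the derivation for each candidate until the key matches.

    Returns (password, tries) on success, or (None, tries) if the space is exhausted.
    """
    tries = 0
    for candidate in candidates:
        tries += 1
        if hmac.compare_digest(derive_key(candidate, salt, iterations), target_key):
            return candidate, tries
    return None, tries


def four_digit_pins():
    """Every 4-digit PIN in order; the whole space is only 10,000 guesses."""
    return (f"{n:04d}" for n in range(10_000))


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates for a password of `length` symbols from an alphabet."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def demo(guesses_per_second: float = 1e6):
    """Recover a PIN-protected key, then compare search spaces.

    The 1e6 guesses/second figure is a constructed round number for illustration;
    real rates depend on the KDF cost and the attacker's hardware.
    """
    salt = os.urandom(16)                     # fresh per file, stored in the header
    weak_key = derive_key("0417", salt)       # constructed weak password
    found, tries = offline_guess(weak_key, salt, four_digit_pins())

    pin_space = search_space(10, 4)           # 4 digits
    # Four words from a 7,776-word list (a Diceware-style passphrase such as
    # "orbit tulip canyon pencil", constructed here): 6**20 candidates.
    passphrase_space = search_space(7776, 4)
    return {
        "found": found,
        "tries": tries,
        "pin_space": pin_space,
        "pin_years": years_to_exhaust(pin_space, guesses_per_second),
        "passphrase_space": passphrase_space,
        "passphrase_years": years_to_exhaust(passphrase_space, guesses_per_second),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The PIN is recovered on the 418th guess, whatever the algorithm the key is later used with; the passphrase space is around 3.7 million billion candidates, which at a million guesses a second takes over a century to exhaust. This is why the password is sent by a separate channel: an attacker who intercepts the file alone should have nothing but that search to fall back on.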
Disposing of sensitive data
You should ensure that you dispose of sensitive data securely, including copies on backups, removable media and shared drives. For example, if you have collected personal data, you should ensure that your methods of disposal provide adequate protection for the identity of participants: deleting a file is not enough on its own if the underlying storage or a backup still holds it.
You should also familiarise yourself with the University of Westminster Records Management Policy.
If you are collecting or using research data about individuals, you should read the University’s Code of Practice for the Ethical Conduct of Research (PDF).
The Information Security and Compliance team have written guidance on protecting your data (intranet login to access) and handling and storing work-related information.
You can find further guidance on working with sensitive research data at the UK Data Service.
For further guidance and support, contact the Research Data Management Officer at [email protected].