Working with data: Sensitive data

If you are working with commercially sensitive data, personal data or restricted data, you need to take extra precautions to ensure that they can only be viewed by those with permission to do so. These may include encryption or other special measures when storing, transferring and disposing of data. 

Encryption is the process of obfuscating data so that only those with the correct decryption key or password are able to read them. The strength of the encryption refers to how difficult it would be for an attacker to decrypt the data without knowing the key in advance, and this depends on the method and the key used. Ensure that you always use strong password for any encrypted files or folders and that you keep the key safe. If you lose the decryption key the data will be unrecoverable even by Computing Services. 

Encryption can be applied to folders (the Digital, Data and Technology Group can set up encrypted folders on the X:Drive), to files or to entire devices such as laptops, external drives and USB sticks. You can order an encrypted USB stick (Kingston Data Traveller Locker+ G3) from the IT shop by emailing ITP@bath.ac.uk.

Note: if you need to access files stored in an encrypted folder on the University managed servers (X: or H: Drive) you will need to do so by mapping the drive to your local PC or laptop and accessing the University network via VPN. You will also need VeraCrypt installed on your local PC or laptop. It is not possible to access files stored in encrypted folders on the University system via files.bath or UniApps. 

There is more information on encryption on the following webpages: 

• Information Commissioners Office guidance on encryption
• UK Data Service guidance on encryption

You can also contact your local IT supporter for more information on encryption. 

The following advice relates to your University of Bath file storage options, although before processing, storing or transferring any research data, it is recommended that you check your grant, partner or contractual agreements in case you are obligated to store your research data on a storage option not listed below. However, wherever you store your research data, it must be secure and if you are dealing with personal data, the storage must be compliant with UK Data Protection legislation.

University X: Drive

It is possible to restrict access to folders on the X drive and to request for an encrypted folder to be set up by your local IT supporter. If you are working with personal data, or commercially sensitive data, you should consider: 

• storing commercially sensitive or identifiable personal data in an encrypted folder on the X: Drive
• storing related non-identifiable anonymised or pseudoanonymised data in a separate restricted access folder on the X: Drive. 

Both the NHS and ESRC require identifiable personal data to be stored in an encrypted folder separately from anonymised or pseudoanonymised study data. 

You only need to request that an encrypted folder is set up where the data need to be made inaccessible to system administrators. 

Cloud storage: enterprise vs. personal

When contemplating the use of cloud storage for research and the storage of sensitive data, it is important to differentiate between cloud storage that is enterprise-grade (e.g. provided by an institution/ university account) vs. a non-institutional (personal) account.

While personal accounts for external cloud services such as Dropbox, Google Drive and OneDrive are convenient, they do not comply fully with the University's data policies due to the following issues: 

• data may be stored in jurisdictions outside the European Economic Area and therefore are unlikely to be compliant with EU Data Protection legislation (General Data Protection Regulation, GDPR)
• they do not interact well with existing University storage services
• they do not provide sufficient guarantee of continued availability
• extra precautions must be taken in order to ensure that more than one person at the University has access to the data, in case of researchers leaving the University.

Personal cloud-based storage solutions must not be used for sensitive data. 

However, when using cloud storage, the above issues can be addressed via the use of enterprise-grade cloud storage provided for by the university as they are resilient and meet the NCSC’s 14 cloud security principles. Computing Services provide advice on storing information in the cloud.

If you are working with external research partners and they propose the use of cloud storage, ensure that this storage is enterprise-grade.

Securing computer equipment

If you are working away from the University during your research and the only option is to store sensitive data on an external device, such as a laptop, you should take the following precautions: 

• your laptop and any external hard drives should be encrypted, you can contact the University IT Security Manager for advice on encrypting your laptop
• ensure that any devices holding sensitive data are stored separately from each other and are locked away when not in use
• take reasonable precautions when entering passwords that others do not observe what is entered
• transfer data onto the University X:Drive when you have access to a secure internet connection (HTTPS or SFTP)
• when you no longer need to keep sensitive data on your laptop or external hard drive ensure that the data are deleted securely or that your device is disposed of in a secure way. You can contact Estates for the secure disposal of hardware and the Digital, Data and Technology Group for the secure deletion of files from your hard drives. 

Transmission over a standard HTTP or email is not secure, and may be intercepted and read by third parties. Extra precautions need to be taken when transferring personal data between collaborators:

• email can be made more secure by putting the personal data in an encrypted attachment. The encryption passwords should be transferred separately from the files and by other means
• the entire content of an email can be encrypted with a system such as PGP. If you wish to set this up for your University email account, please contact the IT Security Manager
• collaborators can be given a University computing account for up to 12 months at a time. Through this account they can be given permissions to transfer data directly into certain folders on the X:Drive
• data can also be transferred on removable media, such as an external hard drive, by a secure courier. The courier used should be agreed on and trusted by both parties. The data should be encrypted on the drive and the password sent separately. It is good practice to double package the data, with the inner packaging marked 'confidential' and the outer packaging only marked with the recipient's address. 

Data transfer or sharing agreements

Before getting to the stage of sharing research data, researchers should consider the suitability and potential risks of research data transfer to collaborators and whether the appropriate safety measures are in place before any agreements are signed. It is recommended that you understand how to protect you and your research and are aware of the University's Export Control Policy.

If you are sharing identifiable or pseudoanonymised (containing a participant identifier that can be used to re-identify the participant) between collaborators there may need to have a data transfer agreement or data sharing agreement between the data controller and the institution that the data are being transferred to. If the University of Bath has been identified as data controller in a project then you should contact the Data Protection team to determine whether a data transfer agreement is needed.  

Transferring data to a transcription service

In order to comply with the Data Protection Act you should avoid transferring personal data (such as audio files) or special category personal data (such as video files) to a transcription service that is based outside the European Economic Area (EEA).

• Be especially careful if you are transferring personal data to an online transcription service because the location of the servers might be outside the EEA.
• If you are transferring identifiable data you might need to set up a data transfer agreement with the transcription service, depending on their terms and conditions. If you are unsure please contact the Data Protection team for advice.
• Ensure that you transfer data only using a secure connection (HTTPS/ SFTP) and ensure that all links to the service are password protected. 

Transferring personal data outside the European Economic Area

Transferring identifiable personal data outside the EEA may result in a breach of the Data Protection Act. Therefore, personal data that has not been fully anonymised must not be transferred out of the European Economic Area (EEA). Transfer of personal data (securely) is permitted for the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom. 

Transfers of data to Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay are considered by the EU Commission to be 'adequate' in terms of their data protection. If you are unsure about whether or not you can transfer identifiable personal data please contact the Data Protection team for advice.

The UKRI guidance on best practice in the management of research data stipulates that 'any reasonable steps should be taken to ensure that research data are not held in any jurisdiction where the available legal safeguards provide lower levels of protection than are available in the UK. 

Transferring data from outside the EEA to the UK

If you are collecting your data abroad in a country outside the EEA you should ensure that you do the following: 

• find out about local data protection legislation from a collaborator or relevant embassy and make sure that you are working at all times within the local data protection laws.
• at all times manage your data according to UK Data Protection legislation. 
• check whether you need permission to transfer personal data (identifiable data) to the UK or whether you are only permitted to transfer anonymised data. 
• transfer the data to the University managed servers (X: or H: Drive) as soon as possible after collection via files.bath when you have a secure internet connection that will allow the data transfer. 
• check that the data are on the University managed servers before you delete it from your portable devices. 
• remember that once personal data are on the University managed servers that they are subject to UK data protection legislation. If you need to transfer personal data to a collaborator you will (a) need a Data Sharing Agreement and (b) should consult with the Data Protection Team if the collaborator is outside the EEA. 

You should should ensure that you dispose of sensitive data (commercial or personal) securely and you may need to provide a certificate of data destruction to comply with the terms of some third party data providers. 

Digital data

The Digital, Data and Technology Group can provide assistance with deletion tools to ensure the secure erasure of data from computers and other digital storage. 

Digital recording equipment loaned from the Audio Visual Unit undergoes a hard reformat once it is returned. The data on the memory card is deleted and overwritten, and the table of contents removed. 

IT equipment is disposed of by contacting Estates. Human Resources also provide guidance on the disposal of computers and media storage devices (PDF) that contain sensitive information. 

Non-digital data

Paper-based sensitive data (commercial or personal) can be disposed of using the University's confidential paper waste disposal service. This service can also advise on the secure disposal of CDs, DVDs, and other media. 

Anonymisation and the Data Protection Act

If you fully anonymise personal data they are no longer considered to be personal data, and therefore do not fall under Data Protection legislation. However, fully anonymising data can be complex because you need to consider the risk of re-identification of data subjects - not just from the dataset itself, but from other available data, including data sources that may be available online. 

One test that can be used to think about whether your data can be, or have been, anonymised is the 'motivated intruder' test. According to the Information Commissioners Office guidance, the 'motivated intruder' ' is taken to be a person who starts without any prior knowledge but who wishes to identify the individual from whose personal data the anonymised data has been derived'. The motivated intruder would be assumed to 'be reasonably competent, has access to resources such as the internet, libraries, and all public documents, and would employ investigative techniques such as making enquires of people who may have additional knowledge of the identity of the data subject or advertising for anyone with information to come forward'.

Processes for anonymising data

The UK Data Service provides extensive and detailed guidance on anonymising quantitative and qualitative data. The table below summarises processes for anonymising quantitative and qualitative data from the UK Data Service guidance. 

If you do not think that you can confidently anonymise data do not make it openly available to the public. Instead, share it using access restrictions.