Guidance on storing sensitive data

What classes as sensitive/special category data?

Personal data is information that could be used directly or indirectly to identify a person such as a name or address. Special category data is personal data that needs more protection because it is sensitive. The General Data Protection Regulation (GDPR) defines sensitive data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health and/or genetic data, a person's sex life and/or sexual orientation. In addition, data relating to rare or endangered animal/plant species and data generated under a commercial research funding agreement will need to be treated with extra protection. 

Any projects that involve working with human participants and/or animals will need to have gone through a University Ethics Review. Projects in the Arts and Social Sciences may also produce sensitive personal data, e.g. when interviewing a person you will often get their political, religious and/or philosophical opinions, which are all classed as sensitive data.

Legal Services at the University provides guidance on personal data (University login required) including on processing personal data for research. Projects that will process personal data are required to complete a Data Protection Impact Assessment (DPIA) which will help identify data protection risks and reduce them.

Note too that non-personal data may also be classed as sensitive for a number of reasons e.g. commercial sensitivities or because of intellectual property rights.

Medical data

Guidelines for storage of patient-identifiable medical data should be provided by the Research Funder and usually require data encryption and/or pseudo-anonymisation, where a code is used to identify patients and the code is kept separate from the medical data. When you are working with medical data, please consult your local College IT Services team for advice on encryption and whether you can use BEAR DataShare or the Research Data Store.
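The following added example (not part of the original guidance, and not a funder's or the University's procedure) shows the pseudo-anonymisation described above: direct identifiers are replaced with a random code, and the code-to-patient key is produced as a separate file. The column names and sample records are constructed for illustration.

```python
import csv
import io
import secrets

# Constructed sample records; column names are assumptions for this example.
SAMPLE = """name,date_of_birth,visit,diagnosis
Alex Example,1980-01-02,2023-03-01,asthma
Sam Sample,1975-06-30,2023-03-02,diabetes
Alex Example,1980-01-02,2023-04-11,asthma review
"""
IDENTIFIERS = ("name", "date_of_birth")  # direct identifiers to strip


def pseudonymise(rows, identifiers=IDENTIFIERS):
    """Return (research_rows, key_rows).

    research_rows carry a random participant code in place of identifiers.
    key_rows map each code back to the identifiers and belong in a
    separate, more tightly restricted location.
    """
    codes = {}  # identifier tuple -> code, so repeat visits share one code
    research_rows, key_rows = [], []
    for row in rows:
        ident = tuple(row[f] for f in identifiers)
        if ident not in codes:
            # Random code rather than a hash of the name: a hash of a
            # guessable identifier can be reversed by trying candidates.
            code = "P-" + secrets.token_hex(8)
            while code in codes.values():
                code = "P-" + secrets.token_hex(8)
            codes[ident] = code
            key_rows.append({"code": code, **dict(zip(identifiers, ident))})
        kept = {k: v for k, v in row.items() if k not in identifiers}
        research_rows.append({"code": codes[ident], **kept})
    return research_rows, key_rows


def to_csv(rows):
    """Serialise a list of dicts to CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    research, key = pseudonymise(csv.DictReader(io.StringIO(SAMPLE)))
    print(to_csv(research))  # file the research team works with
    print(to_csv(key))       # key file, stored separately from the data
```

Removing direct identifiers does not by itself anonymise the data: remaining columns such as visit dates or free text can still identify a person, so the coded file still needs protection.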

Interview data

Interview data requires careful management as even if a subject discussed is not classed as sensitive, the individual is likely to be identifiable – this can be managed depending on how the data is recorded:

  1. A video recording will be the most identifiable and hence most sensitive data, which will require the highest level of protection.

  2. An audio recording will still contain the voice of an individual (unless disguised) so even if they do not disclose any identifying information such as their name, it is still classed as sensitive data because their voice is an identifying characteristic.

  3. A transcript of an interview is the safest way to store data as it can be anonymised by removing identifying information or replacing it with pseudonyms. The UK Data Service provides guidance and tools for anonymising data. However, there may be occasions when the tone of voice used is important and data can be lost when transcribed, e.g. in Psychology.

Storage of sensitive data on BEAR

The Birmingham Environment for Academic Services (BEAR) is managed by Advanced Research Computing and amongst other things, provides resilient data storage holding research data in University data centres on campus. The service includes routine backup across multiple data centres for disaster recovery purposes. The data stored in BEAR is not encrypted so if you wish to store sensitive data then there are some considerations to be made (see 'Risk assessment of data encryption' below).

Which BEAR storage should I use?

Although BEAR DataShare is more secure than using external Cloud sync and share services, it is not intended as a secure store for the retention of research data. Our most secure storage where valuable research data should be stored is the Research Data Store. This is because:

  1. Access to the data is controlled by the Principal Investigator of the project or a designated Data Manager only;
  2. The data can only be accessed on campus or through the two-factor authentication remote access service (see https://kb.bham.ac.uk/KB13628).

However, there may be times when it is appropriate and necessary to send sensitive research data to external collaborators, e.g. to get interviews transcribed. In this case we would advise encrypting or at least password-protecting your data before uploading it and sharing it using BEAR DataShare.

When shouldn't I use BEAR storage?

When handling personal sensitive data, follow any guidance provided by your Funder or any organisations that you are working with and any procedures agreed in the Ethics application for the project. You can also get advice from your local College IT Services team.

Please note: BEAR storage cannot be used for NHS clinical data.

Research Data Matrix

We have compiled some detailed examples and guidance on what can and cannot be stored on BEAR storage in collaboration with the Legal Office, Research Governance and Ethics - see our Research Data Matrix.

Risk assessment of data encryption

The University provides guidance and policies on the use of encryption products on their IT policy and procedures webpage: https://collaborate.bham.ac.uk/it/itas/Published/Guidelines/Guidelines%20-%20Encryption%20Products.pdf (University login required)

If data encryption is not required by your Research Council or commercial funder, you may still choose to encrypt it if it is important to keep the data confidential.

Before you decide whether to encrypt your data, there are some risks to be aware of:

  1. If the owner of the data loses the decryption key or password, then the data will be lost and cannot be restored from backups.
  2. The encryption product used can affect how secure the data is.
  3. Consider continuity of data access by securing a backup or escrow key (where an authorised third party can access the decryption key under certain circumstances). Please consult Legal Services for more information.
  4. When data is stored on any central system without encryption, system administrators in IT Services may be able to access your data. However, misuse of data or unauthorised disclosure would be a breach of contract and subject to University disciplinary procedures, therefore this risk is generally considered to be very low.

Some encryption products can be installed via the ‘My Apps’ link on your desktop (Windows only). If you are unsure which encryption product to choose after reviewing the online guidance from IT Services, then talk to your local College IT Services team.
