
ResMAP: Data Security

Mapping the research journey for Post Graduate and Doctoral Researchers


Information Commissioner on Research Data

Data Security and Storage

Birmingham City University includes the following statement in the GUIDELINES AND PROCEDURES FOR GOOD RESEARCH PRACTICE:

"Research Councils expect data to be securely held for a period of ten years after the completion of a research project. Data generated in the course of research must therefore be kept securely in paper or electronic form. The means of data storage should be appropriate to the task. Primary electronic data should be stored on a central server, in addition to any storage that is maintained at the local level. If individuals responsible for generating the data relocate, a set should be maintained in the University. This is important for research that is funded by research councils but it also applies to research that is funded from other sources."

Principle 7 of the Data Protection Act states "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

Whatever the source of your data, the following advice should be heeded:

  1. Check the Information Commissioner web site to ensure that the intended method of data storage complies with legislative guidelines.
  2. Check the Information Commissioner web site to ensure that any personal information either collected as part of the data harvesting process or held for administrative purposes is stored in compliance with the guidelines.
  3. Check with any sponsoring / funding organization for any procedures they have with which you may need to comply.
  4. Make sure there are written and legally enforceable agreements in place regarding ownership of the data, particularly where there may be Patent or commercial applications.
  5. Consider who will have access to the data. What access rights will stakeholders have? Ensure that there are systems in place that make it impossible for those who are not entitled to access the data to do so.
  6. Ensure that stakeholder access, and any use stakeholders may want to make of the project data after the end of the project, is covered by legally enforceable agreements, and that such agreements are available to research participants before consent to participation is given.
  7. If you have raw data stored on a personal device, consider what will happen at the end of your research. Deleting files is not a secure method of data destruction. The only effective method for removing data is to physically destroy the storage medium (hard disk, USB drive, etc.). A large hammer or very powerful industrial magnet can be effective!
  8. ALWAYS HAVE A BACKUP OF ANY DATA YOU COLLECT and create a backup at regular intervals! Mobile devices such as a laptop, iPad or external memory/hard disc are not good backup devices. They can be lost or stolen. They fail. Some organizations provide central server space for research data, which will also be backed up. Also be careful when using Google Docs or Drive, etc. for the storage of research data, especially if this includes personal information. Many cloud-based services do not provide high levels of security and therefore may not meet Principle 7 of the Data Protection Act.