Working with sensitive data

The University recognises three levels of sensitive data and information in its Information Classification Framework: Internal Use, Restricted and Highly Restricted. The latter two are defined as data whose inappropriate disclosure would have a negative impact on the University.

In the context of research, the most common reasons for data being Restricted or Highly Restricted include

  • the involvement of human subjects, particularly where the research involves sensitive personal data such as health records;
  • the involvement of commercial collaborators, particularly where the data could be construed as competitive intelligence;
  • working under the terms of a non-disclosure agreement.

If you are working with sensitive data, you need to take extra precautions to ensure they can only be viewed by those with permission to do so. These may include encryption or other special measures when storing, transferring and disposing of data.

Encrypting sensitive data

Many of the techniques for dealing with sensitive data involve some form of encryption. Encryption is the process of obfuscating data so that only those with the correct decryption key or password are able to read them. The strength of encryption refers to how difficult it would be for an attacker to decrypt the data without knowing the key in advance, and this depends on both the method and the key used.

The tool you use for encryption should inform you of the method it will use and may give you a choice. The Information Commissioner's Office currently recommends using the AES-128 or AES-256 encryption methods, of which the latter is stronger.

Whenever setting the key to be used by an encryption method, be sure to use a strong password. You must keep the key safe, as if it is lost the data will be unrecoverable, and conversely if it is leaked the encryption will cease to offer protection.

For more information about encryption, contact your departmental IT supporter or consult the following resources:

Storing sensitive data

Using the University X Drive

It is possible to restrict access to folders on the X Drive, so that only certain individuals or groups are allowed to view and edit the contents. A typical configuration for project folders is to allow access only to members of the project team, but it is also possible to set up folders within the project folder that are restricted to fewer users. That said, it is strongly recommended to apply any differences in access permissions as high up the folder hierarchy as possible (that is, as early in the path as possible), rather than on deeply nested subfolders. For more information about this, please contact your departmental IT supporter.

For particularly sensitive data, the agreements reached with third parties may require that the data is also made inaccessible to system administrators. In such cases, it is possible to set up an encrypted folder on the X Drive such that only those with access permissions and a decryption password are able to view and edit the contents. For more information, please contact the University IT Security Manager.

Using external storage providers

While external services such as Dropbox, Google Drive and OneDrive are convenient, they do not comply fully with the University's data policies due to the following issues:

  • data may be stored in jurisdictions which do not provide the same level of privacy and data protection as the European Economic Area;
  • they do not interact well with existing University storage services;
  • they do not provide sufficient guarantee of continued availability;
  • extra precautions must be taken in order to ensure more than one person at the University has access to the data, in case of researchers leaving the University.

Cloud-based solutions should therefore be avoided for sensitive data. If you are considering using external storage providers nevertheless, perhaps because of conditions imposed by external collaborators, you must only consider those which will allow you to take the following security measures:

Securing computer equipment

Even if the data is stored securely, there is a risk that unauthorised persons might access the data using the credentials and equipment of authorised users. There are steps that can be taken to mitigate this risk:

  • Encrypt the hard drives of any laptops or other portable equipment used for accessing the data.
  • Ensure that desktop computers are locked with a password when left unattended.
  • Take reasonable precautions when entering passwords that others do not observe what is entered.

The University provides an online training course on Information Security. For more information about securing computer equipment, please contact the University IT Security Manager.

Further information about storing sensitive data

Transferring sensitive data

Transmission over standard HTTP or email is not secure, and may be intercepted and read by third parties. Extra precautions need to be taken when transferring sensitive data between collaborators:

  • Email can be made more secure by putting the sensitive data in an encrypted attachment. The encryption password should be transferred by other means.
  • Alternatively, the entire content of email can be made secure by encrypting it with a system such as PGP. If you wish to set this up for your University email account, please contact the University IT Security Manager.
  • Collaborators can be given a University computing account for up to twelve months at a time, subject to the completion of the necessary agreements. Through this account, they could be given permissions to transfer data directly into certain folders on the X Drive.
  • Data can also be transferred on removable media, such as an external hard drive, by a secure courier. The courier to be used should be agreed on and trusted by both parties. The data should be encrypted on the drive and the password sent separately.

Disposing of sensitive data

You should ensure that you dispose of sensitive data securely. For example, if you have collected personal data, you should ensure that your methods of disposal provide adequate protection for the identity of participants.

Furthermore, you might be required to demonstrate that you have complied with any requirements to destroy third-party data in accordance with their terms of use.

Digital data

Computing Services can provide assistance with deletion tools to ensure the secure erasure of data from computers and other digital storage.

Digital recording equipment loaned from the Audio Visual Unit undergoes a hard reformat once it is returned. The data on the memory card is deleted and overwritten, and the table of contents removed.

IT equipment can be disposed of by contacting Estates. Human Resources also provide guidance on the disposal of computers and media storage devices (PDF) that contain sensitive information.

Non-digital data

Paper-based sensitive data can be disposed of using the University's confidential paper waste disposal service. This service can also advise on the secure disposal of CDs, DVDs or other media.

Further information about disposing of sensitive data

Example case of working with sensitive data

A researcher in the school of management needed to write a data management plan for a research project. The project involved the analysis of highly sensitive commercial data from a consortium of industrial collaborators, which would be transmitted to the University by encrypted email in the first instance.

The plan identified nine types of data that would be collected by the project, and specified which of these would contain confidential data. It further specified different handling protocols for each type according to the anticipated level of confidentiality. For example, for the most confidential data, the researcher decided to use a dedicated computer with full-disk encryption, backed up to an encrypted directory on the University X Drive.

In addition, the plan set out the process that would need to be followed if access were requested to the confidential data, a process that respected the non-disclosure agreements reached with the collaborators. It also set out when and how the confidential data would undergo secure disposal.

Further information about securing sensitive data