Skip to main content

Creating, collecting and classifying data and information

Learn how to create and classify data and information responsibly by following legal guidelines, minimising collection and ensuring security.

Before you start working with data and information, you should understand the Data Protection Act 2018 sets out seven principles that must be adhered to when collecting, using, and reusing any data or information: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

Personal data

These principles apply to all data and information, whether personally identifiable or not. However, when creating or collecting personal data or information you must:

  1. have a lawful basis for processing
  2. inform data subjects of your purpose
  3. collect only the minimum data needed

If using data or information you did not collect yourself, you must check that the data can be re-used; the reuse must be compatible with the original purpose for collection.

Furthermore, if working with special category data, then stricter regulations apply.

Classifying data and information

Understanding how to classify and handle data is crucial for maintaining security and compliance. The University’s Information Classification Scheme categorises data and information into three levels:

  • highly restricted
  • restricted
  • internal

These classifications determine how data should be labelled, handled, and protected.

When handling any data or information that is not Public, safeguard it like you would a password. Use strong, secure passwords (Cyber Aware suggests using three random words) and never store them in easily accessible places. When sharing password-protected files, send passwords separately via another medium (e.g., text or call) and ensure passwords are accessible to more than one person to avoid data loss if access is restricted unexpectedly.

Data Management Plans (DMPs) for research

Every research project should begin with a Data Management Plan (DMP). A DMP outlines your data management approach, helps identify potential issues early, and is particularly valuable for collaborative research efforts, ensuring smooth and compliant data management throughout your project.

Researchers must also be mindful of the University’s Research Data Policy, especially when working on funded projects (e.g. UKRI, Wellcome, EU) and in fields that may be subject to export controls.

In STEM fields, always ask, “is my data controlled?” and consult the export control policy checklist to identify and adhere to legal obligations. Further support can be found via the Research Governance and Compliance team.

Find out who to contact for support

Find the right team

On this page