Guidance on Storing Sensitive Data

What classes as sensitive data?

Personal data is information that could be used directly or indirectly to identify a person such as a name or address. Special category data is personal data that needs more protection because it is sensitive. The General Data Protection Regulation (GDPR) defines sensitive data as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health and/or genetic data, a person's sex life and/or sexual orientation. In addition, data relating to rare or endangered animal/plant species and data generated under a commercial research funding agreement will need to be treated with extra protection. 

Any projects that involve working with human participants and/or animals will need to have gone through a University Ethics Review. Projects in the Arts and Social Sciences may also produce sensitive personal data, e.g. when interviewing a person you will often get their political, religious and/or philosophical opinions, which are all classed as sensitive data.

Legal Services at the University provides guidance on personal data (University login required), including on processing personal data for research. Projects that will process personal data are required to complete a Data Protection Impact Assessment (DPIA) which will help identify data protection risks and reduce them.

Note too that non-personal data may also be classed as sensitive for a number of reasons e.g. commercial sensitivities or because of intellectual property rights.

Medical data

Guidelines for storing patient-identifiable medical data should be provided by the Research Funder and usually require data encryption and/or pseudo-anonymisation, where a code is used to identify patients and the identifying code is kept on a separate storage system from the research data, e.g. the University of Birmingham's Microsoft 365 storage. Microsoft 365 User Guidelines (University login required) state that it can be used for personal data, subject to contractual agreements for data storage. When you are working with medical data, please consult your local College IT Services team for advice on encryption and whether you can use the Research Data Store.

Clinical Trial data

No BEAR storage service (including support) has been funded or designed for use in clinical trials. The RDS is Birmingham's research data store and, although robust, is built for capacity and performance over any guarantee of availability and will be subject to periodic downtime for maintenance. Data stored in the RDS is backed up as a matter of routine but only archived on request and for a period of 10 years, after which it is automatically deleted (see retention information here). Active steps will need to be taken by the PI or their successor within that 10-year period if an extension to the archive is required. It is the responsibility of the requesting PI to satisfy themselves that the requirements of their project and funder are adequately met by this service and that all data is anonymised.

Interview data

Interview data requires careful management as even if a subject discussed is not classed as sensitive, the individual is likely to be identifiable – this can be managed depending on how the data is recorded:

  1. A video recording will be the most identifiable and hence most sensitive data, which will require the highest level of protection.

  2. An audio recording will still contain the voice of an individual (unless disguised) so even if they do not disclose any identifying information such as their name, it is still classed as sensitive data because their voice is an identifying characteristic.

  3. A transcript of an interview is the safest way to store data as it can be anonymised by removing identifying information or replacing it with pseudonyms - see section on 'Medical data' above for guidance on where to store the identifying information, which must not be in the RDS. The UK Data Service provides guidance and tools for anonymising data. However, there may be occasions when the tone of the voice used is important and data can be lost when transcribed, e.g. in Psychology.
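The pseudonymisation described under 'Medical data' and in item 3 above, shown as an added example (not University or BEAR code): each person is given a random code, every alias in the transcript is replaced by that code, and the code-to-identity key is returned separately so it can be kept on a different storage system. The function names, code format and sample transcript are assumptions constructed for illustration.

```python
import re
import secrets

# Constructed sample transcript and alias list (not real data).
TRANSCRIPT = (
    "Interviewer: Thanks for joining, Jane.\n"
    "Jane Smith: I worked with Dr Patel at the clinic.\n"
    "Interviewer: Did Patel know about it, Ms Smith?\n"
)
PEOPLE = {  # real identity -> every form it takes in the transcript
    "Jane Smith": ["Jane Smith", "Ms Smith", "Jane"],
    "Dr Anil Patel": ["Dr Patel", "Patel"],
}

def pseudonymise(text, people, key=None):
    """Return (clean_text, key); key maps pseudonym code -> real identity."""
    key = dict(key or {})  # reuse an existing key across transcripts
    code_for = {identity: code for code, identity in key.items()}
    pairs = []
    for identity, aliases in people.items():
        if identity not in code_for:
            # Random code, not a hash of the name: a hash could be reversed
            # by hashing a list of candidate names.
            code = "P-" + secrets.token_hex(4).upper()
            while code in key:
                code = "P-" + secrets.token_hex(4).upper()
            key[code] = identity
            code_for[identity] = code
        pairs += [(alias, code_for[identity]) for alias in aliases]
    # Longest alias first so "Jane Smith" is replaced before "Jane".
    for alias, code in sorted(pairs, key=lambda p: len(p[0]), reverse=True):
        pattern = r"\b" + re.escape(alias) + r"\b"
        text = re.sub(pattern, f"[{code}]", text, flags=re.IGNORECASE)
    return text, key

def residual_identifiers(text, people):
    """Aliases still present in text; should be empty before storage."""
    return sorted(
        alias for aliases in people.values() for alias in aliases
        if re.search(r"\b" + re.escape(alias) + r"\b", text, re.IGNORECASE)
    )

if __name__ == "__main__":
    clean, key = pseudonymise(TRANSCRIPT, PEOPLE)
    assert residual_identifiers(clean, PEOPLE) == []
    print(clean)                        # stored with the research data
    print(len(key), "key entries")      # the key is stored separately
```

The alias list only catches names you already know about; indirect identifiers such as job titles, places or rare events still need a manual read-through of the transcript.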

Storage of sensitive data on BEAR

The Birmingham Environment for Academic Services (BEAR) is managed by Advanced Research Computing and amongst other things, provides resilient data storage holding research data in University data centres on campus. The service includes routine backup across multiple data centres for disaster recovery purposes. The data stored in BEAR is not encrypted so if you wish to store sensitive data then there are some considerations to be made (see 'Risk assessment of data encryption' below).

Which University of Birmingham storage should I use for my research data?

The University of Birmingham provides secure storage for valuable research data in the BEAR Research Data Store. The data is secure because:

  1. Access to the data is controlled by the Principal Investigator/Supervisor of the project or a designated Data Manager only;
  2. The data can only be accessed on campus or through the two-factor authentication remote access service (see https://kb.bham.ac.uk/KB13628).

However, there may be times when it is appropriate and necessary to send sensitive research data to external collaborators, e.g. to get interviews transcribed. In this case we would advise encrypting or at least password-protecting your data before uploading it and sharing it using OneDrive via the University's Microsoft 365 service - see the M365 Hub for more information including the User Guidance. For use cases on sharing research data, see our KB article on 'Where should I store my research data' (UoB login required).

When shouldn't I use BEAR storage?

When handling personal sensitive data, follow any guidance provided by your funder or any organisations that you are working with and any procedures agreed in the Ethics application for the project. You can also get advice from your local College IT Services team.

Please note: BEAR storage cannot be used for NHS clinical data.

Research Data Matrix

We have compiled some detailed examples and guidance on what can and cannot be stored on BEAR storage in collaboration with the Legal Office, Research Governance and Ethics - see our Research Data Matrix.

Risk assessment of data encryption

The University provides guidance and policies on the use of encryption products on their IT policy and procedures webpage: https://collaborate.bham.ac.uk/it/itas/Published/Guidelines/Guidelines%20-%20Encryption%20Products.pdf (University login required)

If data encryption is not required by your Research Council or commercial funder, you may still choose to encrypt it if it is important to keep the data confidential.

Before you decide whether to encrypt your data, there are some risks to be aware of:

  1. If the owner of the data loses the decryption key or password, then the data will be lost and cannot be restored from backups.
  2. The encryption product used can affect how secure the data is.
  3. Consider continuity of data access by securing a backup or escrow key (where an authorised third party can access the decryption key under certain circumstances). Please consult Legal Services for more information.
  4. When data is stored on any central system without encryption, it is possible for system administrators in IT Services to access your data. However, misuse of data or unauthorised disclosure would be a breach of contract and subject to University disciplinary procedures, therefore this risk is generally considered to be very low.

Some encryption products can be installed via the ‘My Apps’ link on your desktop (Windows only). If you are unsure which encryption product to choose after reviewing the online guidance from IT Services, then talk to your local College IT Services team.

Data Retention and Deletion Policies for BEAR services

Your funder or collaborating external organisations may require defined retention periods for sensitive data. You can find information on the Data Retention and Deletion policies for BEAR services here.