If you are working with sensitive data - personal and special category data, commercially, politically, environmentally or socially sensitive data - you will need to take extra care. Sensitive data is commonly subject to legal and ethical obligations that impose restrictions on how it is accessed, used and handled. It often can't simply be shared and made openly available.
Sensitive data is classified as 'confidential' under the University's information classification and handling scheme.
Watch a recording of a webinar on anonymisation techniques.
It's designed to equip researchers with the essential knowledge and skills to navigate the complexities of data anonymisation.
The University has identified four information categories which determine where you should store the data you are working with. Sensitive data is classified as 'confidential' and must be stored using University IT facilities (University filestore, University cloud storage - Google Drive). You must not use your personal accounts for external cloud services (e.g. Google Drive) to store sensitive data.
You must ensure that any sensitive data is only accessible to those who need it. Shared filestore is provided by IT Services if you need to share a working area with a number of colleagues. You must be familiar with Google Drive settings and options for file/folder sharing if you store sensitive data in your University Google Drive.
The University requires that any device that holds sensitive or confidential information is encrypted. You do not need to encrypt data stored on a University filestore or Google Drive. However, if you are sharing sensitive data stored on Google Drive with external users it must be encrypted first.
You should contact IT Support if you require assistance storing or managing access to sensitive data.
The University provides guidance on:
You should adopt the practice of sharing rather than sending sensitive data to collaborators, by pointing or linking to documents / files / folders.
If it becomes necessary to send sensitive data outside of a shared filestore or Google Drive (e.g. via email, the DropOff Service) files must be encrypted beforehand. Encrypting a file before you send it ensures that the contents can only be read by someone who has the key/password. The encryption key/password must be transmitted to the recipient by a different method from the one used for the encrypted file, e.g. if you send an encrypted file via email you can tell the password to the recipient over the phone.
The DropOff Service is the preferred method of transmitting any data in and out of the University. You must not transfer sensitive data using any non-University supported cloud services (e.g. Dropbox, personal Google Drive, OneDrive), which do not meet information security and Data Protection requirements.
You must follow the data sharing guidance provided by Data Protection before sharing personal / special category data with a third party (e.g. external collaborators).
The University provides:
You must ensure that you dispose of sensitive data safely and securely. The more sensitive the data is, the greater the level of security required.
The University's Records Management Guide on disposing of information provides guidance.
Further advice and support on the disposal of digital data is available from IT Services, email itsupport@york.ac.uk.
Informed consent and restricting access should be considered alongside anonymisation. When these strategies are employed, even sensitive data can be shared safely.
The University of Bristol provides useful guidance to inform researchers about the process of sharing research data which concerns human participants, for use by third parties.
Anonymisation and pseudonymisation are techniques used to edit personal data in order to eliminate or reduce the possibility of individuals being identifiable.
Both processes involve editing direct and indirect personal identifiers.
Once data is truly anonymised and individuals are no longer identifiable, the data is not personal data and data protection law does not apply. However, true anonymisation is often difficult to achieve and could limit the data's reuse potential/value. Before anonymising data you should consider the future use of your data; this is best planned for at the start of your project.
The UK Data Service provides guidance on anonymising qualitative data and quantitative data, and a step-by-step guide to anonymising data.
The Information Commissioner's Office code of conduct on anonymisation [PDF] suggests applying a ‘motivated intruder’ test for ensuring the adequacy of de-identification techniques.
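As an added illustration of the distinction drawn above between direct and indirect identifiers (this is example code written for this page, not the UK Data Service's or the ICO's own procedure), the following Python script pseudonymises a set of constructed participant records and then applies a simple k-anonymity count as a rough proxy for the 'motivated intruder' question: can any record be singled out on its remaining indirect identifiers? The key, the reference year, the records and the field names are all assumptions made up for the example. Direct identifiers are replaced with a keyed HMAC token (so a guessed email address cannot be turned back into the token without the key, which must be stored separately from the released data) and indirect identifiers are generalised rather than removed, preserving some reuse value.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (no real participants); the raw form holds
# direct identifiers (name, email) and indirect ones (dob, full postcode).
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "dob": "1987-03-14",
     "postcode": "YO10 5DD", "condition": "asthma"},
    {"name": "Bob Example", "email": "Bob@Example.org", "dob": "1985-11-02",
     "postcode": "YO10 5DD", "condition": "none"},
    {"name": "Carol Example", "email": "carol@example.org", "dob": "1962-07-21",
     "postcode": "YO1 7EP", "condition": "diabetes"},
    {"name": "Dan Example", "email": "dan@example.org", "dob": "1960-01-30",
     "postcode": "YO1 7EP", "condition": "none"},
]

# Hypothetical pseudonymisation key. It is the link back to the individual and
# belongs in the confidential store, never alongside the released data.
PSEUDONYM_KEY = b"constructed-example-key-keep-separately"

# Constructed reference year for the age calculation below.
REFERENCE_YEAR = 2024

# The indirect identifiers that remain in the released data.
QUASI_IDENTIFIERS = ("age_band", "postcode_area")


def pseudonym(direct_identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for a direct identifier.

    Unlike a plain hash, someone who can guess the input (an email address,
    say) cannot recompute the token without the key. The same key maps the
    same person to the same token, so records can still be linked within a study.
    """
    normalised = direct_identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def age_band(dob: str, reference_year: int = REFERENCE_YEAR) -> str:
    """Generalise a date of birth to a ten-year age band, e.g. '30-39'."""
    age = reference_year - int(dob[:4])
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def postcode_area(postcode: str) -> str:
    """Keep only the outward code ('YO10 5DD' -> 'YO10'); the inward part
    narrows an address down to a handful of properties."""
    return postcode.split()[0].upper()


def pseudonymise(record: dict, key: bytes, reference_year: int = REFERENCE_YEAR) -> dict:
    """Drop direct identifiers, replace them with a keyed token, and
    generalise the indirect identifiers."""
    return {
        "pid": pseudonym(record["email"], key),
        "age_band": age_band(record["dob"], reference_year),
        "postcode_area": postcode_area(record["postcode"]),
        "condition": record["condition"],
    }


def k_anonymity(records: list, quasi_identifiers=QUASI_IDENTIFIERS) -> int:
    """Smallest group size sharing the same quasi-identifier values.

    A value of 1 means at least one record is unique on its quasi-identifiers,
    the kind of record an intruder with background knowledge could single out;
    a larger k means more generalisation has been applied.
    """
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


def release_dataset(records=RAW_RECORDS, key=PSEUDONYM_KEY,
                    reference_year=REFERENCE_YEAR) -> list:
    """Produce the pseudonymised, generalised version of a record set."""
    return [pseudonymise(r, key, reference_year) for r in records]


if __name__ == "__main__":
    released = release_dataset()
    for row in released:
        print(row)
    print("k-anonymity over", QUASI_IDENTIFIERS, "=", k_anonymity(released))
```

On the constructed records the released data reaches k = 2; adding a single participant whose age band and postcode area match no one else drops it to 1, which is the signal that further generalisation (wider bands, a coarser area) or suppression is needed before the data could be treated as safe to share. The generalisation choices here (ten-year bands, outward postcode) are illustrative; the UK Data Service guides linked above cover how to choose them for a given dataset.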
"For research or further activity drawing on research involving humans (including participation, observation and/or data), the default position is that informed written consent is required from those involved and/or their representatives." - Code of practice and principles for good ethical governance, 2.3
Informed consent is widely accepted as the cornerstone of ethical practice for research involving human participants or personal data. It entails providing participants with clear information about the purpose of the study, what their participation will involve and how their data will be used, during research (e.g. where data will be stored and who will have access to it) and in the long term.
To facilitate future data sharing and reuse, participants need (as far as possible) to give specific consent if data is going to be archived and shared. A section on data sharing should be included and then explained to participants or those involved. Participation in the study should not be subject to agreement to data sharing.
Personal data should never be shared with a third party without the valid consent of the person to whom the data relates.
The UK Data Service provides extensive guidance on consent for data sharing, which includes examples of gaining consent in different scenarios and example consent forms.
The University provides guidance on:
Where it may not be possible to share sensitive data openly, it may be possible to share it safely if appropriate restrictions on access and use are applied.
You can find further guidance on the restricting access to sensitive data page.
Some data repositories provide a facility to allow restricted or controlled access to sensitive data. For example:
ReShare, the online repository of the UK Data Service (UKDS), has safeguarded access. Safeguarded data requires users to be registered with the UKDS and to accept their End User Licence; this licence establishes the terms and conditions under which secondary research can make use of the data.
To identify repositories that provide restricted access:
If your research involves working with people, be it through surveys, interviews, trials, experiments, focus groups or other methods, then it is important to know the legal and ethical obligations you have towards your research participants. Ethical guidelines issued by funders and the University cover how you can create and store data. In addition, statutory requirements such as the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 govern the processing of personal data.
University guidance: The Data Protection web pages provide guidance, procedures and policy to assist with the implementation of the GDPR and the Data Protection Act. Guidance on GDPR compliant research is included, setting out the key issues to consider when planning and delivering a research project involving personal data.
Guidelines for the use of social media data in research explores five of the most prominent issues noted in social media research: legal considerations, duty of care, data integrity and management, privacy, and consent.
Contact: dataprotection@york.ac.uk
The management of sensitive data has ethical as well as legal implications. The core principle underpinning the University's Code of practice and principles for good ethical governance is the avoidance of harm. This includes harm to the welfare and interests of human participants (whether participating actively or through observation/use of their data) and harm to the welfare and interests of the wider community.
Two key considerations when managing your research data are to ensure:
Your funder and/or your professional body may also have requirements and/or guidance relating to the ethical management of research data, which you will need to take into account when addressing the above considerations.
University guidance: The research integrity and ethics web pages and the codes of practice set out the University’s framework for high quality and robust practice across the full research process.
Contact: Your Research Ethics Committee
The Freedom of Information Act and Environmental Information Regulations provide members of the public with a general right of access to the recorded information held by the University. The legislation works to promote openness across the public sector. So you could be required to release information about your research based on FOI and EIR requests.
University guidance: The Freedom of Information web pages provide information to help you understand the FoI Act and the University’s approach.
Contact: foi@york.ac.uk