York St John University

Policy on safeguarding research data

1. Objective

This policy is intended to set out the responsibilities of York St John University (YSJU) staff and research students to safeguard research data. Staff and research students need to ensure that they:

  • Take responsible ownership of all research data that they generate.
  • Follow legal, regulatory and compliance needs.
  • Ensure the maximum possible security and confidentiality of research data and that personal, confidential or sensitive data is not disclosed to unauthorised recipients.
  • Ensure the integrity of research data.
  • Ensure the appropriate availability of data.

2. Definitions

Personal, confidential and sensitive data have been defined by the UK Data Archive as follows:

Personal data

Personal data are data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller. This includes any other person in respect of the individual (Data Protection Act 1998).

Confidential data

Confidential data are data given in confidence or data agreed to be kept confidential, i.e. secret, between two parties, that are not in the public domain such as information on business, income, health, medical details and political opinion. However, it should be remembered that we cannot guarantee confidentiality, as there may, on certain occasions, be an overriding duty or legal requirement to disclose data.

Sensitive personal data

Sensitive personal data are defined in the Data Protection Act 1998 as data on a person’s race, ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, commission or alleged commission of an offence, proceedings for an offence (alleged to have been) committed, disposal of such proceedings or the sentence of any court in such proceedings[1].

3. Principles of safeguarding research data

York St John University (YSJU) is committed to:

A) Protecting the privacy and confidentiality of personal, confidential and sensitive data collected in the course of research. The University’s Data Controller is the Registrar and Secretary to the Governing Body. Where an individual feels that the rules of data protection have been compromised they should contact the Data Controller.

B) Ensuring the ethical conduct of research and data collection. For details of YSJU’s research ethics guidelines and process for research ethics approval see:

C) Maintaining the data security of research data. The University of Edinburgh defines data security for research data as ‘the means of ensuring that data are kept safe from corruption and that access is suitably controlled.’ Here at YSJU data security is important to prevent:

  • Accidental or malicious damage/modification to data
  • Theft of data
  • Breaches of confidentiality

4. Policy on safeguarding research data

It is University policy that research data will be safeguarded by all researchers, by:

  • Protecting the privacy and confidentiality of personal, confidential and sensitive data collected in the course of their research.
  • Conducting their research in accordance with YSJU’s research ethics guidelines and process for research ethics approval.
  • Never being dependent on a sole copy of data - this can be lost, stolen or corrupted.
  • Always having up-to-date anti-virus software installed on home computers or laptops.
  • Ensuring that personal data from research participants is kept to a minimum and stored securely.
  • Ensuring that electronic data is encrypted when it is transported.
  • Making sure that data is regularly backed up.
  • Where possible, all electronically stored data on the University network relating to research participants, should be anonymised or pseudonymised in respect of personal details or identifiers. Where portable electronic storage devices are being used (e.g. external hard disks or USB devices) the expectation for anonymised or pseudonymised data still applies. Encryption and/or password protection, on all external storage devices, is considered good practice, subject to external funding body requirements.
  • Ensuring the physical security of computers, portable devices and paper based data.

For further guidance on the implementation of this policy see the University guidelines on safeguarding research data.

5. Personal responsibility

Any adverse consequences of a failure to comply with this policy may be regarded as a prima facie disciplinary offence for staff or students. Staff or students who fail to comply with the law may be personally liable for the consequences of their actions.

York St John University guidelines on safeguarding research data

1. Objective

These guidelines are intended to support and inform the application of the University Policy on safeguarding research data.

2. Ethics

For details of YSJU’s research ethics guidelines and process for research ethics approval see: Under a framework of delegated authority the majority of research ethics proposals are considered by Faculty Research Ethics Committees. The University Research Ethics Sub Committee deals with proposals which either cannot be approved at Faculty level or which involve University-wide research. Prior to preparing a proposal for research ethics approval you should consult the above guidelines and submit your proposal accordingly.

In all research, personal, confidential or sensitive data collected from research subjects (e.g. identities of participants in experiments, fitness data from lab tests, opinions in interviews or questionnaires) in the course of research will be used for the purposes stated in the informed consent form and, if appropriate, will be anonymised in research outputs. Disclosure of personal data to a third party will only occur with the express permission of the research subject, unless YSJU has a statutory/legal obligation to disclose the information or it is necessary to protect the vital interests of the individual (e.g. where disclosing the data is required to fulfil a medical emergency).

3. Data Security

Always have up-to-date anti-virus software installed on any home computers or laptops used for research. YSJU IT Services will install anti-virus software on University networked PCs and University laptops.

For further guidance on data security see page 19-20 of

4. Data storage

Throughout the course of your research you must ensure that all research data is stored securely irrespective of the format.

Electronic data can be saved on:

  • Networked drives (e.g. the YSJU ‘My Docs’ drive)
  • Personal computers and mobile computing IT devices including laptops, netbooks, tablets and smart phones
  • Digital audio and video data recorder
  • External storage devices (e.g. external hard drives, USB flash drives, CDs, DVDs)
  • Remote online backup services (e.g. Dropbox).

It is strongly recommended that research data is regularly saved on the YSJU networked drive ‘My Docs’. This is backed up by YSJU IT Services and provides dependable secure long-term storage. This is the only guaranteed storage. Computer hard drives, personal PCs, laptops and external storage devices can be very useful for storing data temporarily and/or transporting it, but these can be vulnerable to failure, damage, loss or theft. Data saved on YSJU computer hard drives, including those in the Graduate Centre, is not secure and these must not be used to store personal data or sensitive information. Personal PCs or laptops can be useful for temporarily storing personal data or sensitive information, but this must be password protected or encrypted to ensure confidentiality. External storage devices are an attractive storage option, but errors writing to CDs or DVDs, or corruption or degradation of data, are not uncommon. USB flash drive ‘memory sticks’ are to be preferred as an external storage device and are particularly useful for working data, but even these can fail or be lost.

Ensure the physical security of computers, portable devices and paper based data. A computer that is not connected to a network is still vulnerable to theft and malicious damage/modification to data.

Any paper based personal data or sensitive information (e.g. completed questionnaires) must be stored securely in a secure, lockable cabinet and treated with appropriate levels of confidentiality. Examples would include a Graduate Centre locker and/or a lockable desk drawer at home.

In some cases, for example research within the NHS, different guidance on the storage of data may be relevant. In these cases, the most stringent of the alternative guidelines should be adopted. It is recognised that these may include the use of an NHS or other secure server or storage facility etc. Provided that these alternative facilities offer at least an equivalent level of data security to the YSJU guidance given above, they may be used.

It is recognised that Departments/Faculties may maintain research data relating to work being carried out by staff and/or students. Where this is the case it is a requirement that these are held in a secure, lockable cabinet and treated with appropriate levels of confidentiality. Electronic data being stored within YSJU should be password protected or encrypted. Responsibility for recording the storage of data, and ensuring its timely and secure disposal, rests with the individual, department or Faculty storing the data.

For further guidance on data storage see page 18 of

5. Working away from YSJU and transporting research data

The seventh principle of the Data Protection Act (1998) requires that ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’. It is recognised that some research has to be carried out away from the University. This could take the form of using home computers, laptops, mobile devices and could encompass saving files on portable storage devices, such as USB Flash drives, separate hard drives, DVDs or CD-Roms. These devices are all potentially vulnerable to theft, loss or corruption. Researchers who collect data remotely should save multiple copies (for example, on their laptop and on a separate USB flash drive). Any personal data or sensitive information saved or stored on such equipment must be password protected or encrypted (see below for encryption).

6. Back-ups

Throughout the course of your research you must ensure that your research data is backed up regularly, irrespective of the format.

It is strongly recommended that research data is regularly saved on the YSJU networked drive ‘My Docs’ as a ‘master copy’ backup. YSJU ‘My Docs’ is backed up by YSJU IT Services and provides dependable secure long-term storage. This is the only guaranteed storage.

YSJU computer hard drives, personal PCs, laptops and external storage devices are not suitable for use as ‘master copy’ backups.

Research students living away from YSJU may use a remote online back-up service in addition to the YSJU networked drive for a ‘master copy’ backup, but only encrypted services should be used for personal data or sensitive information.

Valuable paper based data can be photocopied and stored in separate locations in place of an electronic back up. Examples could include a Graduate Centre locker and/or a lockable desk drawer at home.

For further guidance on back-ups see page 18 of

7. Data encryption

Confidential or sensitive data such as personal information that is stored and transmitted on portable devices such as laptops should be secured against unauthorised access.

Historically, passwords have been considered sufficient to protect portable devices. However, it is now recommended by the Information Commissioner to “encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen”.

ILS staff will install and configure encryption software on university laptops on request. If you are unsure if the data you need to store or transmit using a portable device should be encrypted in addition to the use of passwords, please contact ILS for further advice.

ILS Services have selected TrueCrypt as the university’s encryption tool. It is open source software and can be used on Windows, Mac and Unix. It can be used to encrypt folders, USB flash drives as well as internal hard drives.

Mac users may wish to use the built-in ‘FileVault’ encryption utility as an alternative to TrueCrypt.

  • You should keep a master copy of any encrypted data on the university network.
  • The TrueCrypt password must not be written down and kept with the portable device as this would be deemed as negligent as not having the data encrypted.
  • You should only take confidential or sensitive data off-site where it is essential.
  • TrueCrypt does not have a password recovery feature. If the password is lost or forgotten it will not be possible to decrypt the data. ILS will keep a copy of the initial TrueCrypt password for a device on file for end-users of University devices but if the password is subsequently changed and ILS are not informed they will not be able to decrypt the data.

Further guidance on encryption can be found here:

8. Managing and Sharing Data

For guidance on the best practice for managing and sharing research data, staff and research students are referred to the UK Data Archive publication Managing and Sharing Data (

9. Data Retention

The aim of this section is to provide a framework for the retention and disposal of research data, which is both sensitive and non-sensitive in its nature.

This section is written with due regard to the principles and guidelines laid out in the Data Protection Act 2008. Where appropriate, reference is made to the retention and disposal of both electronic and paper files.

As a default, research data should not normally be retained beyond the duration of the project that the data was collected for (e.g. duration of a research project or research degree). In certain cases it may be desirable to retain research data for a longer period, e.g. as protection against challenges of falsifying results or legal proceedings. Such data may be retained for six years after collection, based on the six-year time limit within which legal proceedings must be commenced as laid down in the Limitation Act 1980. Faculty Research Ethics Committees or the University Research Ethics Sub Committee can advise on appropriate retention periods. Faculty Research Ethics Committees may make recommendations on appropriate retention periods for subjects covered by their Faculty’s remit. Documents (paper or electronic) retained after the end of a research project for which they were generated must be kept in secure storage within the Faculty or in a site approved by the Faculty Research Ethics Committee (this might include, for example, an NHS server or data storage facility). At the end of the approved retention period they must be securely disposed of.

10. Data Disposal

At YSJU, the Portering Team, based in St Anthony’s House, provide a confidential waste disposal service for paper based data.

ILS Services can dispose of portable storage devices containing digital data, in a secure manner. If you would like guidance on permanent deletion of data please contact the ILS Helpdesk (/01904-876696)

11. Personal responsibility

Any adverse consequences of a failure to comply with this policy may be regarded as a prima facie disciplinary offence for staff or students.

QA Ref: RES17

Maintained by: ADD

New/Updated September 2014

[1] page 23 of