It is good practice to plan your data management strategy prior to commencing data collection as it will help to ensure that all members of the research team are aware of the procedures and therefore are able to follow them.
The Research Data Management webpages provide extensive information, advice and how-to guides on planning and managing research data, such as how to write data management plans and costing requirements, advice on storing data including available options, handling sensitive personal data, and sharing data as well as advice on funder requirements.
The Digital Curation Centre is a very useful source of guidance on the storage, management, protection and sharing of digital research data. It also includes case studies, training materials, how-to guides, checklists and tools such as the data management plan to better enable researchers to plan and manage digital research data. There is also guidance on the data requirements of various funders.
The following are questions for you to consider. In addition, the UK Data Service has useful, easy to follow guidance on data management, including the data life-cycle.
- Who is responsible for the data?
Will UCL be classed as the Data Controller, a Data Processor or will UCL be a joint Data Controller together with another institution?
- Is the data being collected and analysed by UCL?
- Is the data being collected by UCL on behalf of another institution who will conduct the analysis?
- Will the data be analysed and shared between UCL and another institution equally?
Who is taking responsibility for the data?
- Who will be responsible for the collection, processing, storage and archiving/destruction of the data? NB: This could be multiple individuals.
- Will the data by processed in multiple institutions? If so, is this documented?
The UCL Research Data Policy sets out the responsibilities of all members of UCL to guide researchers and students in how to manage research data.
- What data do you intend to collect?
Consider the following questions:
- Is any of the data classed as personal or special category personal data under the Data Protection Legislation (2018)?
- What data should be treated as confidential, even within the research team?
- Can you or others potentially identify individuals from the data such as through images, names, etc or is it completely anonymous?
- Does the data come with conditions attached; such as conditions placed on pre-collected archive data, or conditions set through legislation such as the Data Protection Legislation (2018)?
- Are you seeking to access personal from the NHS? (See guidance on Section 251 exemptions below.)
- How and in what formats will the data be collected?
The UCL Information Security Policy has a guidance document on the Classification of information held by UCL personnel, for security management purposes which is designed to assist UCL researchers in protecting electronic data they are responsible for.
- Good Record Management
It is good practice to keep track of what data you have, what format, where it is stored, whether it has limited access, and when (if at all) it will destroyed. It is important as well to ensure that if members of the research team leave UCL that data is still accounted for, which may mean that responsibility of the data moves to someone else.
The UCL Records Office provides some very useful advice on records management including information on UCL's Retention schedule and guidance on storing, transferring and disposing of paper records, managing electronic records and protecting information for both staff and students.
Consider the following questions:
- In what formats will the data be stored; cabinets, draws, work/home computers, portable devices?
- Will some data be stored in multiple formats, for example having both audio files and transcripts of interviews?
- Should some data be kept separate? Are the participants contact details and consent forms stored away from their anonymised data?
- Will data be archived (in part or fully)? Will it be made available to other researchers?
- What consents were gained from participants; did all participants agree to their data being made available to other researchers in an archive or just some?
- Will the data to be stored, shared or published be done so in an identifiable form? Will it be anonymised or anonymous?
- Will or should any data be destroyed at the end of the study?
Researchers will find the Information Commissioner's Office's Anonymisation: managing data protection risk code of practice helpful when identifying issues relating to ensuring effective anonymisation of personal data, including the 'motivated intruder test' (page 22).
- Data security and sharing
Taking into account the type of data being held, how this will be sorted, shared and accessed, how will you ensure the safety and security of the data?
Consider the following questions:
- Where will data be sent? Will it be kept within the European Economic Area (EEA)?
- How will you be sharing or transporting the data?
- Emails; does the data need to be sent via email? Are the emails encrypted? Emails can be intercepted or compromised and so should be used with care when sending data.
- Data sharing sites; are you using a UCL approved site or an unsecure site such as DropBox?
- Portable devices; are the devices password protected? Are the files encrypted (see UCL guidance on encryption)
- How will you prevent accidental disclosure - e.g. by encryption of data on laptops, not taking printed confidential materials out of premises, storing files in locked cabinets in locked rooms, not carrying sensitive personal data on portable devices?
For more information see the Information Security webpage.
UCL Research IT Services
UCL Research IT Services offer support activities throughout the research life-cycle including safe data storage, custom software development, high performance computing, research management and Open Science services.
Section 251 Exemptions and SLMS Data Safe Haven
Section 251 was established to enable the disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available. Applications for data via section 251 are made to the Confidentiality Advisory Group (CAG), which is part of the Health Research Authority (HRA).
All new and existing CAG applicants for data via section 251 are required to provide IG assurances using the HSCIC's IG Toolkit, demonstrating a satisfactory level of compliance. The SLMS Data Safe Haven is designed to provide much of the assurance required for a satisfactory IG Toolkit score and IT for SLMS can offer researchers support in submitting an IG Toolkit for their study.
UCL researchers in SLMS collecting and using personally identifiable information are advised to use the data safe haven to satisfy data security requirements or else use an alternative encrypted solution, such as encrypted memory sticks in the transfer of this data. Security of the intended storage of personal identifiable data will play an increased part of the data protection registration process.
Full information on the SLMS Data Safe Haven can be found on the IT SLMS Handling Sensitive Data webpage. For researchers in SLMS intending to use the SLMS Data Safe Haven you will need to complete the approved training on data security.