Storing sensitive and personal data
What are sensitive and personal data?
Sensitive data can refer to:
- any data that could be used to identify an individual, also termed personal data (see below);
- confidential data, including commercially sensitive data produced under a restrictive commercial funding agreement;
- ecological or environmental data, the release of which may have an adverse effect on rare or endangered species of plants or animals;
- data that, if released, is likely to cause harm to any individual or community, or will have significant negative public impact.
This is not a comprehensive definition and other kinds of research data may also be considered sensitive. You, as a researcher, should exercise your judgement as to whether your research data should be considered sensitive.
Personal data is defined by the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) as data and information that relates to a living individual and could be used, either on its own or alongside other data, to identify them.
Special category personal data is defined as data containing information about an individual’s:
- Physical or mental health
- Genetic or biometric information
- Racial or ethnic origin
- Religious beliefs or other beliefs of a similar nature
- Political opinions
- Membership of a trade union
- Sex life
If your data falls under any of the above definitions then you need to carefully consider how you will store and manage access to it.
How to store sensitive and personal data
It is highly recommended that sensitive and personal data are kept within the College data storage infrastructure. This kind of data should not be stored on external commercial cloud-based platforms such as Google Drive, Dropbox, iCloud and Amazon Drive. Data that contains personal or sensitive information should be treated with higher levels of security than non-sensitive data.
- Copies of sensitive or personal data should be stored in a separate location from the original and kept to a minimum in order to reduce risk of disclosure or unauthorised access. Ideally this would involve just a master copy and a single backup.
- Any sensitive data stored on a portable or personal device should be password or passcode protected and securely encrypted. This includes data held on USB drives, external hard drives, laptops, desktop computers, smart phones, tablets and external servers.
- Personal devices holding sensitive data should be kept in a secure location overnight and securely encrypted.
- Access to devices, files or servers containing sensitive or personal data should be responsibly managed and regularly reviewed.
- The GDPR does not apply to anonymised data so, where possible, personal data should be anonymised and any identifying information such as a key kept securely in a separate location.
- A plan for the timely and necessary deletion of personal information should be put together at the start of any project and included in your data management plan. Imperial ICT can be consulted about methods for ensuring permanent deletion of sensitive information.
- Do not collect and store unnecessary sensitive or personal information.
For more information see the Imperial ICT webpage on protecting sensitive information. For information on the GDPR and research data visit the Information Governance webpage on personal data. For any queries please email email@example.com