Managing sensitive data
What counts as sensitive data?
Sensitive data can refer to:
- any data that could be used to identify an individual, also termed personal data
- confidential data, including commercially sensitive data produced under a restrictive commercial funding agreement
- ecological or environmental data, the release of which may have an adverse effect on rare or endangered species of plants or animals
- data that, if released, is likely to cause harm to any individual or community or will have significant negative public impact.
Tips for managing sensitive data
- Data that contains personal or sensitive information should be treated with higher levels of security than non-sensitive data.
- Copies of personal data should be stored in a separate location from the original and kept to a minimum in order to reduce risk of disclosure or unauthorised access. Ideally this would involve just a master copy and a single backup.
- Any sensitive data stored on a portable or personal device should be password or passcode protected and securely encrypted. This includes data held on USB drives, external hard drives, laptops, desktop computers, smartphones, tablets and external servers.
- Personal devices holding sensitive data should be kept in a secure location overnight and securely encrypted.
- Access to devices, files or servers containing sensitive or personal data should be responsibly managed and regularly reviewed.
- The GDPR does not apply to anonymised data, so where possible personal data should be anonymised, with any identifying information (such as a key linking codes to individuals) kept securely in a separate location.
- A plan for the timely and necessary deletion of personal information should be put together at the start of any project and included in your data management plan. Imperial ICT can be consulted about methods for ensuring permanent deletion of sensitive information.
- Do not collect and store unnecessary sensitive or personal information.
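As an added illustration of the tip above on separating identifying information from the working data (example code written for this page, not an Imperial or ICT-provided tool), the Python below replaces direct identifiers in a small set of constructed research records with keyed tokens. The working dataset keeps only the token plus the analysis fields; the secret key and the token-to-identity link table are the "identifying information" that would be stored in a separate, access-controlled location. All record values, field names and the 32-byte key are assumptions made up for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (hypothetical participants, not real data).
RAW_RECORDS = [
    {"participant_id": "P-001", "email": "a.smith@example.org", "age": 34, "score": 71},
    {"participant_id": "P-002", "email": "b.jones@example.org", "age": 29, "score": 65},
    {"participant_id": "P-001", "email": "a.smith@example.org", "age": 34, "score": 80},
]

# Fields that directly identify a person and must not stay in the working copy.
DIRECT_IDENTIFIERS = ("participant_id", "email")


def make_key() -> bytes:
    """Generate a fresh 256-bit secret; store it apart from the working dataset."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, value: str) -> str:
    """Derive a stable token from an identifier using HMAC-SHA256.

    Without the key, a token cannot be recomputed from a guessed identifier,
    unlike a plain hash of the participant ID.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Split records into (working_dataset, link_table).

    working_dataset: token + non-identifying fields, safe for day-to-day analysis.
    link_table:      token -> direct identifiers, kept with the key in a separate
                     secure location and only consulted when re-identification is
                     genuinely required.
    """
    working = []
    link = {}
    for rec in records:
        token = pseudonym(key, rec["participant_id"])
        link[token] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        analysis_fields = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"token": token, **analysis_fields})
    return working, link


def has_direct_identifiers(records) -> bool:
    """Check a dataset before it is shared or copied: True if any identifier field remains."""
    return any(field in rec for rec in records for field in DIRECT_IDENTIFIERS)


def reidentify(link: dict, token: str):
    """Look a token up in the separately held link table (None if unknown)."""
    return link.get(token)


if __name__ == "__main__":
    key = make_key()
    working, link = pseudonymise(RAW_RECORDS, key)
    print("working dataset:", working)
    print("identifiers remaining:", has_direct_identifiers(working))
    print("link table (store separately):", link)
```

Because the link table and key still allow re-identification, the working copy is pseudonymised rather than truly anonymised; it remains personal data under the GDPR for as long as that key exists, which is why the tips above call for it to be held separately, access-reviewed and deleted on schedule.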
Data protection and the GDPR
For advice on how to manage research data in compliance with the GDPR and UK Data Protection Act visit the Information Governance team’s web pages on GDPR and research data or contact your faculty data protection coordinator.
For advice on managing health data and patient identifiable information visit the Faculty of Medicine’s Information Governance SharePoint site.