Working with sensitive data

If you work with personal data or commercially-sensitive data, you will need to ensure that you manage this research data securely and adhere to any relevant data protection legislation or contractual obligations to protect this data.

On this page, you’ll find basic guidance and links to further guidance on storing sensitive data, controlling access to sensitive data, encrypting sensitive data, anonymising sensitive data, transferring sensitive data, and disposing of sensitive data.

Key information

The University’s Data Protection Officer is Elaine McMillan ()

The University’s Senior Information Risk Owner is Ian Wilmot (University Secretary & Chief Operating Officer)

The University’s ISO registration number is Z8450604

You can find further information on the University’s personal data protection policy and personal data handling principles on the personal data protection webpages.

Storing sensitive data

The University has identified four information categories (intranet login to access) which determine where you should store your data. Special category personal information (as defined by law) and commercially sensitive data are classified as Highly Confidential and must only be stored on OneDrive and Sharepoint. You must not use your personal Google Drive to store sensitive data.

You can now share files with external colleagues at Trusted Partner organisations via OneDrive and SharePoint. Trusted Partners include every educational institution with a domain ending in 'ac.uk'. If your collaborator is at a commercial or other type of organisation that does not fit into the ‘ac.uk’ environment, you’ll need to create a request for Trusted Partner status to be allocated before you can share data with external partners. To find out how to complete a request for an organisation you work with regularly, see Trusted Partners – improving collaboration (staff login required).

If you have to use external storage providers, perhaps because of conditions imposed by external collaborators, you must only use those which provide the following security measures:

  • The data is encrypted in transit between your local network and the external storage, for example, by using protocols such as HTTPS or SFTP.
  • The data is encrypted at rest in the remote storage.
  • The data is stored only in data centres operating in jurisdictions which provide the same level of privacy and data protection as the European Economic Area, or that are contractually bound by EU data protection rules.

If you need to share confidential data with external collaborators, a solution must be agreed in consultation with the Information Compliance Team. Log a ticket with the Service Desk outlining your requirements to access additional support.

Controlling access

In many cases, you may wish to restrict access to your data to a specific list of individuals. You can find guidance on how to set access permissions at file and folder level in OneDrive and SharePoint on the Microsoft Office 365 support pages.

Encrypting sensitive data

You may wish to encrypt data in your storage space, if you have highly confidential information which requires additional security controls or measures.

Encryption is the process of transforming data so that only those with the correct decryption key or password are able to read it. The strength of encryption refers to how difficult it would be for an attacker to decrypt the data without knowing the key in advance, and this depends on both the method and the key used.

The tool you use for encryption should inform you of the method it will use and may give you a choice. The Information Commissioner's Office currently recommends using the AES-128 or AES-256 encryption methods, of which the latter is stronger.

Whenever an encryption tool derives its key from a password you set, the password is the weakest link, so be sure to use a strong one.

You can find further guidance on data encryption at the UK Data Service.

Anonymisation

Anonymising or pseudonymising data provides an additional level of security that mitigates the accidental release of personally sensitive information. Anonymised data should have both direct identifiers (names, addresses) and indirect identifiers (workplace, age) removed or generalised, so that the remaining fields cannot be combined to reveal an individual’s identity.
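As an added illustration, not part of the University's or the UK Data Service's guidance, the Python script below applies these steps to a constructed survey export: direct identifiers are dropped, the participant ID is replaced with a keyed pseudonym whose secret is kept apart from the data, indirect identifiers are generalised, and a final check reports the smallest group of rows sharing the same combination of indirect identifiers. The column names, the workplace-to-sector mapping and the sample rows are assumptions made for the example.

```python
import csv
import hashlib
import hmac
import io
from collections import Counter

# Constructed sample survey export (not real participant data).
RAW_CSV = """participant_id,name,email,workplace,age,response
P001,Alice Example,alice@example.org,Westminster City Council,34,agree
P002,Bob Sample,bob@example.net,Westminster City Council,37,disagree
P003,Carol Demo,carol@example.com,Example Hospital Trust,52,agree
P004,Dan Test,dan@example.org,Example Hospital Trust,58,neutral
"""
DIRECT_IDENTIFIERS = ("name", "email")    # removed entirely
QUASI_IDENTIFIERS = ("workplace", "age")  # indirect identifiers: generalised
# Assumed (hypothetical) mapping from named workplaces to broad sectors.
WORKPLACE_SECTOR = {"Westminster City Council": "local government",
                    "Example Hospital Trust": "healthcare"}

def read_rows(raw_csv: str) -> list:
    return list(csv.DictReader(io.StringIO(raw_csv)))

def age_band(age: str) -> str:
    """Generalise an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    low = int(age) // 10 * 10
    return f"{low}-{low + 9}"

def pseudonym(participant_id: str, linkage_secret: bytes) -> str:
    """Keyed hash of the original ID; the secret is the linkage key and is stored separately."""
    return hmac.new(linkage_secret, participant_id.encode(), hashlib.sha256).hexdigest()[:12]

def anonymise(raw_csv: str, linkage_secret: bytes) -> list:
    """Drop direct identifiers, pseudonymise the ID and generalise indirect identifiers."""
    out = []
    for row in read_rows(raw_csv):
        kept = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        kept["participant_id"] = pseudonym(row["participant_id"], linkage_secret)
        kept["workplace"] = WORKPLACE_SECTOR.get(row["workplace"], "other")
        kept["age"] = age_band(row["age"])
        out.append(kept)
    return out

def min_group_size(rows: list, quasi=QUASI_IDENTIFIERS) -> int:
    """Smallest group sharing one combination of indirect identifiers (k in k-anonymity);
    a value of 1 means someone is unique on those fields and could be singled out."""
    counts = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(counts.values())
```

Calling anonymise(RAW_CSV, secret) on the sample data raises the smallest group size from 1 (every exact age is unique) to 2; a real release would set a higher target and generalise further until it is met.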

You can find detailed and extensive guidance on the processes for anonymising qualitative data and anonymising quantitative data, as well as a step-by-step guide to anonymising data at the UK Data Service.

Transferring sensitive data

You may sometimes need to send data to people who don't have access to your secure storage space. Encrypting a file before you send it via an insecure means such as email ensures that the contents can only be read by someone who has the key.

Download our step-by-step guide to activate encryption for emails containing sensitive or confidential information using Outlook and Windows 10 (staff login required).

Data can also be transferred on removable media, such as an external hard drive, by a secure courier. The courier to be used should be agreed on and trusted by both parties. The data should be encrypted on the drive and the password sent separately, by a different channel from the drive itself.

Disposing of sensitive data

You should ensure that you dispose of sensitive data securely. For example, if you have collected personal data, you should ensure that your methods of disposal provide adequate protection for the identity of participants.

Furthermore, you might be required to demonstrate that you have complied with any requirements to destroy third-party data in accordance with their terms of use.

Read our guidance on disposing of hardware and data (intranet login to access) and find further information on data disposal at the UK Data Service.

You should also familiarise yourself with the University of Westminster Records Management Policy.

More information

If you are collecting or using research data about individuals, you should read the University’s Code of Practice for the Ethical Conduct of Research.

The Information Security and Compliance team have written guidance on protecting your data (staff login required) and handling and storing work-related information.

You should also familiarise yourself with the University’s IT Policies (staff login required) and read our guidance on working safely online.

You can find further guidance on working with sensitive research data at the UK Data Service.

Contact us

For further guidance and support, contact the Research Data Management Officer at .