Research data storage outside UWE Bristol

This guidance relates to all circumstances when UWE Bristol data is stored anywhere apart from UWE Bristol premises or on UWE Bristol servers. This includes where a researcher could be based in another institution such as a hospital, or is a visiting fellow at another institution, or where data is collected via an online survey company, or is collected on UWE Bristol's behalf by an external survey organisation.

All research data is an asset of the University, and it is not just personal data which may be confidential or restricted, or valuable. Please refer to the data definitions for further information.

Do

• Make sure that appropriate agreements are in place prior to placing, collecting or storing research data on devices or servers not owned by UWE Bristol.
• Be aware that transferring personal data outside the EEA requires special care if Data Protection law is not to be breached. Take advice from the UWE Bristol Data Protection and Records Management Officer, if required.
• Always contact The Contracts Team or the Data Protection Office ;to arrange the necessary agreements.
• Before entering into any agreement, either orally or in writing, with a third party you must contact the UWE Bristol Contracts team.
• Make sure you are familiar with the provisions of the Data Protection Standard for Research (including GDPR) (PDF).
• Make sure you have sufficient evidence that any data collected on UWE Bristol's behalf is lawful and consistent with UWE Bristol's research ethics and governance requirements.

Don't

• Store any research data on the servers or devices of another organisation (or individual) unless a formal agreement has first been entered into, via The Contracts Team (Intranet access only) governing the security and use of the data.
• Put in a research bid that you will store data on the servers or devices of another organisation without first seeking guidance as to whether this will be acceptable.
• Contravene the conditions you have set out in the Data Privacy notice – if you have only told participants the data will be held on UWE Bristol servers, then that is all you can do with it.
• Ever transfer data outside the EEA without ensuring you are compliant with the law. You may be personally liable.

Agreements

Where UWE Bristol data is collected but is stored at another organisation or on another organisation's server or devices, a formal Agreement will need to be set in place.

Where the data is personal data, this will need to include a Data Processing Agreement (DPA). Such agreements must be signed by an approved UWE Bristol signatory, and can be set in place via The Contracts Team (or the Data Protection Office for 'standard' DPAs).

For personal data, the data subjects (research participants) must also sign a Privacy Notice, which makes the storage arrangements clear.

Online surveys

Online surveys must only be hosted on the Qualtrics systems. UWE Bristol considers this tool to comply with data protection legislation, and the necessary Data Processing Agreements are in place.

If you wish to make a case to use a different tool, please contact the UWE Bristol Data Protection and Records Management Officer (Intranet access only).

For details about how to access these, refer to the online forms and survey tools (Intranet access only).

Personal data outside the European Economic Area (EEA)

In the same way, researchers should only take or send personal data outside the EEA where the individual has consented to this by signing a consent form and has been provided with a Privacy Notice, and a Data Processing Agreement and appropriate security arrangements are in place.

Who should I contact if I'm not sure?

Contact the Data Protection Office for specific data protection issues, questions or concerns and The Contracts team (Intranet access only) in relation to formal Agreements.