Storing research data on removable media and in transit

Do

• Encrypt any personal data on UWE Bristol laptops and portable devices.
• Where research data has been collected ‘in the field’, make sure the data is immediately encrypted and password protected, and uploaded using a secure connection to UWE’s Bristol servers, or uploaded using UWE Bristol's OneDrive, or brought to UWE Bristol to be uploaded, as soon as possible.
• Where data is ‘in transit’ for example on a UWE Bristol laptop, securely store it and ensure no-one else has access to the device.
• Make sure you have appropriate, secure arrangements in place for research data in transit.
• Remember to use only your UWE Bristol email address in connection with UWE Bristol research including in communication with research participants.
• Use encrypted recording devices, and do not share hard drives/Memory cards.

Don’t

• Store or transport confidential or restricted data on a non-UWE Bristol device (It is sometimes permissible in specific circumstances to store research data on a device owned by a third party, such as an NHS Trust, but this must always be governed by an contractual agreement that must be set in place via the UWE Bristol Contracts Team).
• Transport, unencrypted, non-password protected sensitive personal data or unanonymised personal data on UWE Bristol devices outside the University.
• Delay contacting the IT Service Desk if you suspect UWE Bristol data has been lost or compromised.
• Ever share or disclose your UWE Bristol login credentials to anyone.
• Leave UWE Bristol devices, including removable media, containing research data unattended, such as in the boot of a car.
• Ever use Drop box (or other similar Cloud based provision apart from OneDrive) for personal information (or otherwise sensitive or valuable information). This will breach the Data Protection Act and you may be personally responsible for your actions.
• Email confidential or restricted research data to colleagues or external contacts.
• Ever send personal and/or sensitive research data by email. Research data should be shared via OneDrive, or where there is a specific justification, via SharePoint with appropriate rights management turned on.
• Ever use Cloud based storage other than UWE Bristol OneDrive (including DropBox) for confidential or restricted data, including personal data or other sensitive data, or valuable data, which you would not wish to be compromised, or lost.

Encryption

Any UWE Bristol related personal data, including research data, that is held on portable media and all University allocated laptops, must be appropriately encrypted. Non-UWE Bristol devices must not be used to store UWE Bristol personal data, or other confidential or restricted, or otherwise valuable, data.

IT Services provides encryption support for UWE Bristol owned devices. Please contact the IT Service Desk for further assistance or guidance regarding this topic.

It is the researcher’s responsibility to ensure the UWE Bristol device being used to store confidential or restricted data is appropriately encrypted and password protected. In cases of doubt, contact the IT Service Desk.

Transportation of encrypted data must be guided by the Information Security Policies. Researchers should consider very carefully whether it is appropriate to hold research data on a UWE Bristol laptop, or other removable device which is not secured within UWE Bristol.

Storage in transition

Where research data, such as interview data, is collected using a UWE Bristol device, it is important to upload this information to UWE Bristol networked storage using a secure connection as soon as possible.

Research data can be uploaded to the H: or S: Drives using external web access, or UWE Bristol OneDrive can also be used. Researchers should also familiarise themselves with UWE’s Bristol Remote Access Policy.

Where recording devices are used, for example when interviewing research participants, these should be encrypted, and a model chosen which uses removable storage media such as an SD card. Management controls should be in place such that an SD card is only ever accessed by those who have legitimate access to the data (such as one SD card per interviewer or project). SD card access should be recorded (signed in and out and a clear record kept). Once data has been securely uploaded to UWE Bristol servers, the SD card should be inserted into a UWE Bristol computer and formatted, which will delete the encryption keys, then re-encrypted. Each user of the SD card must use a unique password to encrypt the SD card each time they use it, preferably a long phrase or combination of random words - don't re-use UWE Bristol login passwords.

Cloud services

The University’s approved Cloud provision is UWE Bristol OneDrive, and that should always be used where Cloud provision is needed to store confidential and restricted research data, including personal data. This should also be used for research data which is otherwise sensitive. Please refer to the data definitions for further information.

Personal data placed in other Cloud provision (including Dropbox) may cross national boundaries in such a way as to breach the Data Protection Act. In addition, only UWE Bristol OneDrive is backed up by the University, so this is the safest solution to ensure you do not lose valuable research data. UWE Bristol OneDrive (intranet access only) should be used to enable sharing with those outside the University. If this is not possible for any reason please contact the IT Service Desk as to the best approach.

Further information

Researchers may be personally liable for any breach in data security arising from a failure in carrying out their data responsibilities. Researchers who believe that the security of a UWE Bristol device may have been lost or compromised, or that a data breach may have occurred, must inform the IT Service Desk immediately.