Here is an overview of key considerations and resources to help you work with personal data. It is useful for researchers working with personally identifiable data in health or social care-related projects. Please note that links to relevant training and guidance will be reviewed and updated regularly.
Topics covered include:
- Definitions: sensitive data, personal data
- Key considerations: legal frameworks (GDPR), roles and responsibilities, sponsorship, ethical approval
- Data Management Plans, Data Protection Impact Assessments
- Working with NHS data
- Central University Infrastructure for data storage and transfer
- Trusted Research Environments
- Tips for managing personal and sensitive data
- Information Security and Data Protection
- Mandatory and suggested training
- Key contacts
This resource complements the Spotlight Webinars on working with personal data. The webinar series covers sponsorship, ethics, data protection, open research, data preservation, research contracts and supporting student projects in 30 minute slots.
Key concepts
What is sensitive data? What is personal data?
The term “sensitive data” is a bit of a catch-all term.
In health and social care research, it particularly involves personal data.
- Personal data can be used to identify an individual person, either directly or indirectly (e.g. name, contact details, information on physical appearance, location data etc.).
- Personal data also includes special category personal data. As well as making a person more identifiable, special category data is more sensitive, and possessing this data makes a subject more vulnerable (e.g. ethnic origin, political opinions, religious beliefs, sexual orientation, genetic and biometric data, health data etc).
- Examples of personal data and special categories of personal data can be found here: Definitions | Data Protection (ed.ac.uk)
- Personal data also includes data of offenders and suspected offenders. However, it is processed under a slightly different set of laws and receives extra protection.
- More information here: Criminal offence data | ICO
It is important to note that sensitive data can also refer to commercially sensitive data, data that, if released, could adversely affect rare or endangered species, harm an individual or community or have a significant negative public impact. An overview of what counts as sensitive data can be found here: Working with sensitive data | The University of Edinburgh
“Does my data count as personal data?” This is a common question, and there is often no black and white answer. Even after removing obvious identifiers (e.g. name, date of birth, hospital number), participants may still be identifiable in some circumstances. For instance, imagine a database of people with an extremely rare condition, or data coming from a small local hospital population. Even after names are removed, the combination of their age, sex and postcode might still make them identifiable, as no-one else will tick all the boxes. The more specific information there is, the higher the chance that it can be strung together (on its own, or combined with a different dataset) to render the participant identifiable.
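The age/sex/postcode point above can be checked mechanically. The following is an added example (not from this page or the University's tooling) that counts how many records share each combination of those quasi-identifiers in a constructed sample, and shows how generalising age to a band and postcode to its district reduces, but does not always remove, records that stand alone:

```python
"""Check whether de-identified records remain unique on quasi-identifiers.

Added example with constructed sample data: names are already removed,
but age, sex and postcode remain. A record whose combination of these
occurs only once (k = 1) may still be identifiable.
"""
from collections import Counter

# Constructed sample extract (no real patients).
RECORDS = [
    {"age": 33, "sex": "F", "postcode": "EH8 9AB", "condition": "rare_x"},
    {"age": 34, "sex": "F", "postcode": "EH8 9YZ", "condition": "rare_x"},
    {"age": 71, "sex": "M", "postcode": "EH16 4TJ", "condition": "common"},
    {"age": 72, "sex": "M", "postcode": "EH16 4SA", "condition": "common"},
    {"age": 73, "sex": "M", "postcode": "EH16 4UX", "condition": "common"},
    {"age": 29, "sex": "F", "postcode": "EH3 9DR", "condition": "common"},
]


def raw_key(rec):
    """Exact age, sex and full postcode, as collected."""
    return (rec["age"], rec["sex"], rec["postcode"])


def generalised_key(rec, band=5):
    """Age collapsed to a 5-year band, postcode to its outward district (e.g. 'EH16')."""
    low = (rec["age"] // band) * band
    return (f"{low}-{low + band - 1}", rec["sex"], rec["postcode"].split()[0])


def group_sizes(records, key_fn):
    """Map each quasi-identifier combination to the number of records sharing it."""
    return Counter(key_fn(r) for r in records)


def singletons(records, key_fn):
    """Records whose quasi-identifier combination occurs only once (k = 1)."""
    sizes = group_sizes(records, key_fn)
    return [r for r in records if sizes[key_fn(r)] == 1]


def min_k(records, key_fn):
    """Smallest group size, i.e. the k-anonymity of the set under this key."""
    sizes = group_sizes(records, key_fn)
    return min(sizes.values()) if sizes else 0


if __name__ == "__main__":
    for label, fn in (("raw", raw_key), ("generalised", generalised_key)):
        print(f"{label}: k={min_k(RECORDS, fn)}, "
              f"{len(singletons(RECORDS, fn))} record(s) stand alone")
```

Even after generalisation one record in the sample is still unique on its own, which is the situation the paragraph describes: the residual risk has to be assessed against any other dataset the records could be combined with.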
If you are unsure whether your data counts as personally identifiable or not, there are several teams that can support you with this.
- Research Data Support
- Data Protection Officer
My data counts as personal data... what does this mean for me?
Legal Framework
If you are processing personal or identifiable data, various legal frameworks (e.g. GDPR) come into play. You can find University guidance on this through the Data Protection Office. More information is also available via UKRI and ICO.
UK/EU GDPR applies to:
- Anyone in the UK/EU who processes personal data anywhere in the world.
- Anyone outside the UK/EU who processes personal data on UK/EU citizens.
Understanding roles and responsibilities
You will need to understand who the data controller and data processor is for your research.
It is also necessary to carefully review your funder’s requirements in terms of how data should be handled in the short, medium and long term.
Depending on the source of your data, there may be a Data Sharing Agreement in place, which will specify how data needs to be handled. For example, the (American) National Institutes of Health (NIH) have a specific data sharing policy and principles of best practice for protecting participants. The Research Contracts Office at the University can help you put data sharing agreements or other research contracts in place.
Sponsorship (for health and social care research)
All health care and social care research requires sponsorship. Sponsors are different from funders. Sponsors have overall responsibility for your research project and make sure it is feasible, safe, legal, ethical and meets all regulatory requirements.
Sponsorship should be obtained before ethical approval. In fact, the sponsor will instruct which type of research ethics committee (REC) the project should be submitted to.
ACCORD provides sponsorship for University of Edinburgh and/or NHS Lothian-led projects in health and social care. As part of the sponsorship review process, ACCORD will assess whether your plan for data collection and storage meets key requirements in terms of data protection and security. University of Edinburgh systems for data storage and management are known to them, and may be approved depending on the wider context of the proposed study and other safeguards. You can get in touch with their governance team through resgov@accord.scot.
Ethical approval
Please note that you will need to obtain ethical approval for your project if working with sensitive data. The ethics committee will review the purpose of the project, the impact on participants/subjects and the way you intend to process data (collection, storage, analysis, deletion). Please see more information on obtaining ethical approval from one of the University's research ethics committees here. For projects that involve NHS patients, their tissue or their data, you will need to get NHS REC approval, rather than a University REC approval.
Important planning documents
Data Management Plan
You are required to formally document how you aim to store and – if appropriate – share your data through a Data Management Plan, e.g. using DMPOnline. DMPOnline has funder and University templates, with tailored guidance for each question. You can also have your Data Management Plan reviewed by one of the experts in the University Research Data Support Team and get feedback.
Data Protection Impact Assessment
To help you assess the risks associated with processing personal data, and ensure you comply with the various legal frameworks, you need to fill in a Data Protection Impact Assessment.
Please note: If you have successfully obtained ACCORD sponsorship, a DPIA is not necessary.
NHS data
Working with NHS data
NHS Lothian
ACCORD provides sponsorship for University of Edinburgh as well as NHS Lothian-led studies involving humans, their tissue or their data. They can give advice on what additional approvals and pathways are necessary to work with NHS data. Amongst many helpful resources, their website includes information on NHS Lothian requirements for Information Governance and IT Security.
View the University guidance on the requirements for access, security and information governance of NHS Lothian data for research.
DataLoch provides a safe and secure environment for accessing routinely collected health and social care data. See also trusted research environments below.
Beyond Lothian
The Health Data Access Tool Kit helps you understand which approvals you need to access routinely collected NHS data, and points towards key considerations you need to address for a successful application.
The HDRUK Innovation Gateway | Homepage (healthdatagateway.org) lets you search and request hundreds of health datasets and research tools.
Please note: Consent from research participants or NHS Caldicott Guardian approval may be required to obtain data.
Data storage and transfer
Personal data - data storage and data transfer options
Disclaimer: Each project leader and data processor is responsible for their own data. Please consider guidance or limitations set out by the data provider, funder or study sponsor, e.g. ACCORD. This is a rough guide to whether systems are likely to be suitable and approved.
Please note: If researchers are working directly with NHS Lothian data, data should be kept on NHS Lothian servers. NHS Lothian data should only be transferred to University of Edinburgh servers if appropriate data sharing agreements and approvals are in place and the data has been de-identified.
Central University Infrastructure
Summary of data tools
DataStore
For active research data. In general, DataStore is suitable for personally identifiable data with suitable safeguards (for example pseudonymisation and encryption), which is the responsibility of the data holder. However, it will always depend on the wider context of the research project and the details within the data management plan, all of which will be taken into consideration during the sponsorship approval process with ACCORD (see above).
Security Features
- Not publicly accessible or discoverable, remote access through VPN
- Behind institutional firewall and local firewall on the server; additionally, router has Access Control Lists
- Critical security patches are kept up to date
- Only provides web access through DataSync
- Directory permissions are restricted to the owner and group
- Data recovery possible for set timeframe
- Large-scale tape library backup data is not recoverable without the correct permissions (data is striped across many tapes and metadata is required to reconstruct it). Backups are deleted securely after a set timeframe
- Access to physical servers, network hardware etc is controlled electronically and logged
- Server within University of Edinburgh, no data on third party servers
Things to be aware of
- Not automatically encrypted – you will need to manually encrypt desired folders
- Does not currently use two factor authentication
- Various security aspects are user controlled: secure deletion, password strength and timeline for changing, access given to group members and approving new users, folder configuration, control of number and location of physical copies of data
- No image specific security in place
DataVault
For long-term data retention or archiving. Data on DataVault is automatically encrypted, and is approved for storing sensitive data by the University. It has approval from NHS Lothian to store pseudonymised health and social care data on a case by case basis. However, you may need to provide justification for retaining personal data (e.g. data protection exemptions, permission from ethics committee).
Security Features
- All data is encrypted
- Sensitive data is labelled as such to ensure safeguarding upon retrieval
- Restricted access (the current data owner or nominated individuals only)
- Several features to prevent corruption of data e.g. fixity checks, files saved to three widely separate locations
- Server within University of Edinburgh, no data on third party servers
Things to be aware of
- You may need to provide justification for retaining personal data (e.g. data protection exemptions, permission from ethics committee)
- DataVault owners have to be a member of UoE, so when researchers leave, they need to transfer vault ownership. More info on roles and permissions here
- There is an ongoing cost associated with DataVault if the project's data exceeds 100 GB
DataSync
For data transfer. It is approved for sensitive data if suitable safeguards are in place (e.g. encryption). It is important that you discuss the transfer of sensitive data with all parties involved and have the necessary agreements in place.
Security Features
- Requires HTTPS for connecting to web interface
- Files are encrypted in flight using TLS
- Server within University of Edinburgh, no data on third party servers.
Things to be aware of
- Only data in motion is encrypted. Files stored on server are not encrypted – this needs to be set up manually
- Various security aspects are user controlled e.g. sharing configurations
Trusted Research Environments
If research data requires advanced security, it should be kept in a controlled and secure environment. The following ones are recommended by the University of Edinburgh:
EIDF - Edinburgh International Data Facility - EIDF provide a range of security environments. Access depends on which service you want to use, how much resource you require and what type of user you are. Please contact them to explore the available options.
Dataloch - a service developed by the University of Edinburgh and NHS Lothian offering secure access to a predetermined set of health and social care data for approved applicants.
LRSH - Lothian Research Safe Haven - more information is available on the ACCORD website; ACCORD would be involved from the outset.
Data Management
Top Tips for Managing Personal and Sensitive Data
These tips provide a general overview of things to consider for managing data in your research project. They are by no means a finite “to-do” list; instead, they are intended to get you thinking, and go off and explore certain areas in more depth using the links provided. After all, every project is unique, and will therefore have a unique set of requirements, which should be documented in things such as your data management plan or data protection impact assessment.
This may sound daunting, but there is lots of support around for this! If you want to discuss your individual project requirements further, you can get in touch with the Research Data Support Team or Data Protection Officers. Some Schools/Institutes also have a Data Manager who you can ask for advice.
Encryption
- If working with personal data, or other types of sensitive data, you should consider whether encryption is necessary. Using a Data Protection Impact Assessment, you can weigh up the risks for and against this.
- If you decide that encryption is the right way to go, you can read more about University Guidance on encryption, as well as UK Data Service Guidance.
Identifiability
- Think about options to de-identify at the point of collection. We recommend coming up with an anonymisation or de-identification plan and to keep a change log too. That way, you can make sure de-identification is consistent and done properly.
- Anonymisation completely removes identifiers, and irreversibly prevents the identification of data subjects. This is difficult to achieve; more often, the data is pseudonymised.
- With pseudonymisation, key identifiers are removed/replaced and a key is created to enable re-identification. You should store the key in a separate encrypted container, and make sure you only have one copy of these. Pseudonymised data still counts as personal data.
- See University Guidance for anonymisation/pseudonymisation of data, as well as the Information Commissioner's Office Guidance.
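To make the pseudonymisation steps above concrete, here is an added example (not from this page or from the University's tooling): direct identifiers are stripped from a constructed clinical extract, each participant receives a pseudonym derived with an HMAC over the hospital number under a study secret, and the key table and change log are returned separately so that they can be stored in their own encrypted container apart from the working data. The secret and records are constructed sample values.

```python
"""Pseudonymise a record set and keep the re-identification key apart.

Added example with constructed data. Direct identifiers (name, date of
birth, hospital number) are replaced by a pseudonym; the key table that
maps pseudonyms back must be stored separately and encrypted, with only
one copy kept. The output is still personal data.
"""
import hashlib
import hmac

DIRECT_IDENTIFIERS = ("name", "dob", "hospital_number")

# Constructed sample extract (no real patients); the same patient appears twice.
RAW_RECORDS = [
    {"name": "A. Example", "dob": "1990-04-12", "hospital_number": "H0001",
     "age": 34, "sex": "F", "result": 5.1},
    {"name": "B. Sample", "dob": "1951-11-02", "hospital_number": "H0002",
     "age": 72, "sex": "M", "result": 6.7},
    {"name": "A. Example", "dob": "1990-04-12", "hospital_number": "H0001",
     "age": 34, "sex": "F", "result": 5.4},
]


def make_pseudonym(hospital_number, secret):
    """Keyed hash: the same patient always maps to the same code, but the
    code cannot be reversed, and cannot be reproduced without the secret."""
    mac = hmac.new(secret, hospital_number.encode(), hashlib.sha256).hexdigest()
    return "P" + mac[:12]


def pseudonymise(records, secret):
    """Return (pseudonymised_records, key_table, change_log).

    key_table maps pseudonym -> original direct identifiers and is the
    re-identification key; change_log records what was done to each record
    so the de-identification can be shown to be consistent."""
    cleaned, key_table, log = [], {}, []
    for i, rec in enumerate(records):
        pid = make_pseudonym(rec["hospital_number"], secret)
        if pid not in key_table:
            key_table[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out = {"participant_id": pid}
        out.update({k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS})
        cleaned.append(out)
        log.append(f"record {i}: removed {', '.join(DIRECT_IDENTIFIERS)}; assigned {pid}")
    return cleaned, key_table, log


def re_identify(record, key_table):
    """Reverse the process using the separately held key table."""
    return {**key_table[record["participant_id"]], **record}


if __name__ == "__main__":
    data, key, changes = pseudonymise(RAW_RECORDS, b"constructed-study-secret")
    for row in data:
        print(row)          # working copy: no names, DOBs or hospital numbers
    print(len(key), "entries in the key table (store separately, encrypted)")
    print("\n".join(changes))
```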
3rd party servers
- Please make sure that sensitive/identifiable data is not stored on or transferred through 3rd party servers outside of the UK/EU, especially if they have not been vetted or contracted by the University of Edinburgh.
- In general, the use of third-party servers is riskier, and you may violate the University’s data protection agreements.
- Instead, the University provides secure facilities for data storage and sharing (see above).
Portable devices
- e.g. laptops, tablets, USB sticks, audio/video recorders. Please note that University-managed devices are often encrypted from the outset.
- Proposed use of these devices should be documented in the data management plan, ethics application and sponsorship application.
- Sometimes remote desktop connections can be an alternative to portable devices, but you need to check whether working remotely is authorized by the PI and covered in the relevant data sharing agreement and/or data management plan.
- For storing data:
- We strongly recommend not using any of these options as a primary location for storing any data, but especially sensitive data. The risks of loss, theft, damage, etc. are too high.
- For collecting data:
- Only use these devices for data collection if you have the necessary permissions in place, and make sure they are encrypted to a high standard.
- If the devices can be connected directly to the network (using the VPN), data collected should be saved directly to DataStore, not kept on e.g. laptop hard drives.
- If devices cannot be connected to the network directly (e.g. recorders), data should be saved on DataStore as soon as possible and securely deleted from the device. Writing a back-up schedule can help with this.
Access configurations
- It is up to the user or group to configure shared group storage spaces or access controls for certain data. The need to access data may change across a project, as do the roles and responsibilities of group members and collaborators.
- It is advisable to limit data sharing and authorised individuals, and regularly review user permissions.
File Sharing
- If transferring sensitive/identifiable data, the requirements and the process should be carefully discussed with the parties involved. Data sharing may not be necessary – an alternative is working on shared folders in DataStore.
- All data flows leaving the University must be documented with a Data Protection Impact Assessment and lodged with the Data Protection Office.
- Never use email, Dropbox or Google Drive for file sharing. Make sure you use secure channels and SFTP.
File deletion
- Think about how long you need to keep your data for, taking into consideration funder and sponsor requirements and relevant legislation. Document it in your data management plan.
- Secure deletion is not achieved by the delete key or moving something to the desktop recycling bin. Instead, you can use secure disk eraser programmes - see University guidance. You can get in touch with the Research Data Support Team to discuss further options for secure deletion, such as file-level delete applications for Windows or secure delete applications in Linux coreutils.
Do not store copies of identifiable data on a device unless explicitly approved by your sponsor and ethics committee.
Security
Information Security and Data Protection
For sensitive and identifiable data, it is key to prevent unauthorized access through good information security. Data Protection encompasses a set of laws, regulation and guidance on collecting and using personal data.
University of Edinburgh Resources
- The University of Edinburgh provides information, guidance and training on the data protection policy.
- There is also specialist guidance on research data protection.
- The Data Protection website also includes information on how to carry out a data protection impact assessment (DPIA).
Other Resources
- Overview of Research Data Management provided by UK Data Service. This includes a section on data protection and other legal issues, as well as a guide to anonymisation.
Training
University of Edinburgh - mandatory training
- Data Protection Training: online self-paced course on Learn. Compulsory for all staff and strongly recommended for students. Self-enrol via People and Money.
- Information Security Essentials: Online self-paced course. Compulsory for all staff and strongly recommended for students. It is divided into five modules. Self-enrol on Learn.
- Data Protection for Research: online self-paced course on Learn. Compulsory for academic research staff. Self-enrol via People and Money.
University of Edinburgh - additional training and workshops
- Working with sensitive data workshop: This training is provided by Research Data Service, with scheduled sessions at various points during the semester – in person or online. You can view the course schedule and the timings following the link above.
- Workshops run by Edinburgh Clinical Research Facility, e.g. “Research, GDPR and Confidentiality”: There is a limited number of subsidised spots on these courses for members of the NHS or the University of Edinburgh. See full list of training using the link above.
- The Spotlight Webinar Series covers seven 30 minute webinars on working with personal data. Topics include: sponsorship, ethics, data protection, research contracts, open science, data preservation and supporting student projects.
Other training providers
- MRC Regulatory Support Centre – UKRI: includes e-Learning on the use of data about people, and human tissue in research.
- Training | SCADR: the main focus here is on administrative data research, but it also links to basic training in data awareness and research skills.
Summary and Helpful Links
What counts as sensitive data? What counts as personal data?
- University guidance - Research Data Support
- University guidance - Data Protection Office
Guidance on GDPR and legal frameworks
- University guidance and data protection policy
- UKRI: Using data about people in research – UKRI
- Information Commissioner’s Office: UK GDPR guidance and resources | ICO
- NHS Health Research Authority: GDPR guidance - Health Research Authority (hra.nhs.uk)
- MRC Regulatory Support Centre: Using data about people in research – UKRI
Guidance on data sharing agreements, data transfers, research contracts
- Setting up research contracts | Edinburgh Research Office
- Setting up research contracts (sharepoint.com)
Guidance on Data Protection Impact Assessments (DPIAs)
Guide to anonymisation/pseudonymisation of data
Guide to encryption
Guidance on research integrity
Guide to secure deletion
Guidance on Information Security in research
Guidance on accessing/working with NHS data
- University guidance
- ACCORD
- NHS Lothian Information Governance and IT Security | Accord
- Caldicott Guardian | Accord
- Health Data Access Tool Kit
- HDRUK Innovation Gateway | Homepage (healthdatagateway.org)
Key Contacts
- ACCORD: Mandatory first point of contact for conducting a clinical-based study at the University of Edinburgh. They issue sponsorship, which also entails support on protocol development, regulatory compliance and risk assessment. Accord (ed.ac.uk). You can directly get in touch with their governance team at resgov@accord.scot.
- College-level ethics committees: Ethical approval should be obtained once sponsorship is in place. See here for links to the various college contacts and processes: Research Ethics (ed.ac.uk)
- Research Data Service: Supporting researchers to manage their data through all stages of a research project. Appointments may be made for in-person or Teams meetings, 1:1. Experience with managing sensitive data. Contact | The University of Edinburgh
- Information Security: Provides access to a library of guidance and advice on information security, as well as diverse training courses. The Information Security Team can also provide guidance on research projects. Information Security | Information Security (ed.ac.uk)
- Data Protection Office: For policies and guidance on data protection, including carrying out a data protection impact assessment (DPIA) for a research project. This is the right team if you want to report a data protection breach, or if you have a data protection query. Data Protection | The University of Edinburgh
- Research Contracts Office: Helps with data sharing agreements, data transfers and other research contracts: Setting up research contracts | Edinburgh Research Office
- CMVM IS Bioquarter and Central Support: Support with various hardware and software requirements of your research. View their SharePoint site for an overview of services and support or submit an IS ticket for queries.
- Data Managers: Many schools and departments have Data Managers that can help with specific data management queries. If you are in CMVM, contact the data managers here: CMVM.Data@ed.ac.uk
- MRC Regulatory Support Centre: Support and guidance for those conducting research with human participants, their tissue or data (not just MRC-funded projects). About us and contacts – UKRI