Data Handling and Storage
For Research involving living human subjects, human tissues and other human samples.
It is the responsibility of the Researcher (Supervisor for undergraduate projects) to keep securely all data collected as part of their research.
Whether new or existing data, the Researcher must consider and advise the participants and the School Ethics Committee:
1. Rights of the Participant – from whom you are collecting data;
Participants have a right under the Data Projection Act to be fully informed as to the purposed and intended use of the data you wish to collect.
Who will have access to the data?
Participants should be clearly advised who will have access to their personal data through the research period.
How the data will be stored and for how long;
When personal data is being collected it is essential to inform the participant how long their data will be held for and if it will be retained for future research (appropriate consent must be obtained for the latter). Information should also be included as to how the information will be stored i.e. locked filing cabinet, encrypted or password protected files, coded data etc.
If the personal data will never be used in future research it is recommended that it be destroyed as soon as possible, and always within five years of the start date. This must be adhered to unless the Chief Researcher is able to contact the participant and ask for consent to hold it longer or ask if it may be used in other research.
Hard Copies, interview notes, printed papers, photographs, video or audio tapes must be kept securely locked away in a locked filing cabinet or cupboard that can only be accessed by the researchers involved in the research.
To ensure an extra layer of confidentiality researchers must also consider
· Will the data be anonymised before being stored?
· Will the data be stored separately from data which may identify a person?
· Where will the key be stored?
· Could others find the key and access the data?
Computer ( Laptops; non-University computers and USB memory sticks ) – containing personal or identifiable data
Files retained in this manner come under the Data Protection Act. The following security measures are recommended;
· Ensure an adequate firewall and virus checking system is on your computer/laptop
· Only allow authorised researchers access to the information. When using shared computer drives the research team members, ensure that files are secure by means of passwords and encrypted files. This principle l also pertains to personal information held on hard drives, USB pens or Disc’s
· That data is maintained only on work hard drives or encrypted USB sticks. Never on the hard drive of a work/home laptop which can easily be lost or stolen.
· Ensure that data has been securely removed before disposing of an old Computer ( Laptops, disks or USB memory sticks ).
· Under the Data Protection Act it is a legal requirement to ensure appropriate security measures do not allow unauthorised access and that failure to remove personal data from a computer’s hard drive may result in prosecution.
· Coded data files must be held separately to ensure that they can only be linked by the researchers authorised to do so.
2. What is personal Data - We recommend that the guidelines set out by the Information Consumer Officeshould be used to determine what personal data is.
3. What is Coded Data - The term ‘Coded Data’ refers to when data collected by the researcher is identifiable as belonging to a particular participant but is kept with personal identifiers removed. The researcher(s) retain a ‘key’ to the coded data which allows individual participants to be re-connected with their data at a later date. The un-coded data is kept confidential to the researcher(s) (ad Supervisors). If consent is given to archive data (see consent section of form) the participant may be contacted in the future by the original researcher(s) or other researcher(s). Coded data is not anonymised data and should not be referred to as such.
See Frequently Asked Questions on Information relating to Coded Data, Anonymous Data, Identifiable/Attributable Data
4. Sharing Data with other Universities
The data protection Act states that personal data should not be transferred to a country of territory outside the European Economic Area (EEA) unless an adequate level of protection of the data subjects exists.
If, however, the data is anonymous or anonymised so that there is no possibility of identifying the individual from it, then you are free to transfer the information outside the EEA.
EEA Countries: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lichtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden
The European Commission have also approved the following countries; Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Jersey, Switzerland.
SEC and UTREC Records
All ethical applications submitted for approval to School Ethics Committees are filed and archived independently within the relevant School/ Department. This is likely to be in the form of a hard copy and computerised copy. SEC should take the relevant measures to ensure that these files are kept securely accessible to only members of the Ethics Committee. A centralised password protected database is also maintained by UTREC accessible to permitted SEC and UTREC members only.
UTREC maintain all UTREC applications and Ethical Documentation on a restricted shared drive accessible only to 3 members of the UTREC team. Papers for SEC and UTREC meetings are collected at the end of each meeting and destroyed accordingly, with only the Convenor maintaining a copy in a locked cabinet.