Skip navigation to content

Data security

In this section:

  1. Information classification
  2. Steps towards data security

Information classification

An important aspect of assessing the sensitivity and value of data and of deciding on the necessary steps to take, is to correctly classify the data. The classification given to information and the associated protective marking label that is applied is a shorthand way of signalling how information is to be handled and protected.

The University's IT services provide guidance on how to classify information and store data containing sensitive/confidential information through its information classification policy. The guidance is in this case tailored to the University's administrative data, but it also serves as a reference for the case of research data.


The UK Data Service provide further information and guidance about legal and ethical considerations and secure storage and disposal.

For additional information on research ethics at the University of St Andrews, see Working with sensitive data and visit the University's guidelines on ethics guidelines.


Steps towards data security

Researchers have a duty to assess the sensitivity and value of the data they create and use in their research, and to take appropriate measures to ensure its confidentiality, integrity and availability.

Such steps may include:

  • Choosing appropriate storage: We recommend using the University's central file store for the storage of sensitive data. The University's OneDrive for Business may be suitable for the storage of some data. However, we do not recommend using cloud storage solutions such as Google Drive, Dropbox or iCloud. See also: file storage options
  • Anonymisation: Anonymisation is necessary prior to data sharing or archiving to minimise the potential that individuals, organisations or businesses who are part or subject of a research project may be identified. 
  • Access control: Regulating access to data and what potential users are able to do with it can be achieved through various routes, including logins and passwords as well as controlling physical access. Access control should always be proportionate to the kind of data that is being dealt with.
  • Encryption: Encryption of data is based on using mathematical algorithms to encode digital information so that only authorised parties can access it using a decryption key. Various software solutions and examples are listed on the UK Data Service website
  • Checksums: Checksums are unique number strings that serve as fingerprints for the content of a data file. They can be calculated by software, e.g. before and after a file is being transferred or backed up, to evaluate the integrity of the data.
  • Backup: Backups of sensitive data should only create the minimal number of copies needed to ensure continued availability of the data if necessary. Backups should only be done on storage media that are suitably secure for holding that type of sensitive data and data should be encrypted once the backup has been completed. See also: Data storage
  • Secure disposal: It is important to note that using operating system tools or even erasing a hard drive may still allow the recovery of data that is meant to be erased. The effective removal of data from a storage medium therefore requires to either physically destroy the drive or to use specialist file shredding software suitable for the respective operating system and the type of hard drive.

Please don't hesitate to contact the RDM team for further information and advice.