Library Help: Office For Open Research

This article contains the following sections:

• Introduction
• Information security classification
• Storage and collaboration solutions
• Storage and security considerations
• Support and guidance

Introduction

Safe and secure storage of research data is essential to protect against data loss, unauthorised access, and ensure compliance with institutional, funder, data provider and legislative requirements.

A Principal Investigator (PI) should establish a research data management system for their projects, and document details in their data management plan. The PI should communicate these procedures to all group members. The procedures should ensure that the PI is able to access all data produced by the research group and must meet all applicable security requirements.

Information security classification

All information must be stored and handled in a manner appropriate to its security classification, and the master copy of all digitally held information, regardless of its security classification, must be stored on University-approved systems.

The University has four levels of information security classification: Unrestricted; Restricted; Highly Restricted; Very Sensitive. The following guidance explains these classifications and information handling controls:

• Information Security Classification, Ownerships and Secure Information Handling SOP
• Information security classification examples and handling guidance for confidential information

That guidance includes, but is not limited to:

• If information is classified as Very Sensitive, then you must seek advice from the University’s Head of Information Governance and/or the Research Relationship Oversight Group before signing any contracts or starting to store or handle it.
• Highly Restricted information must always be encrypted, at rest and/or in transit.

Storage and collaboration solutions

To safeguard your data, use storage systems provided by the University. These systems are regularly and automatically backed up, and may be accessed on-campus and off-campus (except for the Data Safe Haven which is restricted to on-campus access). 

• Research Data Storage (RDS) See also the RDS Service Introduction and RDS User FAQ.
• OneDrive for Business
• P Drive
• Sharepoint Online
• Data Safe Haven

The Information Governance Office also provides Best practice guidance on tools for sharing and storing information.

Storage and security considerations

If you will store person identifying information then this must not be kept indefinitely. You should aim to anonymise it as soon as possible or follow the retention as prescribed by your funders, data providers or in line with the University Records Retention Schedule. As such, make sure you have processes for secure deletion of the data, both paper and electronic.

Retention does not mean you archive after the retention period has been reached. Once retention is reached you will need to securely delete the person identifying information. If you will dispose of confidential or personal data then see the Information Governance Office guidance on disposal of confidential material.

If you intend to capture audio, video or images of participants, please consult the Data management and protection page for ‘Guidance on recordings’ to ensure compliance with data protection laws.

If you will export any controlled items (which may include information, data or software) outside the UK, then you are responsible for checking your work complies with export controls. If you need further advice, please contact the Export Controls Compliance team.

When choosing storage solutions consider whether you will need to archive your data at the end of your project and whether your chosen storage solution will support this. If appropriate, you may wish to consider further options for sharing research data openly or in a controlled manner.

There are circumstances, such as fieldwork, where portable devices and media (e.g. laptops, hard drives) may be necessary to temporarily store or transfer data. Where such exceptions exist, data should be moved as soon as possible to University-approved systems. If Highly Restricted or Restricted information need to be temporarily stored outside of University-approved systems then the file, device or media must be encrypted and the device or media must be kept physically secure at all times. IT Services provides guidance and support for encryption, including laptop encryption, and for travelling abroad with an encrypted laptop and data.

Support and guidance

• Research IT provides support for digital data solutions.
• Information Governance Office provides support for data protection, information security, information risk management, records management, Freedom of Information, and business continuity.
• Highly Restricted Data Service supports the provision of dedicated and secure platforms for researchers working with restricted and highly restricted data. Services include the Data Safe Haven, secure web platforms, SafePod and REDCap.