Q. What is personal and sensitive data?
Personal data is data relating to a living individual, which allows the individual to be identified from the information itself or from the information plus any other information held by the 'data controller' (or from information available in the public domain). The University of Cambridge as a whole is the data controller.
Sensitive data is personal data about:
- racial or ethnic origin
- political opinions
- religious beliefs
- Trade Union membership
- physical and mental health
- sexual life
- criminal offences and court proceedings about these
If you would like to learn more about personal and sensitive data and do some practicial excercises on identifying these data types, the University of Cambridge offers short 30-mins long online courses on personal and sensitive data. Additionally, you can also register for a face to face training on Data Protection and FOI, delivered by the University of Cambridge Information Compliance Officer.
Q. What does the law require me to do with data protection?
The Data Protection Act of 1998 gives individuals certain rights, and imposes obligations on those who record and use personal information to be open about how information is used and to follow eight data protection principles. Personal data must be:
- processed fairly and lawfully
- obtained for specified and lawful purposes
- adequate, relevant and not excessive
- accurate and, where necessary, kept up-to-date
- not kept for longer than necessary
- processed in accordance with the subject's rights
- kept secure
- not transferred abroad without adequate protection
If you would like to learn more about personal and sensitive data and do some practicial excercises on identifying these data types, the University of Cambridge offers short 30-mins long online courses on personal and sensitive data. Additionally, you can also register for a face to face training on Data Protection and FOI, delivered by the University of Cambridge Information Compliance Officer.
Q. I am funded by EPSRC - can I restrict access to my data?
The EPSRC expects you to make your research data publicly available, with as few restrictions as possible. However, there are some exemptions to this. The access to the following types of data can be restricted:
- Personal data should not be released, unless consent of the person is given; otherwise the data will need to be properly anonymised. Anonymisation can be more complex and time consuming than simply removing someone’s name, so plan ahead (guidance on personal and sensitive data is available).
- Sensitive data (that would compromise intellectual property, or security) should only be released under carefully controlled conditions and once any necessary permissions are obtained (guidance on personal and sensitive data is available).
- Reasonable delays/restrictions to data publishing are acceptable if necessary to protect intellectual property or commercially confidential data.
- If data preservation is not possible or cost-effective, it is acceptable not to publish the data, as long as the ability to validate published research findings is not compromised. For example, suitably documented research methodology and initial conditions allows others in principle to produce an equivalent dataset sufficient to validate the published work.
Q. How should I store my sensitive or confidential data?
You should limit physical access to sensitive data or encrypt it (speak with your local IT/Computing Officer or the University Information Services Help Desk for help in doing this).
To avoid accidentally compromising the data at some future date, you should always store information about the data's sensitivity and any available information on participants' consent or use agreements from your data provider with the data itself (i.e. put information about lawful and ethical data use in your data documentation or metadata description).
Q. How do I share or publish my findings for research using sensitive or confidential data?
There can be a potential conflict between abiding by data protection legislation and ethical guidelines, whilst at the same time fulfilling funder's and individual's requirements to make research results available. Ethics committees may believe that any personal or sensitive data should remain confidential. It is important therefore to distinguish between personal and more general data gathered during research.
Personal data can be disclosed or shared if the individual has given explicit consent and specified the level at which this should be done. You should always consult with your Faculty Ethics Committee if you are unsure whether the data you wish to share or publish can be used. The University of Cambridge has an Ethics in Research website, which explains when to seek an ethics review and what body to consult. That page includes a handy Ethics Review Flow Chart, the University Guidelines on Ethics in Research, information on applying for ethical approval and information on consent forms.
In some cases, you may be able to anonymise your data in order to share and publish it in more detail. The UK Data Service provides brief Guidance on Anonymisation.
Q. Data supporting my research is personal or sensitive. How do I share these data?
If your research involves human participants, you need to carefully consider ethical aspects of your research already before the start of your project. You should address these considerations in your data management plan. In most research projects of this type, you ask your participants to fill in a consent form. When you are considering sharing data the consent form should inform the participants about your plans for research data processing, storage and sharing. For example, you can inform your participants that anonymised data will be shared via the University of Cambridge data repository.
There is good guidance on consent forms at the UK Data Archive. The UK Data Archive also provides a model consent form.
Further guidance on various aspects of personal and sensitive data is available.
Q. Could I just share research data only when asked for it?
Yes, but only provided that there are legitimate reasons why you cannot make your data openly available. A possible reason might be data containing personal/sensitive information. In circumstances when data is made available via managed access (upon request), data access controls and criteria for what needs to happen for the access to be granted have to be made clear in metadata description.
For more guidance on managed access to research data please see the EAGDA report on data access governance.