Skip to navigation | Skip to main content | Skip to footer
Menu
Search the University of Manchester siteSearch Menu StaffNet

Updated research FAQS: personal data storage

01 Apr 2020

Frequently asked questions are updated regularly

This advice is correct at the time of publication of this news article.

If you have health concerns then you should refer to the NHS website as recommended by Public Health England, however to make other queries regarding the current situation you can email coronavirus-info@manchester.ac.uk.

We will be updating the staff frequently asked questions on a regular basis.

The latest questions are:

During this period of working from home - can I process personal data at home that has been obtained for the purposes of research?

You can process personal identifiable research data at home if all of the following conditions apply:

  1. You have ethical approval to process the personal data for the purposes of research.
  2. You are based in the EU and the data was acquired in the EU or you are based in the country of origin of the personal data if this is outside the EU.
  3. Where data is being provided by a third party, there are no clauses within the contract of the data provider/data controller that prevent you from processing the data at home.  (You should check contractual arrangements where there is a data provider before you access such data from home.) 
  4. There are no strict requirements guided by the data provider or the nature of the research that means that the physical environment from which the processing is being undertaken is restricted.
  5. You can ensure that no other member of your household can view any personal data.
  6. You use a University-managed device/access the data via VPN (Global Protect)/or follow the guidance regarding the use of your own equipment (see below).
  7. You take appropriate security measures (encryption), and back up your data securely following the advice by IT Services below.
  8. The information you have provided to the research subjects (Participant Information Sheet and Consent form) which describe the storage and processing environment do not prohibit you from doing this.  See the ethics website for more information.

Where the storage or processing of data cannot be undertaken on University infrastructure then contracts/data sharing agreements and other such formal documents (e.g., system level security policies) which state the location of storage and processing, should be updated to reflect the new storage and processing locations. Any contracts would need to be reviewed by the University Contracts Team before being forwarded to the third party data provider. Note that data can only be accessed/viewed within the stated territory of use in such contracts.

Can I process research data containing personal identifiable information on my own equipment? 

The University usually requires that personal identifiable data are stored on a University-managed device, not a personal computer, because these devices are encrypted and maintained by IT Services. The data should also be stored on a University server so that it is backed up regularly.

However, if you do not have a University-managed device you can use your personal device provided that you take account of the need for appropriate security, confidentiality and integrity of the data and are confident that your personal device meets the standards set out in the IT Services Bring Your Own Technology and Remote Working standard operating procedure.

As a last resort, how do I safely store data on my own equipment?

Where possible, and especially when you are processing restricted/highly restricted data, you should use VPN to access your University of Manchester staff desktop and storage eg. P drive or Isilon shared drive, University of Manchester Dropbox for Business or SharePoint/OneDrive services.  You should not save any copies of the data on your personal device.

As a last resort, if you need to store research data which includes personal identifiable information on your own device (i.e. laptops/desktops – not USB pens or portable hard drives), this must remain in your home at all times, and should not be transported elsewhere due to the increased risk of theft. Files containing personal identifiable data must be encrypted, and devices password protected/locked to prevent unauthorised access. Virus software and operating system updates should be kept up to date on your device.

Which text-messaging, Voice over internet protocol (VoIP) services and video services can be used for data collection?

If you are a member of staff:

If data is being recorded using the recording function in the service, University-approved services must be used via a University account:

The use of personal accounts or the use of other platforms is only permissible for communication – not recording.  Please contact Information Governance if you have any questions.

If you are a student:

Important: The guidelines issued below in relation to the use of personal accounts for the purposes of data collection are only to be used for research conducted during COVID-19 outbreak, while face-to-face data collection is prohibited. Discussions are currently ongoing regarding how to best support students who wish to use digital methods of data collection once the University re-opens and revised guidance on this topic will be circulated in due course.

Personal accounts may be used to record data as long as participants are made aware of the privacy policies of the relevant service, including the fact their data may be transferred to countries outside of the EEA before starting a recording either in a participant information sheet or in another written communication sent to the participants prior to the start of data collection. Participants must be advised that they do not have to take part if they do not wish a recording to be made.

It is strongly advised that Skype or Zoom are used to record video or audio only interviews with participants. Use of other third party apps/add-on apps to record conversations within other VoIP services such as WhatsApp or Telegram must not be used.

What should I tell participants before I start data collection?

The following text must be provided to participants:

Your participation in this research will be recorded in [Skype/Zoom] and your personal data will be processed by [Microsoft/Zoom]. This may mean that your personal data is transferred to a country outside of the European Economic Area, some of which have not yet been determined by the European Commission to have an adequate level of data protection. Appropriate legal mechanisms to ensure these transfers are compliant with the UK General Data Protection Regulation are in place. The recordings will be removed from the above third party platform and stored on University of Manchester managed file storage as soon as possible following the completion of data collection.

Further privacy information:

How long may I keep recordings?

The recording files must be downloaded, saved to University storage and deleted from the service as soon as possible.

Further information on recording participants for research purposes can be found in the University of Manchester Taking Recordings of Participants for Research Purposes Standard Operating Procedure.

If the recording is on a cloud service, then the cloud service should be based within the EU and the account must be protected by a unique strong passphrase consistent with the University of Manchester IT Services Password Technical Security Standard.

If the recording is stored on a personal device and this is backed up to a personal cloud e.g. Apple device and iCloud the recording must be permanently deleted from all back-ups and moved to University file storage. Backups of University information must NOT be taken, as personal devices never store the master copy of information. The master copy of information should be on University of Manchester storage. 

Please contact Information Governance if you have any questions around the use of other tools for data collection.

What should I do about storing physical documents containing personal information (ie consent forms)?

If you have physical documents containing personal identifiable information you should keep these in a secure place within your home, preferably in a locked filing cabinet for which only you have access.  When the University re-opens, all such data should be safely returned and stored at the University. 

More information