Data management and protection
Good data protection management means having effective processes and methodologies in place to maintain data integrity.
Questions related to data management and protection should be directed to the Information Governance Office. You can also find lots of helpful information on their website.
Information on the creation of data management plans for research projects can be found here.
Here are some useful links to more specific information:
- Data Management
- Records Retention Schedule
- Security of Voice Recordings
- Encryption
- Disposing of Personal Data
- Loss or theft of personal data
Accessing NHS England Data
If you are planning to access NHS Digital data, you need to follow NHS Digital’s Data Access Request Service (DARS) process.
DARS application
When preparing a new DARS application, applicants should make contact with the University's Highly Restricted Data Service, Information Governance Office and Research Governance teams so that the arrangements for accessing, transferring and processing the NHS England data can be reviewed. Notice of the planned application and, if available, a copy of the draft DARS application should be sent to: Data_RG@manchester.ac.uk
If you need specific advice on any aspect of the technical or governance arrangements, please outline in the email what input is required.
Data Sharing Agreement
Before the data can be accessed or transferred, a Data Sharing Agreement (DSA) needs to be put in place between NHS England and the University. All DSAs must be reviewed by the University’s Contracts Team, who will arrange for the DSA to be signed by the University’s authorised signatory.
As part of the sign-off process, the Contracts team will seek confirmation from Research IT, Information Governance and Research Governance teams that there are no objections to sign-off.
In addition to the conditions outlined in the DSA, NHS England data users must be aware of the conditions outlined in the overarching Data Sharing Framework Contract (DSFC) in place between NHS England and The University of Manchester. The DSFC ensures that high standards are maintained by the University in safeguarding any data we receive from NHS England. Full details of what you need to consider are outlined in the University’s NHS Digital Data Sharing Framework Contract (DSFC) guidance document for users.
Related guidance
The University’s Data Safe Haven provides an infrastructure for the secure management of personal, sensitive and confidential information including NHS England data.
Making research data open and accessible
Open research relates to how research is performed and how knowledge is shared based on the principle that research should be as open, transparent, and accessible as possible. Open research also enables researchers to take advantage of digital technology.
Open research practices include:
- pre-registration of hypotheses and/or research questions
- the use of pre-prints
- open-access publications and other outputs
- full and transparent reporting of research workflows and statistical analysis code
- sharing of original research materials
- FAIR (Findable, Accessible, Interoperable, and Reusable) data
Not all of these practices will be appropriate for any given research project. Open research will look different in different disciplines but common to all is transparency in the research process.
When writing your data management plan you should consider how you will satisfy the University’s expectations for open research which are outlined in the Position Statement on Open Research (section 4). In particular, consider how you will make research data as open and accessible as possible and where relevant, justify any restrictions that might need to be applied. The University’s Research Data Management Standard Operating Procedure (sections 29-34) and Sharing data page provide guidance on publishing data, and the Concordat on Open Research Data (Principle #2) outlines valid reasons for restricting access to data.
You will also need to ensure that you include relevant information in your participant information sheet and consent form to make it clear to participants what will happen with the information they provide.
Guidance on the use of freedom of information requests for research purposes
Freedom of Information (FoI) requests legally compel public organisations to produce the information that is asked for in the request, if it falls within the legal criteria for such requests. Answering a FoI request may involve considerable resources if the information cannot easily be extracted from an organisation’s IT systems, or has not already been collated for other purposes. Organisations receiving FoI requests for information for research purposes are therefore likely to see this as a particularly aggressive form of data collection, and qualitatively different from a standard request concerning whether they are able to provide information that is important for a research project.
An FoI request should only be used to obtain information for the purposes of research under the following circumstances:
- The information cannot be obtained via more usual and less aggressive means.
- The research justifies the time and cost to the organisation(s) approached (e.g. we would not expect an undergraduate dissertation to justify this).
- The potential future cost to any current or future relationship between the University and the organisation(s) has been considered.
Protecting and exploiting intellectual property
For detailed information about Intellectual Property at the University of Manchester please click here.
Guidance on Recordings
Approval of proposed recording and transcription activities
If ethical approval is required for the research project in which recordings will be taken (as verified by the University’s Ethics Decision Tool), this approval must be obtained before commencing any recording. Please note that all guidance information below must be followed for any recordings to be taken, including those that are parts of projects requiring ethical approval and those that are classed as ethically exempt.
Prior to approval the Supervisor/Principal Investigator must ensure that, for each element of information to be gathered, the following have been considered:
- The recording must be limited to the information necessary to address the aims of the research project;
- The structure of the recording must be planned in advance so far as is appropriate to the research project;
- The need for audio recording as opposed to taking field notes and/or the need to use a video recording as opposed to an audio recording has been justified; and
- Any new requests to purchase recording equipment must be for encrypted devices as advised by Research IT, and the cost of such equipment must be included in funding applications.
Details of the proposed recording must be included in the full mandatory Data Management Plan completed for the research project. Additionally, the end-to-end data handling of these recordings must be documented (e.g. by completing a data flow diagram or narrative). Approved storage for research data can be found here. If it is not possible to meet the storage requirements, a review of the Data Management Plan must be requested via DMP Online and any questions directed to Research IT via the tool.
The PI/Supervisor must sign to confirm that they understand and will comply with this Procedure either through the Ethical Review Manager (ERM) system or the faculty research governance review process.
Recording participants - instructions
- Only record what has been approved by the ethics committee as necessary for the study;
- Ensure the location of any recording is appropriate (e.g. consider the privacy and comfort of the participant and/or any risk involved);
- Where possible, the name of the interviewee must not be recorded unless verbal consent is required, in which case it must be both recorded and stored separately from the rest of the interview data;
- If using Zoom or Teams for audio and/or video recordings, ensure you adhere to the guidance issued by Research IT and Information Governance.
- An encrypted University-provided device should be used for recording (e.g. an Apple iOS device such as an iPod touch, iPhone or iPad which has been enrolled onto the University Exchange email service to activate device encryption).
- If it is not possible to use an encrypted University-provided device (e.g. for UG or PGT students or for staff projects with limited funding), personal devices may be used for recordings provided the following criteria are met:
  - The device is enrolled onto the University Exchange email service to activate device encryption.
  - All recordings are immediately transferred off the personal device onto University storage and any copies of the recordings on the personal device are deleted.
  - Any cloud back-up services that the device is connected to are turned off or disabled until the recordings are permanently removed from the device.
- The device used to make the recording must never be left unattended and must be locked away securely when not in use; and
- If a recording device is shared, any recordings must be deleted prior to handing over to another user.
Storage and Processing of Recordings
Transfer of recordings to University storage
- Recordings must be transferred from the recording device to University storage (as detailed in the Data Management Plan) as soon as possible to ensure that a master copy is backed up and the file is encrypted.
- Recordings should be checked once transferred and before deleting from the recording device.
- Examples of methods for transferring recordings securely to University storage can be found in Appendix A.
Storage of recordings
- Transcripts must be securely stored (i.e. on servers provided through IT Services (“University servers”)).
- Appropriate storage must be used as per the information security classification of the data captured, as well as any third party data providers’ requirements.
- Approved storage for research data can be found here. Data must be encrypted to AES 256 standard when not in use. Further University of Manchester guidance on file encryption can be found here.
- Highly restricted information must always be encrypted, including data on University systems and with third-party/cloud service providers.[1]
- Transcripts not held on University servers must be stored on an encrypted device for temporary storage only. They must be transferred to University servers and deleted from temporary storage as soon as possible. Information regarding hardware encrypted USB sticks can be found here: http://www.itservices.manchester.ac.uk/secure-it/encryption/usb/ More advice on Portable Devices can also be found here.
[1] Information Security Classification, Ownership and Secure Information Handling Standard Operating Procedure.
Processing the recordings (e.g. coding, analysis, transcription)
- The identity of the participant must be anonymised in the transcript as soon as is practicable, unless consent has been sought to permit identification (e.g. an oral history archive);
- The transcription of recordings must be done in a secure environment where the data subject cannot be seen or heard by another person outside the approved team. Further information regarding the minimum security controls can be found in the “Information security classification, ownership and secure information handling SOP”;
- Transcription by a third-party is only permitted where either a University-approved transcription service is used (see ‘Find a supplier’ link on the Procurement homepage for more information) or other arrangements as approved by the ethics committee.
Transcription by those outside of the research team, including students, requires a signed confidentiality agreement.
Data transfer, collaboration or sharing
If recordings that contain personal data are moved to another organisation, a data transfer agreement may be required to be put in place between the organisations, particularly where it is not possible to anonymise the data (e.g. observational studies). This also applies when staff leave the University and request to take the data with them, and may apply if staff move within the University.
- Recordings must be transferred from the recording device to University storage (as detailed in the Data Management Plan) as soon as possible to ensure that a master copy is backed up and the file is encrypted.
- Recordings should be checked once transferred and before deleting from the recording device.
Guidance on how device tools can be used to transfer data is provided below.
Apple Devices
When using University-provided Apple devices such as iPads the following process using iTunes can be used.
The transfer process using iTunes requires the iTunes application to be installed on your University of Manchester PC so that a connection can be made from your iPad to your PC via the USB data/charging cable. Once connected, you can then transfer data from a compatible iPad app as per this Apple knowledge base article: https://support.apple.com/kb/PH20348?locale=en_US
This enables a direct transfer from the iPad to the PC, or network storage mapped to the PC such as the P drive or a shared drive. The process must not involve transferring the data to iCloud or any other third-party hosted cloud service. Please see the screenshot below for an example of using iTunes to transfer a PDF from the GoodReader app on an iPad directly to the P Drive using the ‘save to’ button at the bottom right of the screen.
Video Recorders
There are no mass-produced camcorders with built-in encryption capabilities. Therefore, when using a camcorder to record sensitive data, alternative security measures will need to be implemented. The camcorder must be stored in a locked location when not in use. The data must be transferred from any insecure portable media at the end of every recording session or day, whichever is more appropriate, to University storage (see section 3.6 and 3.7). If this is not possible, it must be stored on an encrypted medium until it is possible to move it to University storage. If stored on an unencrypted drive, the video files must be encrypted following University guidance on file encryption, which can be found here. Once the transfer is complete, the videos on the media used in the camcorder, e.g. SD card, must be wiped with a secure deletion utility.
Transfer of data to University of Manchester or External Collaborators
The following tools can be used to transfer data to the University of Manchester or External Collaborators:
- University of Manchester Dropbox Service – Data must be encrypted before storing on the service. Please read the terms and conditions of use of this service at: http://www.itservices.manchester.ac.uk/ourservices/catalogue/commscollab/sec/
- Zendto – Data must be encrypted before sending via Zendto. More information on the Zendto service can be found at: https://zendto.manchester.ac.uk/
Retention and Destruction
Information must be kept in accordance with the University’s Retention Schedule and Research Data Management Plan. Destruction of records must be performed in a secure manner, ensuring that records to be destroyed are transported securely and destroyed completely in a manner that renders the information completely and irreversibly destroyed. Further information regarding disposal of confidential material can be found here.
Incident Reporting
If recordings or transcripts that have not been anonymised are lost, stolen, corrupted or disclosed to, or accessed by, unauthorised persons, it must be reported to the Head of Information Governance as soon as possible in order that appropriate measures can be taken to contain any damage and minimise the harm which might arise.
Contact the Information Governance Office:
Email: infosec@listserv.manchester.ac.uk
Telephone: 0161 275 7789
Data Protection Laws
If you are conducting research in a country outside of the UK, you need to familiarise yourself with the relevant data protection laws of that country. Although these are subject to change, you can find general information about this by visiting https://www.dlapiperdataprotection.com/
Any queries in relation to the data protection laws of individual countries, including whether any special provisions will be needed regarding your research project should be directed to the Information Governance Office. Additional guidance and support on data protection can be found by visiting the Information Governance StaffNet pages.
In the event of a cyber attack
Should I continue to collect personal data for my research project?
You can continue to collect personal data as part of research projects. If personal data are collected on encrypted devices, or in an external system (e.g. e-surveys, Zoom interviews) you should still download this to University of Manchester servers (e.g. RDS), but until the cyber incident has been resolved, you should not delete it from the device or external system to prevent any potential data loss.
When the cyber incident has been resolved in relation to the systems that store research data, you should then delete data from devices and external systems as usual.
What should I tell research participants?
- For studies where data have been collected and there is no ongoing communication with research participants, there is no need to contact research participants unless their data becomes compromised; at that point the appropriate ethics committee should be consulted about contacting the research participants.
- For studies where communication with participants is ongoing, assurances could be given that their data are currently safely stored but that, if that situation changes, they will be informed immediately.
What should I do if I receive a query from a research participant about the cyber incident?
Any queries/concerns raised by research participants who have heard about the cyber-attack should be responded to. There are several different situations, and example texts are provided for each below. You should request to keep their contact details on file so that you can contact them again if necessary:
1. Personal data is no longer being held by the University, is minimal or is safely encrypted
“As far as we know at the moment the University systems holding research data have not been affected by the incident. In relation to the research project you participate(d) in, I am able to reassure you that we no longer hold your personal data. All the data has been fully anonymised and cannot be linked to you.”
or
“As far as we know at the moment the University systems holding research data have not been affected by the incident. In relation to the research project you participate(d) in, I am able to reassure you the only personal data we hold about you is your contact details and consent forms. This is separated from the research data and cannot be linked.”
or
“As far as we know at the moment the University systems holding research data have not been affected by the incident. In relation to the research project you participate(d) in, I am able to reassure you that all the files that contain your personal data are encrypted and the encryption key is kept separate to these files.”
2. Pseudonymised data is being held by the University
“As far as we know at the moment the University systems holding research data have not been affected by the incident. In relation to the project you participate(d) in the data that we hold is pseudonymised. This means that the link between your data and your personal identifiers (e.g. name) is through a unique code number. The data file and the file with personal identifiers are kept separate and the personal identifier file has been encrypted, so that it is not readable by anyone who does not have the encryption key. The encryption key is also kept separate.”
3. Personal data is being held by the University
“As far as we know at the moment the University systems holding research data have not been affected by the incident and the personal data we hold about you remains secure. There is an ongoing investigation and should this situation change I will inform you immediately.”
Guidance for Students
Data Collection
- When planning what personal information you will collect as part of your research study, please ensure you only collect what is essential in order to answer your research question or describe your participants as part of any research outputs. You should refrain from collecting unnecessary demographic information (e.g. annual income, marital status, ethnicity, etc) unless it aims to answer a specific part of your study and has been approved by the ethics committee.
- Audio/video recordings and photographs should be collected on encrypted devices or those which use encrypted cards. These devices can be those you own personally as long as they conform to all University expectations and requirements (see here for more information) and any cloud back-up connection has been disabled.
- Once data has been collected, it should be transferred to a secure University server as soon as possible and deleted from the portable device/card.
- If you wish to use WhatsApp for the collection of personal information for your study (e.g. asking participants to answer questions/send video diaries) you will need to speak with the Information Governance Office and obtain approval. Please remember to attach a copy of the IGO’s approval to your ethics application for ease of review.
Ensuring Confidentiality of Participants
- You should anonymise all research data as soon as possible in order to protect the confidentiality of participants.
- If you are not able to anonymise your data immediately (e.g. you need the data to be linked while performing your analysis), please consider pseudonymising the data until your analysis is complete.
- Pseudonymisation is the process of assigning a random ID number to each participant and creating a key (e.g. excel spreadsheet) which contains the name of each participant as well as their ID number. Names of participants are then removed from their research data and replaced with the ID number. The key is encrypted, password protected and stored separately (in a separate physical location) to the research data. The key should be destroyed at the conclusion of your project unless otherwise required (e.g. for longitudinal work undertaken by your supervisor).
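The pseudonymisation steps described above, as an added Python example (not University-provided code). The column names, the `P` + 8 hex character ID format and the sample rows are assumptions constructed for illustration; the key it produces still has to be encrypted, password protected and stored separately as the guidance requires, which this code does not do. It also flags names that survive in free-text fields, a common way for pseudonymised data to remain identifiable.

```python
import csv
import io
import secrets

# Constructed sample data, not real participants.
SAMPLE_CSV = """name,age_band,response
Alice Example,25-34,I spoke to my manager about it.
Bob Sample,35-44,Alice Example told me about the study.
Alice Example,25-34,Second interview went well.
"""


def new_participant_id(used_ids):
    """Return a random ID that reveals nothing about the person or row order."""
    while True:
        pid = "P" + secrets.token_hex(4).upper()
        if pid not in used_ids:
            return pid


def pseudonymise(rows, name_field="name"):
    """Split rows into (research_rows, key_rows).

    research_rows carry a random 'id' in place of the name.
    key_rows map id -> name and are the only place a name is kept.
    """
    id_for = {}      # case-folded name -> participant ID
    display = {}     # participant ID -> name as first seen
    research_rows = []
    for row in rows:
        name = row[name_field].strip()
        lookup = name.casefold()  # same person, different capitalisation
        if lookup not in id_for:
            pid = new_participant_id(display)
            id_for[lookup] = pid
            display[pid] = name
        cleaned = {k: v for k, v in row.items() if k != name_field}
        research_rows.append({"id": id_for[lookup], **cleaned})
    key_rows = [{"id": pid, "name": name} for pid, name in display.items()]
    return research_rows, key_rows


def residual_names(research_rows, key_rows):
    """List (row id, field, name) where a participant name is still present
    in the research data, for example inside a free-text answer."""
    hits = []
    for row in research_rows:
        for field, value in row.items():
            if field == "id":
                continue
            for key in key_rows:
                if key["name"].casefold() in str(value).casefold():
                    hits.append((row["id"], field, key["name"]))
    return hits


def demo():
    rows = list(csv.DictReader(io.StringIO(SAMPLE_CSV)))
    research, key = pseudonymise(rows)
    return research, key, residual_names(research, key)


if __name__ == "__main__":
    research, key, leaks = demo()
    for row in research:
        print(row)
    print("Names still present in research data:", leaks)
```

Any row reported by `residual_names` needs manual redaction before the research data can be treated as pseudonymised.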
Analysis
- When analysing your data, it’s best practice to access the data directly from University servers. This can include working on data stored on your OneDrive or Sharepoint via your laptop.
- If this is not possible, please use an encrypted device to perform the analysis.
- Analysis, including transcription, should be done in a private space where others are not able to see or hear any of the information you are accessing.
Storage
- Paper data (e.g. consent forms) needs to be stored in a secure place that only the research team have access to (e.g. a locked cabinet in a University office on campus). Data should not be stored at personal residences.
- Please consider whether it is appropriate to digitise your paper data in order to facilitate more secure storage (e.g. digitising records of consent).
- Electronic data needs to be stored on University servers, the research drive of your supervisor or a University approved cloud service (e.g. OneDrive or SharePoint)
- As a general rule, please do not use external hard drives, USB sticks or other portable devices to store personal identifiable data as they can be lost or stolen. If you need to use one of these devices due to size limitations (e.g. large video files) or transfer challenges (e.g. working abroad with no connection to University servers), please seek advice from your supervisor or Programme Director as the device/card would need to be encrypted.
- Research data should be kept for the time period as specified in the Records Retention Schedule. Usually this is 1 year past submission of the dissertation for UG and PGT students and 5 years for PGR students. Please ensure this is the same period you list in your ethics application and Data Management Plan (if you are using a DMP).
- Personal data (e.g. contact details) should be deleted as soon as they are no longer required. If you are retaining contact details in order to contact participants about future projects or sharing the findings from your study, these should be stored in a separate, password protected file on a University server or approved cloud service.