Security

Ensuring data security requires attention to physical security, network security, and the security of computer systems and files to prevent unauthorised access or unwanted changes to data, disclosure, or destruction.

Data security arrangements need to be proportionate to the nature of the data and the risks involved. Attention to security is also important when data files are to be destroyed.

Security strategy overview

  • Apply stricter security for personal, sensitive, or confidential data.
  • Control physical access to rooms, devices, and printed materials.
  • Encrypt files before storing or sharing, especially when transmitting online.
  • Separate directly identifiable data (e.g. names) from research data and store securely.
  • Keep systems updated with firewalls, antivirus software, and patches.
  • Use password protection and permission controls for digital files and folders.
  • Avoid using general-purpose cloud file-sharing tools for personal data.
  • Only share sensitive data via secure transfer methods approved by your institution.
  • Include non-disclosure agreements for anyone handling confidential data.
  • Document who has access, review permissions regularly, and remove access when no longer required.

Personal data considerations

Data that contains personal information or personal data should be treated with higher levels of security than data that does not. Safeguarding of personal data is dictated by data protection legislation. For example, in the UK, the Data Protection Act 2018 states that personal data should only be accessible to authorised persons.

Personal data can be stored in digital files or in a non-digital format, such as patient records, signed consent forms, or interview cover sheets containing names, addresses, and signatures.

Depending on the nature of the personal data, you may need to carry out a Data Protection Impact Assessment (DPIA). The UK GDPR states that you must carry out a DPIA “where a type of processing is likely to result in a high risk to the rights and freedoms of individuals”. You should consult with your organisation’s Data Protection Officer (DPO) for guidance. However, if you are unsure, it is good practice to produce a DPIA for any major project that involves the use of personal data.

Security can be made easier by:

  • Separating data content according to security needs, e.g. you can store participant names and addresses separately from survey files.
  • Encrypting data containing personal information before these are stored or transmitted.
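As an added example that is not part of this guidance, the separation described above in Python: names and addresses go to a key file linked to the survey answers only by a random participant ID, and the key file is written to a separate location with owner-only permissions. The sample records, file names and temporary directories are constructed stand-ins for real identifier and data stores.

```python
import csv
import os
import secrets
import tempfile

# Constructed sample responses: identifiers and survey answers in one record.
SAMPLE_RECORDS = [
    {"name": "A. Example", "address": "1 Sample St", "q1": "yes", "q2": "3"},
    {"name": "B. Example", "address": "2 Sample Rd", "q1": "no", "q2": "5"},
]
IDENTIFYING_FIELDS = ("name", "address")


def split_identifiers(records, identifying_fields=IDENTIFYING_FIELDS):
    """Return (key_rows, data_rows). The key rows link a random participant ID to
    the identifiers; the data rows carry only the ID and the research variables."""
    key_rows, data_rows = [], []
    for rec in records:
        # A random token, not a hash of the name: hashed names can be recovered
        # by guessing, which would defeat the separation.
        pid = secrets.token_hex(8)
        key_rows.append({"participant_id": pid,
                         **{f: rec[f] for f in identifying_fields}})
        data_rows.append({"participant_id": pid,
                          **{k: v for k, v in rec.items() if k not in identifying_fields}})
    return key_rows, data_rows


def write_csv(path, rows, mode):
    """Write rows as CSV and set the file mode (e.g. 0o600 = owner only)."""
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0]))
        writer.writeheader()
        writer.writerows(rows)
    os.chmod(path, mode)
    return path


def is_owner_only(path):
    """True when no group/other permission bits are set on the file."""
    return os.stat(path).st_mode & 0o077 == 0


def demo(records=SAMPLE_RECORDS):
    """Split the records into two files in separate directories; returns both paths."""
    key_dir, data_dir = tempfile.mkdtemp(), tempfile.mkdtemp()  # stand-ins for separate stores
    key_rows, data_rows = split_identifiers(records)
    key_path = write_csv(os.path.join(key_dir, "identifier_key.csv"), key_rows, 0o600)  # 'administrator only'
    data_path = write_csv(os.path.join(data_dir, "survey_data.csv"), data_rows, 0o640)  # 'read only' for the group
    return key_path, data_path
```

Calling `demo()` writes the two files and returns their paths; the identifier key file should additionally be encrypted before it is stored or transmitted, as the list above requires.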

Physical data security includes:

  • Controlling access to rooms and buildings where data, computers or media are held.
  • Logging the removal of, and access to, media or hardcopy material in storerooms.
  • Transporting sensitive data only under exceptional circumstances, even for repair purposes. For example, giving a failed hard drive containing sensitive data to a computer manufacturer may breach security.

Network security means:

  • Not storing confidential data, such as data containing personal information or personal data, on servers or computers connected to an external network, particularly servers that host internet services.
  • Firewall protection, security-related upgrades and patches to operating systems to avoid viruses, trojans and malicious code.

Security of computer systems and files may include:

  • Locking computer systems with a password and installing a firewall system.
  • Implementing password protection of, and controlled access to, individual data files, for example, allocating ‘no access’, ‘read only’, ‘read and write’ or ‘administrator only’ permissions.
  • Controlling access to restricted files or storage areas by encrypting them.
  • Imposing non-disclosure agreements for those that have access to confidential data.
  • Not sending personal or confidential data via email; such data should be encrypted and transferred by a secure means instead.
  • Destroying data in a consistent and robust manner when needed.
  • Protecting servers against power surges and outages with a line-interactive uninterruptible power supply (UPS).
  • Remembering that online file-sharing services may not be suitable for confidential data.

Data security and cloud storage

Cloud-based storage is easy to use, but not necessarily permanent or secure.

Cloud-based storage is usually overseas and, therefore, not subject to UK law. Consequently, its use could be in violation of the UK Data Protection Act 2018 and/or the UK General Data Protection Regulation, which require that personal and sensitive data should not be transferred to other countries without adequate protection.

Cloud data storage should not be used for high-risk information, such as files that contain personal or sensitive information or that have a very high intellectual property or commercial value. While file encryption safeguards data files to a certain degree, it does not negate the requirements of the DPA.

Alternatives are secure File Transfer Protocol (SFTP) servers, secure content management systems set up and controlled by an institution or secure workspaces. See our guidance on file sharing.