What counts as sensitive data?
Sensitive data can refer to:
- any data that could be used to identify an individual, also termed personal data
- commercially sensitive data, including data produced under a restrictive commercial funding agreement
- ecological or environmental data, the release of which may have an adverse effect on rare or endangered species of plants or animals
- data relating to national security/defence
- data that, if released, is likely to cause harm to any individual or community or will have significant negative public impact.
Tips for managing sensitive data
- Only collect as much sensitive or personal information as needed for your research project.
- Data that contains personal or sensitive information should be treated with higher levels of security than non-sensitive data.
- Copies of personal data should be kept to a minimum in order to reduce risk of disclosure or unauthorised access.
- Where possible, identifiable data should be anonymised. The GDPR does not apply to anonymised data, but best practice for handling sensitive data should still be followed. The UK Data Service have published guidance on anonymising quantitative and qualitative data.
- If data have been pseudonymised (i.e. where information that identifies an individual is replaced by a code), the code key should be kept in a separate location.
- Any sensitive data stored on portable media or personal devices should be password protected or encrypted.
- Access to devices, files or servers containing sensitive or personal data should be responsibly managed and regularly reviewed.
- Always transfer sensitive or confidential data securely (see Sharing files).
- A plan for the timely and necessary deletion of personal information should be put together at the start of any project and included in your data management plan. Imperial ICT can be consulted about methods for ensuring permanent deletion of sensitive information.
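The pseudonymisation tip above, worked through as an added example (not part of the original guidance): identifying columns are replaced by a random code, and the code key comes out as a separate file to be stored in a different location from the research data. The sample records, the column names and the `participant_code` field are constructed for illustration.

```python
import csv
import io
import secrets

# Constructed sample data (not from the original page).
SAMPLE_CSV = """name,email,visit,score
Ana Ruiz,ana@example.org,1,42
Ben Okoro,ben@example.org,1,37
Ana Ruiz,ana@example.org,2,45
"""

def pseudonymise(rows, id_fields, code_field="participant_code"):
    """Replace the identifying columns with a random code.

    Returns (research_rows, code_key). The code is random rather than
    derived from the identifier, so it cannot be reversed without the key.
    """
    code_key = {}       # identifier tuple -> code; this is the "code key"
    research_rows = []
    for row in rows:
        ident = tuple(row[f].strip() for f in id_fields)
        if ident not in code_key:
            code = "P-" + secrets.token_hex(4)
            while code in code_key.values():   # avoid the rare collision
                code = "P-" + secrets.token_hex(4)
            code_key[ident] = code
        # Keep only the non-identifying columns, so the same person has
        # the same code on every row but no name or email remains.
        kept = {k: v for k, v in row.items() if k not in id_fields}
        research_rows.append({code_field: code_key[ident], **kept})
    return research_rows, code_key

def to_csv(dict_rows):
    """Serialise a list of dicts to CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(dict_rows[0]))
    writer.writeheader()
    writer.writerows(dict_rows)
    return out.getvalue()

def run_example():
    rows = list(csv.DictReader(io.StringIO(SAMPLE_CSV)))
    research_rows, code_key = pseudonymise(rows, ["name", "email"])
    key_rows = [{"participant_code": c, "name": i[0], "email": i[1]}
                for i, c in code_key.items()]
    # Two outputs for two locations: the research file goes to the working
    # area, the key file to separate storage with its own access control.
    return to_csv(research_rows), to_csv(key_rows)
```

The remaining columns can still identify someone in combination, so pseudonymised data continues to be handled as personal data.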
Additional support
Data storage and security
For further information about data storage and security, see the Imperial ICT web guidance on keeping your files and data safe and saving my files, or contact ICT Security.
Data protection and the GDPR
For advice on how to manage research data in compliance with the GDPR and UK Data Protection Act visit the Information Governance team’s web pages on use of personal data in research or contact your faculty data protection coordinator.
For advice on managing health data and patient identifiable information visit the Faculty of Medicine’s Information Governance SharePoint site.