Managing personal data
This page is only relevant if you are collecting or using personal data, e.g. from studies with human participants. If you are collecting personal data, you will also need to seek ethical approval for your research and include a summary of how you will manage personal data in your DMP.
What is personal (and sensitive personal) data?
If you are collecting personal data (including sensitive personal data), it must be processed in compliance with the General Data Protection Regulation (GDPR). (See the Data Protection Policy for more details.) You need to pay particular attention to the secure storage of personal data and ensure confidentiality will be maintained.
Personal data is data which identifies individual participants, whether by name or another identifier, such as an ID number, IP address, or by particular circumstances relating to that individual. If you can tell from your data which measurements, responses, observations, etc., came from which participant, then you are processing personal data. Consent forms also count as personal data. Also, please be aware that some data collection instruments (e.g. surveys) allow participants to be identified by their IP address and hence also count as personal data.
A subset of personal data is “special categories of personal data” (previously referred to as "sensitive personal data"), which relates to areas including ethnicity, religion, sexuality, trade union membership, political views, mental and physical health, genetic and biometric data that is processed for the purpose of uniquely identifying an individual.
Please be aware that even if participants aren’t actually named, it still counts as personal (or sensitive personal) data if it’s possible to deduce their identity. For example, if a survey didn’t collect people's names but did collect job titles and company names, then it’s likely this would include personal data because (in some cases at least) you could work out which responses came from which people by their job titles.
Data can be linked-anonymised (pseudonymised). This means that a participant's identity is held in a separate document from their responses / observations, and the two documents are only linked via a 'key' (e.g. participant names are replaced with numbers and only the 'key' document links the participant name with their number). Under the GDPR pseudonymised data counts as personal data (or special categories of personal data) and must be treated as such.
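The linked-anonymised split described above, combined with a check for the job-title problem from the preceding paragraph, as an added example that is not part of the original guidance. The field names, sample records, participant-number format and the threshold `k` are constructed for illustration.

```python
import secrets
from collections import Counter

# Constructed sample survey responses (not real data); field names are assumptions.
RESPONSES = [
    {"name": "Alice Example", "job_title": "Lecturer", "company": "Acme Ltd", "answer": 4},
    {"name": "Bob Example", "job_title": "Lecturer", "company": "Acme Ltd", "answer": 2},
    {"name": "Carol Example", "job_title": "Finance Director", "company": "Acme Ltd", "answer": 5},
]


def new_participant_number(used):
    """Draw a random 8-digit number that is not already in use."""
    while True:
        pid = f"P{secrets.randbelow(10**8):08d}"
        if pid not in used:
            return pid


def pseudonymise(records, id_field="name"):
    """Split records into a key (identity -> number) and linked-anonymised rows."""
    key, rows = {}, []
    for rec in records:
        identity = rec[id_field]
        if identity not in key:
            # Random rather than sequential, so the number reveals no enrolment order.
            key[identity] = new_participant_number(set(key.values()))
        row = {k: v for k, v in rec.items() if k != id_field}
        row["participant"] = key[identity]
        rows.append(row)
    return key, rows


def identifying_combinations(rows, fields, k=2):
    """Return combinations of field values held by fewer than k participants."""
    seen = {(tuple(r[f] for f in fields), r["participant"]) for r in rows}
    counts = Counter(combo for combo, _ in seen)
    return sorted(combo for combo, n in counts.items() if n < k)


if __name__ == "__main__":
    key, rows = pseudonymise(RESPONSES)
    # Store `key` in a separate, access-restricted location from `rows`.
    print(rows)
    # Rows whose job title and company single out one person remain identifiable.
    print(identifying_combinations(rows, ["job_title", "company"]))
```

Here the "Finance Director" row is flagged because only one participant holds that job title at that company, so removing the name alone does not hide who gave the response.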
The GDPR requires that personal data should only be kept (see below for information on how to store it) in an identifiable form for as long as necessary, and that, where possible, the data is anonymised as soon as feasible.
Once the data has been anonymised, it no longer falls within the requirements of the GDPR.
How do I store personal (and sensitive personal) data?
When it is necessary to retain the data in an identifiable format, e.g. if there is a need to maintain contact with the participant or to keep a record of the individual’s participation in case of any later enquiry or complaint, it must be stored securely in accordance with the GDPR. (See above information on personal data.)
The University provides storage facilities that can be configured to comply with the DPA and GDPR’s requirements for storing both personal and sensitive personal data, i.e. the storage meets the GDPR’s ‘safeguards’ required to store and process personal data. Therefore, you MUST use one of the storage facilities outlined in the next section.
The main difference between storing personal and sensitive personal data is the access control. When storing personal data it may be appropriate for all members of the project team to see all of the data, but with sensitive personal data (depending on the nature of the research) access to the data must be restricted to only those who need to see it - for example, the researcher rather than the administrator.
For further information, you may like to read the GDPR articles 89, 5, 9 and 14, and recitals 156-162.