Data storage and security while my research project is taking place
While your project is taking place, you’ll need to store your research data securely and protected from loss, unlawful or unethical access.
If you are collecting personal data then please read the previous section first.
If you are interested in archiving your data after your project has completed, then please see Openly sharing and preservation of research data after my research project has finished.
You have a number of options for storing your ‘live’ research data during your project. The aim is to find a flexible solution, which best fits your requirements.
To help with this, and to keep your Service Delivery Manager informed of new project data storage requirements, please access and complete a Research Data Enquiry form.
(Please note, in the rare instances where research involves the handling and storage of illegal material, you must read the Handling Illegal Material advisory (In the IS Advisories -> Governance section towards the bottom of the Inormation Services' Account Security page) before proceeding and contact Information Services on +44 (0)23 9284 7777 or use the Contact IT Support page in the first instance.)
Staff and students have several options:
1. Google Team Drive:
Google Team Drive is easy to access off-campus and is useful when working with external collaborators. (Please note - you must only use the a Google Team Drive associated with your official UoP account.)
Capacity: 20GB. If you are expecting to use/need more than 20GB please contact your Faculty Service Delivery Manager for more information.
Where appropriate the University recommends the use of Google Team Drives for research data storage. External options, such as Dropbox, should only be considered in exceptional circumstances - if you think this is the case please contact IS Service Desk; a Privacy Impact Assessment may be required if personal data is involved.
However, before choosing the Google Team Drive, there are three things that you need to be aware of:-
- It may not be ideal when working with large files (e.g. videos or high resolution images) due to the time needed to download/upload or stream them.
- If you’re storing personal data then it is essential that (in addition to following Steps 1-3) you follow Step 4 in its entirety.
- You’ll need to consider how you’ll ensure that multiple team members aren't working on the same file at the same time. (The exception is if you’re only using Google Docs, as you can edit them online.)
So although Google Team Drive is an extremely useful tool, there may be some specific circumstances where it not may not be practical and you will need to contact your Service Delivery Manager (below) for an alternative.
The steps below explain how to set up and configure a Google Team Drive. If you have any questions, please contact Information Services on +44 (0)23 9284 7777 or use the Contact IT Support page.
Step 1: Create your Team Drive
To set up a Google Team Drive, please follow these instructions.
Step 2: Set up access permissions
You must restrict access to just the project team and monitor who has access. Please follow these instructions.
We are conscious that if the members of a project team leave the university there will no longer be an active data steward, with the possibility of a Project Team Drive being difficult to access. We recommend that all Research Google Team Drives have ownership shared with email@example.com. This purely to ensure that a monitored University account is always connected to the project data. The content will not be viewed unless specifically requested. For example when a Principal Investigator or Project Lead leaves the University.
Step 3 (optional, but recommended): Set up Google Drive File Stream
It is recommended that you also use the ‘add-on’, Google Drive File Stream. Using Google Drive File Stream allows you to stream files from your Google Team Drive, as opposed to manually downloading/uploading files each time you need to work on them. Or in other words, this allows your Google Team Drive to appear as another drive on your computer, much like the K drive.
It also allows you to choose to have a file or folder offline, so you can have access even when not connected to the network (for example when travelling, etc). This downloads a copy to your computer, so you do need to be mindful of the space that this will take up.
To set up Google Drive File Stream, please follow these instructions. Alternatively you can contact Information Services on +44 (0)23 9284 7777 or use the Contact IT Support page and request it to be installed on your PC.
Step 4: Storage of personal data on Google Drive
If your project involves personal data (or any other data deemed to be sensitive or confidential), it is a legal requirement that you must store the data in a manner that meets the requirements of the General Data Protection Regulation (GDPR).
In order to do this, it is the PI’s responsibility (or supervisor in the case of student projects) to ensure that the Google Team Drive is configured in the following way. Please contact Information Services on +44 (0)23 9284 7777 or use the Contact IT Support page if you have any queries:
- You must restrict access to your Google Team Drive to just project team members who need to have access (and have participants’ consent to have access) to the files (Step 2). Please also see the note in the previous section about controlling access further if you’re dealing with sensitive personal (special categories) data. It is essential that you are extremely careful with these ‘access sharing’ settings.
- Please be also aware that any project team member who you grant access to ‘edit’ file and folders in your Google Team Drive will technically be able to share these files and folders onto other people. It is the PI’s responsibility to ensure this does not happen. Therefore, where possible, it is advised that the team members are only given ‘view’ access.
- Where you do download a personal data file (e.g. if you select to work on it offline while using Google Drive File Stream), this will save a local copy to your computer. Therefore, you must also delete the downloaded copy of the data from your device as soon as you’ve finished working on it (e.g. at the end of each day) and empty the Recycle Bin to remove all copies of the document/s from your computer.
- With regards to encrypting files, you must encrypt files that contain sensitive (special category - see above) personal data at all times; both while the files are stored on the Google Team drive and also if you have downloaded a copy to work on. If your files contain personal data (but not sensitive / special category data) then you only need to encrypt them if you have download a copy to work on. You can use Axcrypt encryption software (available via AppsAnywhere).
- You must encrypt the computer/laptop/any other device you are using to access these files. For Windows machines please use BitLocker and use FileVault if you are using a Macs:
BitLocker: Start-> Control Panel->BitLocker Drive Encryption->...follow instructions.
BitLocker To Go (for encrypting portable devices) on the same page.
FileVault: instructions (Gizmodo blog)
- And finally, just to reiterate the point above. You must use a Google Team Drive associated with your University network account, not with any other G Suite account that you may have access to. Each project team member must access the data using their own individual login. You must not create ‘generic’ Gmail logins that multiple people can use, or allow other collaborators to use them.
2. Folder on your department K drive (staff only):
If you are storing files that contain personal data, then you may find the K drive slightly easier work with than a Google Team Drive. This is because the access and sharing permissions are set up for you by IS and centrally controlled. However, IS are also available to help you set up your Google Team Drive, so this isn't a major issue.
- It’s harder (but still possible) to access off campus (instructions).
- Limited storage capacity.
If your project involves personal data (or any other data deemed to be sensitive or confidential), you must put further precautions in place when using the K drive:
- Ensure that your K drive folder is configured (by contacting Information Services on +44 (0)23 9284 7777 or using the Contact IT Support page) to restrict access using a password to just the project team. Please see the note in Managing personal data about further access control if you’re dealing with sensitive personal (special categories) data. You must not save local copies of files containing personal data to your own computer / laptop / device.
3. Folder on your department N drive (students only):
If you are storing files that contain personal data, then you may find the N drive slightly easier work with than a Google Drive. This is because the access and sharing permissions are set up for you by IS and centrally controlled. However, IS are also available to help you set up your Google Drive, so this isn't a major issue.
It’s harder (but still possible) to access off campus (instructions).
(Staff should not use their N drive to store research data as it creates issues for sharing data with other team members and issues when members of staff leave.)
Please contact your Service Delivery Manager (SDM) if the storage options listed above do not meet your needs. They will be able to advise you on the most suitable storage solution for your research project. Please ensure that your Head of Department (or supervisor if you’re a PhD student) has agreed that your project can take place before contacting your SDM. Also, please be aware that there maybe a cost involved if you require a very large amount of storage.
As noted at the top of this section please access and complete a Research Data Enquiry form.
Contact details for the Service Delivery Managers:
Faculty of Science - firstname.lastname@example.org
Faculty of Humanities and Social Science - email@example.com
Faculty of Technology - firstname.lastname@example.org
Faculty of Business and Law - email@example.com
Faculty of Creative and Cultural Industries - firstname.lastname@example.org
USB sticks, external hard drives and similar
The use of unencrypted portable devices (e.g. laptops, memory sticks, portable hard drives, DVDs) to store any data (including personal data), even for temporary storage, is not permitted for staff or students. Although staff and students can purchased encrypted devices, if an encrypted device fails then the data will be irretrievably lost. Therefore, the use of encrypted portable devices (e.g. external hard drives, USB sticks) should only be used for temporary storage when absolutely necessary (e.g. during fieldwork) and the data must be transferred to network storage/Google Team Drive at the earliest opportunity.
Transferring personal data via email
If you follow the instructions above for storing personal (and personal sensitive) data, then you shouldn't need to send personal (or personal sensitive data) via email. However, if you must send personal data by email, then you MUST send the data as an encrypted attachment (i.e. not in the email text itself). Please review the Information Security advisory on 'Transferring Restricted Data by Email' (found under the Information section in the IS Advisories listed at the bottom of the page). Seek advice from Information Services if you are not fully confident with the process and obtain the approval of management, beforehand. Encryption utilities are built into the Microsoft Office products or the Axcrypt encryption software is available on the University network. The UK Data Service has further information on encryption in general.
All paper records which contain personal data, including consent forms, must also be stored securely. In reality, this means storing the paper records in a lockable filing cabinet. When dealing with sensitive personal data, the filing cabinet must not be unlocked until the data is required, and the data returned as soon as it is not needed. Sensitive personal data must not be left unattended on a desk. Only those members of the project team who have permission and need to access the sensitive personal data should be given physical access to the filing cabinet.