Data storage and data security
Whether you are collecting new data or accessing existing data, you need to consider:
- how data will be stored;
- who will have access to the data; and
- how they will be able to access data.
Remember, research ethics is all about unanticipated events - so you need to plan for unexpected and undesirable events (like leaving a bag on a train, or losing a USB stick). What systems can you put in place to protect your participants, yourself and your institution if something like that happens?
For example, losing a USB stick that contains anonymised data is problematic, but it is less problematic if the stick is securely password protected. But what if the USB stick contained participant contact details or other personal or identifiable information? How secure would it need to be? Could you ensure that?
Your planning should take account of what you need to do with hard copies (such as paper notes of interviews), computer files with anonymised data that are not identifiable, and computer files with personal or identifiable data.
Hard copies such as interview notes, prints of photographs, or video or audio tapes need to be kept securely locked away - for example in a locked filing cabinet that can only be accessed by agreed members of the research team. Ask yourself:
- Who needs to have access to hard data?
- Will these data be anonymised before they are stored? If not, why not?
- Will these data be stored separately from personally identifying data?
- Where will the key be stored?
- Could anyone who should not have access find it and access the data?
- How will you deal with hard copies in the period between data collection and data storage?
Files - including computer files - that contain personal or identifiable data (such as names) come under the terms of the Data Protection Act. These files need to be encrypted or password protected, and only accessed by agreed members of the team. Particular care needs to be taken if you are sharing files within the research team - e.g. on shared computer drives, or by email - or if you are transferring personal data beyond the research team (e.g. if a gatekeeper is giving you a list of contacts).
If your research involves data that comes under the remit of the Data Protection Act - and most research does - then it is a good idea to check with the Data Protection Officer in your organisation, to see if there are any standard protocols you should be following.
Computer files containing anonymised data still need to be held securely, and can only be shared according to the terms of your consent from participants. Thus - for example - you need to get prior consent from participants if you plan to archive data for use by other researchers. Anonymising data is more complicated than simply assigning an ID number or pseudonym - see our section on anonymising data.
To ensure that anonymised or personal data are only accessible to those that have been agreed (such as your immediate team) you may need help to set up additional security systems. Consider the following example:
A research team is conducting a mixed methods study, collecting quantitative and qualitative data from elderly participants in residential care. The study is concerned with the effect that physical exercise has on their health, and so is collecting biomedical data (e.g., blood pressure, cortisol levels) as well as conducting in-depth interviews about participants' day-to-day lives. So the team has a number of data sets: personal information about participants, and where they live; quantitative data from biomedical tests; and digital audio-recordings and transcripts of interviews. These data give rise to two key considerations:
1. Data should be accessible to team members, but no one else. The team work across two institutions; both have computer servers with shared drives that are accessible to all staff within the institution. The researchers need to set up secure systems (a) to ensure that other staff within their institutions cannot access their data via the shared staff drives, and (b) to ensure secure data transfer between institutions.
2. Different data files need to be linkable, but they need to be held separately, so that they can only be linked purposely, by researchers who are authorised to do so. There is also a need to ensure that data cannot be removed from secure systems in ways that might compromise data security. For example, if anonymised data sets might become identifiable in combination, they should not be downloaded onto the same USB stick - what if it was lost, and found or misused by someone else?
However simple or complex your data set, think about what you might need to do to ensure that your management of the data respects the terms of your consent, and in particular, the confidentiality and anonymity that participants were promised.
Take advice from relevant staff in your institution. Your Data Protection manager can advise you on protocols for handling personal data. Your computing or information services department should be able to advise you on setting up secure databases for the different forms of data that will be generated by your research.
As with everything in this guidebook, the earlier you can start to think about these issues, the better. When you are preparing your research proposal, you need to plan for data management - this is a requirement for ESRC applications, and increasingly for other funders. If your work will generate complex or sensitive datasets, you may need to plan and cost some time for a database manager or information specialist to develop and manage the systems that you need to keep your data secure.
Do you have suitable arrangements in place for archiving data? Before you access or collect your data, you should check with your institution what requirements they have in place for data storage, and what facilities are available (e.g. for data archiving).