Confidentiality and data protection

It is crucial that researchers respect the confidentiality of, and data provided by, their participants in an ethically and legally appropriate manner. This means thinking about how to safely and appropriately store and manage participants' data before any data is collected.

This page details the key information for researchers to consider in relation to participant data.

Other sources of information relating to collecting and managing research data include:

The ethics guidance pages - these include information on specific research methods.
The research data management pages - these cover relevant policies such as the University's research data management policy, and give guidance and contacts for planning and managing research data including how to create a data management plan.

No matter what type of data you collect, it is always important that your participant information sheet (PIS) (Word) and consent form (Word) provide clear and consistent information to participants about their data and offer them an appropriate right to withdraw data, and that this information is consistent with what is written in your ethical review application form (Word).

If you're working with existing or secondary datasets consider the guidance on the ethics topic Secondary data.

If personal data relating to research participants have been lost, stolen, or accidentally deleted, researchers must contact dataprot@st-andrews.ac.uk immediately as the law requires that the University record such instances.

It is critical that these definitions are used strictly in participant documents and the ethical application form. In particular, take care to note the distinction between 'anonymised' data and 'pseudonymised' data, and only use the terms 'anonymous' or 'anonymised' when the data conform to the specific definition below.

Personal data is information relating to natural living persons who: can be identified directly from the information in question; or who can be indirectly identified from that information in combination with other information. Personal data include the following:
- Special category data is personal data relating to race, ethnic origin, politics, religion or philosophical beliefs, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, or sexual orientation.
- Fully identifiable data is personal data that can be directly linked to an individual.
- Pseudonymised data is personal data that can be indirectly linked to an individual using a ‘key’ or other form of 'code' used by the researcher i.e. the researcher would always be able to re-link the data and reveal the identity of the participant.
Anonymised data is data that cannot be linked to a living individual using any reasonable means (this means that there is a realistic and significant risk that a third party could link the data to an individual, considering the information available to a third party, and the effort and resource they would require to make the link); it is not defined as personal data.

Consent forms do contain personal data and must be securely retained for the lifetime of the research. However, applicants should answer no to question 29 on the application form if the only personal data being collected in the project is that which appears on the consent forms.

The Information Commissioners Office (ICO) provides some useful information on these definitions in relation to GDPR including a summary of 'what is personal data', which may help if you are still unsure.
Researchers should identify, and take as soon as possible, any opportunities they have to convert their data into an anonymised form and permanently delete any fully identifiable data. This means that the data is then outside the scope of the data protection laws and the safety of individuals (i.e. against breach of privacy) can be guaranteed.

If anonymisation is not possible for practical reasons or for the needs of the research, researchers should identify, and take as soon as possible, any opportunities they have to convert their data into a pseudonymised form and permanently delete any fully identifiable data.

Care should be taken with the storage of pseudonymised data - researchers should consult the rest of the information on this page on the secure storage of data.
Personal data collected in a focus-group setting will always be re-identifiable by those who were present at the focus group, including the researcher themselves. However, for the researcher, data protection legislation applies to only the information captured and kept by the researcher, not that which happens to be stored in the memories of the participants. Therefore, the fact that participants could reidentify each other does not preclude the researcher from anonymising or pseudonymising the data they captured, and describing that data as having been anonymised or pseudonymised.

Nonetheless, it is good practice when holding focus groups to use the Chatham House rule ("information disclosed during a meeting may be reported by those present, but the source of that information may not be explicitly or implicitly identified"), and explicitly state this expectation to participants at the start of the focus group and in the participant information sheet.

Researchers conducting focus groups should note that participants withdrawing data may adversely impact the integrity of the data for the entire focus group i.e. by removing context behind other participants’ responses. Researchers are therefore encouraged to consider this when forming their ‘right to withdraw’ statement in the Participant Information Sheet
The best place to store research data is on the University Home Drive or OneDrive when accessed via Office365 and using University credentials, see the section on secure storage.

Both the Home Drive and OneDrive can be accessed remotely and while away from the University. IT Services have guidance on how to access Office365 and the Home Drive remotely.

If researchers need to transfer files securely while away from the University and with no access to encryption, they can set up a OneDrive folder in Office 365 via their University credentials and share that folder with edit permissions with the third party. They can then via email and the internet upload files, unencrypted. The files are encrypted when placed into OneDrive meaning end to end secure file transfer is possible. This process can also be used to allow another person, such as a research collaborator, to securely transfer data to a researcher.
The following guidance relates to pseudonymised or identifiable data held personally or locally by researchers. There are no limitations on retention of robustly anonymised data.

This guidance is not intended to exclude or discourage sharing or archiving of data, such as with a data repository or archive (see the section on ‘data sharing’ below).

Staff and postgraduate research students should retain data subject to periodic review (normally 10 years from the point of last access). If a postgraduate research student or staff member leaves academia, they should transfer the data into the ownership of the most appropriate staff member (e.g. a PhD supervisor).

Example statement for ethical application form:

The data will be retained by [indicate who will retain the data] in [indicate the form in which the data will be retained - identifiable, pseudonymous, anonymous] and its deletion will be subject to periodic review [indicate how often the periodic review will occur - normally '10 years from the point of last access']

Undergraduate and postgraduate taught students should delete their data after they have fully completed (including scope for appeal) any assignment for which the data will be used. However, if the data is to be of value for a larger or ongoing project, they should transfer the data into the ownership of the most appropriate staff member (for example, a project supervisor).

Example statements for ethical application form:

The data will be retained until I have fully completed (including any grading and appeal process) the assignment that this data will be used for, and then deleted.

or

The data will be retained by [indicate who will retain the data] in [indicate the form in which the data will be retained - identifiable, pseudonymous, anonymous] and its deletion will be subject to periodic review [indicate how often the periodic review will occur - normally '10 years from the point of last access']
If your project requires that personal data will be passed to a third party i.e. an individual (someone who is not employed by or a student at the University) or organisation that is based outside the European Economic Area (EEA), please contact dataprot@st-andrews.ac.uk for advice before making any transfers, as it may be necessary to put in place a series of steps to ensure that the transfer of personal data is lawful. University students and/or staff making use of personal data for University work, when outside the EEA, must continue to handle that data in line with UK and European data protection laws.

If your project requires that personal data will be brought into the UK from individuals or organisations based outside the EEA, you must handle that data in line with UK and European data protection laws, i.e. as if you had collected it here in the UK as part of your study.

If an individual located at the University needs to give an individual located outside the EEA access to personal data collected as part of a research project, and where both are staff or students at the University, e.g. where project data is to be reviewed by a student’s supervisor, the rules for personal data transfer outside the EEA do not apply, as those data remain protected by the provisions of UK data protection laws. Personal data should only be transferred where necessary, if data can be pseudonymised then it should be transferred in ‘coded’ form. Where possible data should be stored on the University network and accessed remotely via the University’s VPN facility or accessed from a University approved Cloud service such as Microsoft OneDrive (accessed using University credentials).
Researchers should consider institutional, funder and publisher policies before deciding on their approach to sharing data arising from their study.

Think about these well in advance and when planning a project to ‘future proof’ against how you may need to use the data later. For example, it is crucial that researchers produce a participant information sheet and consent form that will allow them to publish, share or archive the data as required.

Where personal data will be shared with other institutions or agencies for research purposes, a data sharing agreement may need to be drafted and put in place. Please contact dataprot@st-andrews.ac.uk for guidance.

For more information on managing and planning to manage research data visit the research data management page.

Confidentiality and data protection

Definitions

Minimisation of data

Pseudonymisation and anonymisation of data

Pseudonymisation and anonymisation of data: focus groups

Secure storage of data

Transferring data into the University from elsewhere

Data retention and destruction

International data transfers

Data sharing