Working with sensitive data

For the purpose of research data management, the following is regarded as 'sensitive data'

research data containing personal identifying information, all of which is subject to the General Data Protection Regulation (GDPR)
confidential data, including data for which a commercial funding agreement restricts publication
ecological data, where its release may adversely affect rare or endangered species of plants or animals
data likely to harm an individual or community, or have a significant negative public impact, if released.

Researchers whose research involves working with human subjects or animals should also familiarise themselves with the University's guidelines on research involving humans and research involving animals as well as the University's guidelines on data protection.

Additional detailed guidance from the data protection officer relating to GDPR and the storage of relevant data is available on the ethical application pages.

Working with sensitive data has legal and ethical implications for collecting, storing, sharing and archiving this data. This results in a number of obligations for researchers involved in this work, who must:
- observe the duty of confidentiality
- obtain informed consent for information sharing from participants
- appropriately assess which information can be disclosed
- choose a storage medium that satisfies security requirements for the data
- employ anonymisation and access control where appropriate
- pay special attention to data security and legal and ethical obligations when working with sensitive data.
You should also consult the University's research data protection guidance for detailed information about the use of ICT devices for research data involving human participants and managing participants rights and the interests of researchers.

These aspects should be considered at the stage of planning for data and be covered in ethical applications and when writing a data management plan.

Data legislation

If you handle personal information about individuals, you have a number of legal obligations to protect that information under the Data Protection Act 2018 (The Act) and the General Data Protection Regulation (GDPR). The Act gives individuals certain rights and imposes obligations on those who record and use personal information to be open about how information is used. There are six data protection principles concerning how personal data should be managed. Data should be:
- processed fairly and lawfully
- obtained for specified and lawful purposes
- adequate, relevant and not excessive
- accurate and, where necessary, kept up-to-date
- not kept for longer than necessary
- kept and processed in a secure manner.
Lawful bases under which researchers can obtain personal data include:
- collection is based on consent by the data subject,
- collection is necessary for the performance of a contract,
- there is a legal obligation placed upon the data controller to collect the data,
- collection is necessary to protect vital interests of the data subject or another natural person,
- collection is carried out in the public interest or in the exercise of official authority,
- the data controller has a legitimate interest to collect the data.
For further information, please see the University's guidance on data protection and the General Data Protection Regulation. Additional guidance on legal and ethical issues with respect to research data is available from the UK Data Service.
The Freedom of Information (Scotland) Act 2002 (FOI) gives the public a general right of access to information a public authority holds and places an obligation on the authority to provide the information that has been requested, subject to any valid exemptions.

The University of St Andrews has adopted the Single Model Publication Scheme 2013 produced by the Scottish Information Commissioner who is responsible for enforcing the Freedom of Information (Scotland) Act 2002. Your research data may be covered by the terms of the Act.

In circumstances where you think there are legal, ethical or other valid reasons why you shouldn't supply data requested from you, or the request is specifically identified as a FOI request, you should consult the University's Freedom of Information Officer. The legislation requires the University to supply information or a refusal notice within 20 working days from receipt of the request.
You may additionally receive requests for data under Environmental Information (Scotland) Regulations 2004, through which the public can gain access to environmental information held by public authorities. Rules for requests of environmental data are similar to regular FOI requests.

Both FOI and EIR include a number of exemptions and exceptions to protect information such as confidentiality or sensitive data or financially valuable information. If you are concerned, consult the University's Freedom of Information Officer.

Working with sensitive data

Protecting sensitive data

Data legislation

Data protection and research data

Freedom of information and research data

Environmental Information Regulation