Data security

An important aspect of assessing the sensitivity and value of data and of deciding on the necessary steps to take is to correctly classify the data. The classification given to information and the associated protective marking label that is applied is a shorthand way of signalling how information is to be handled and protected.

The University's IT services provide guidance on how to classify information and store data containing sensitive and confidential information through its information classification policy. The guidance is in this case tailored to the University's administrative data, but it also serves as a reference for the case of research data.

The UK Data Service provide further information and guidance about legal and ethical considerations and secure storage and disposal.

For additional information on research ethics at the University of St Andrews, see working with sensitive data and the University's guidance on ethical issues in research involving humans.

Steps towards data security

Researchers have a duty to assess the sensitivity and value of the data they create and use in their research and to take appropriate measures to ensure its confidentiality, integrity and availability. Such steps may include:

  • Choosing appropriate storage
    It is recommended to use the University's central file store for the storage of sensitive data. The University's OneDrive for Business may be suitable for the storage of some data. However, it is not recommended to use cloud storage solutions such as Google Drive, Dropbox or iCloud. See also file storage options.
  • Anonymisation
    Anonymisation is necessary prior to data sharing or archiving to minimise the potential that individuals, organisations or businesses who are part of, or the subject of, a research project may be identified.
  • Access control
    Regulating access to data and what potential users are able to do with it can be achieved through various routes, including logins and passwords as well as controlling physical access. Access control should always be proportionate to the kind of data that is being dealt with.
  • Encryption
    Encryption of data is based on using mathematical algorithms to encode digital information so that only authorised parties can access it using a decryption key. Various software solutions and examples are listed on the UK Data Service website.
  • Checksums
    Checksums are unique number strings that serve as fingerprints for the content of a data file. They can be calculated by software, e.g. before and after a file is transferred or backed up, to evaluate the integrity of the data.
  • Backup
    Backups of sensitive data should only create the minimal number of copies needed to ensure continued availability of the data if necessary. Backups should only be done on storage media that are suitably secure for holding that type of sensitive data and data should be encrypted once the backup has been completed. See also data storage.
  • Secure disposal
    It is important to note that using operating system tools or even erasing a hard drive may still allow the recovery of data that is meant to be erased. The effective removal of data from a storage medium, therefore, requires either physically destroying the drive or using specialist file shredding software suitable for the respective operating system and the type of hard drive.
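
The checksum step above, as an added example that is not part of the University's guidance: it records a checksum for every file in a folder before a transfer or backup, then compares the copy against that record. The choice of SHA-256 and all function names are assumptions made for this illustration.

```python
import hashlib
import sys
from pathlib import Path

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large data files are not loaded whole


def sha256_file(path):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX style) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()  # symlinks are skipped, not followed
    }


def compare(before, after):
    """Compare the manifest taken before a transfer with one taken after."""
    report = {"missing": [], "changed": [], "unexpected": []}
    for name, digest in before.items():
        if name not in after:
            report["missing"].append(name)      # file did not arrive
        elif after[name] != digest:
            report["changed"].append(name)      # content differs from the original
    report["unexpected"] = sorted(set(after) - set(before))  # files only in the copy
    return report


def verify_copy(source_dir, copy_dir):
    """Return (ok, report); ok is True only if both folders match exactly."""
    report = compare(build_manifest(source_dir), build_manifest(copy_dir))
    return not any(report.values()), report


if __name__ == "__main__" and len(sys.argv) == 3:
    ok, report = verify_copy(sys.argv[1], sys.argv[2])
    print("copy verified" if ok else f"integrity check failed: {report}")
    sys.exit(0 if ok else 1)
```

A matching checksum shows that the copy is identical to the original; it does not keep the content confidential, which is the job of the encryption and access control steps.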