Information security is important to protect highly restricted or sensitive information, for example where personal data, intellectual property, commercial interests, or national security is involved.
Sensitive information is information that can be used to identify an individual, species, object, or location in a way that introduces a risk of discrimination, harm, or unwanted attention.
The legal definition of sensitive personal data (sometimes referred to as special category personal data) comprises personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, information concerning health or relating to a natural person's sex life or sexual orientation, and criminal records and proceedings.
Whilst adopting a proportionate, risk-based approach, the entire lifecycle of the research information needs to be considered, from creation to destruction. Minimum controls for highly restricted information to remain secure include user access controls, encryption, identifying and guaranteeing the location of the information, and legitimate sharing / appropriate contracts.
If you intend to capture audio, video or images of participants, you must give further consideration to the handling of this data. Still and moving images and sound recordings featuring identifiable individuals contain the personal data of the participants and therefore must be processed in accordance with data protection laws. "Taking recordings of participants for research projects" is the standard operating procedure for secure handling of recordings and transcriptions.
Physical security, network security and the security of computer systems and files each need to be considered to ensure the protection of information and prevent unauthorised access, changes, disclosure or destruction of information. The Information Governance Office provides a review service which will be necessary if you are processing personal data and need to carry out a Data Privacy Impact Assessment (DPIA). You are likely to need to carry out a DPIA if you are using new technologies and/or cloud-based solutions, if your research data leaves the European Economic Area (EEA), or if the University of Manchester does not provide you with the required tools.
Guidance and support
IT Services provides guidance on:
- Cyber security (including advice on encryption, data handling and using cloud services)
- GlobalProtect Virtual Private Network (VPN) is a secure connection that allows your computer to access the University network when you are using wireless connections, or you are not on campus
- Dropbox Business is a secure cloud-based file sharing and synchronisation tool that lets you share large files and folders securely with colleagues who are external to the University and to drop off files internally
The Information Governance Office provides support and guidance to enable the University to create, use, archive and dispose of information safely:
- Information security (including disposal of confidential material)
- Information Handling Tool helps you determine how to handle information correctly
- Information security classification, ownership and secure information handling (standard operating procedure) describes generic requirements which must be considered in relation to all information handling processes
The Research Governance, Ethics and Integrity Team provides guidance and support to researchers in the area of research governance, integrity and ethics.
Data Protection online course (all staff who handle person-identifying information of staff, postgraduate researchers, students, research participants or others must complete the University's online data protection course)
Where technologies (including data) may be misused for human rights violations, terrorist acts or the development of weapons of mass destruction, they may be subject to UK Export Data Law, and may require an export licence from the Export Control Organisation (ECO). The ECO provides online checker tools to help establish if a licence is required.