Safe and secure storage of research data is essential to protect against data loss and unauthorised access, and to ensure compliance with institutional, funder, data provider and legislative requirements.
When choosing storage options consider where, when and how many times the data will be backed up, data security, and access control - whether it will permit access for the research team and collaborators. Also consider whether you will need to archive your data at the end of your project and whether your chosen storage solution will permit this.
You should not keep person identifying information ("PII") indefinitely and should aim to anonymise it as soon as possible or follow the retention period prescribed by your funders, data providers or the University Records Retention Schedule. As such, make sure you have processes for secure deletion of the data, both paper and electronic. Retention does not mean you archive after the retention period has been reached. Once the retention period is reached you will need to securely delete the person identifying information.
Digital data solutions
All information must be stored and handled in a manner appropriate to its security classification, and the master copy of all digitally held information, regardless of its security classification, must be stored on University-approved systems. If you intend to capture audio, video or images of participants, these must be stored as described in the Taking recordings of participants for research projects SOP to ensure compliance with data protection laws.
To safeguard your data, we recommend using storage systems provided by the University, such as the Research Data Storage (RDS) Service, departmental shared drives or SharePoint. University-provided Dropbox Business must only be used for sharing information, not long-term storage, and your P Drive should be avoided as information is not accessible to others in your absence. These systems are regularly and automatically backed up, and may be accessed on-campus and off-campus.
More detailed guidance and a summary table of digital storage and collaboration options are available on our Storage and Collaboration page.
Research Data Storage Service
- University-approved storage for research projects.
- Intended for use by research groups and supported by IT Services. Principal Investigators can apply for storage space using the request storage space form and can then grant access to other researchers and students.
- Each research project is entitled to 8TB of (replicated) storage, free at the point of use. Additional storage may be requested and charges apply. Research IT can provide further guidance on storage options.
- Accessible remotely via GlobalProtect Virtual Private Network (VPN).
- Hourly backups which can be accessed within 24 hours and daily backups which can be accessed within 35 days.
P Drive
- Available to all staff and students.
- It is only acceptable to store research data on the P drive in the following cases:
  - For students who do not have access to the Research Data Storage Service (described above) through a project’s Principal Investigator.
  - To store the pseudonymisation key for personal data, where the pseudonymised data is stored using a different and appropriate data storage solution. This ensures that person identifying information is kept separately and securely from data relating to research participants.
- The P drive is not accessible to others in your absence, so if you leave the University any research data must be transferred to another appropriate storage solution. All University staff leaving the University must complete the Staff Exit Checklist to ensure all necessary steps are taken before they leave. P drives and all their contents are deleted three months after a member of staff or student leaves.
- Daily backups.
Data Safe Haven
- The Data Safe Haven provides an infrastructure for the secure management and processing of personal, sensitive and confidential information.
- For research projects that need to handle the following types of studies:
  - All NHS-Digital data users who need to be NHS Information Governance Toolkit (IGTK) compliant, unless there are reasons this cannot proceed.
  - Other, non NHS-Digital data users who also need to be NHS IGTK compliant, including section 251 approval.
  - Other, non NHS-Digital data users where the data is highly sensitive and their security requirements could only be met by a data safe haven.
  - Defence data.
- Enables secure file transfer.
- If you wish to discuss Data Safe Haven in more detail, contact the Research IT team.
Dropbox Business is the University-approved secure cloud-based file sharing and synchronisation service that lets you share large files and folders securely with external collaborators. Over 1TB of storage is provided and it is compatible with Windows, macOS, Linux, iOS and Android. As per the University’s standard operating procedure for information security classification, ownership and secure information handling, please ensure that you have encrypted Highly Restricted or Restricted information such as person identifying information.
Other cloud services that have not been endorsed by the University (e.g. Google Drive, personal Dropbox accounts) should not be used for Highly Restricted or Restricted information.
Portable devices and media
Portable devices and media (such as laptops, USB sticks, external hard drives and DVDs) are vulnerable to failure, damage, loss and theft. The IT Services policy on point storage solutions strongly discourages their use. An unmanaged laptop can easily miss important updates such as anti-virus and become a target for hackers.
Nonetheless, there are exceptional circumstances, such as fieldwork, where portable devices and media may be necessary to temporarily store or transfer data. Where such exceptions exist, data should be moved as soon as possible to University-approved systems.
If you are using portable devices and media then:
- Temporary storage of Highly Restricted or Restricted information (such as person identifying information) outside of University-approved systems requires the file, device or media to be encrypted and the device or media to be kept physically secure at all times.
- Consider the need for regular backups. The Information Governance Office can advise whether such duplication of information is recommended for specific scenarios. Duplicating versions of data already stored on the Research Data Storage Service (described above) is not necessary.
- Making backups ensures that original data files can be restored from backup copies, should originals be damaged or lost. It is helpful to regularly document and test your backup procedures to ensure they are functioning as planned.
- The 3-2-1 principle offers a useful rule of thumb:
  - Save three copies of your data (original copy and two backup copies),
  - two locally (on two different devices),
  - and one off-site.
- Backing up your data at regular intervals minimises the amount of data you can lose. When deciding how regularly you should back up your data, consider how many hours or days of work you are willing to lose.
- Research IT provides support and guidance on digital data solutions.
- Information Governance Office provides support and guidance on data protection, records management, information security and a risk review service.