Information and services for working with personal and confidential data.
What are sensitive data?
We use 'sensitive data' as a catch-all term to refer to:
- research data containing personal identifying information (i.e. 'personal data' as defined in the General Data Protection Regulation);
- confidential data, including data generated or used under a restrictive commercial research funding agreement;
- ecological data, where the release of data may adversely affect rare or endangered species of plants or animals;
- data likely to harm an individual or community, or have a significant negative public impact, if released.
Other kinds of research data may also be considered sensitive, and researchers should therefore use their own judgement to determine whether research data should be considered as sensitive.
The General Data Protection Regulation (GDPR) defines personal data as follows:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Research involving such data must uphold the duty of confidentiality and protect data subjects' right to privacy.
Please see the following guidance for more information:
- Information Commissioner’s Office (ICO) - Guide to the General Data Protection Regulation (GDPR): What is personal data?
- University of Edinburgh - Research using personal data
- University of Edinburgh - General Data Protection Regulation (GDPR)
General data security principles for personal data
- Personal data should not be stored on cloud (external) services, such as Dropbox.
- Personal data should not be stored on unencrypted laptops or flash drives.
- Personal data should not be transferred via insecure channels, such as email.
- Personal data should be stored no longer than necessary. Consider options for de-identification, anonymisation or timely disposal.
Please visit the Information Security website to learn more about keeping data safe, including software for encryption.
Confidential data are data not in the public domain, including information that has been given in confidence or agreed to be kept confidential between two parties. This may include information on business, income, health, medical details, and political opinion. A 'duty of confidentiality' exists in UK law and you should be aware of this when working with such data.
In addition, although GDPR legislation may not apply to confidential data where they do not contain personal data, other legislation may apply.
The UK Data Archive provides further information about the duty of confidentiality and an overview of legislation relevant to working with personal and confidential data.
Data Safe Haven
For projects requiring advanced security, the Data Safe Haven (DSH) provides a controlled and secured service environment for undertaking research using sensitive data.
Please contact the Research Data Service team for more information, or to discuss using the DSH for your research project.
Access online training about 'storage and security', and 'data protection, rights & access' via the Research Data Management Training site:
Find out about relevant training and workshops run by the Research Data Service:
If you have questions about working with sensitive data, including:
- General queries about personal or confidential data
- Completing an application for access to external data
- Costing secure storage for a funding application
- Using the Data Safe Haven for your research project
- Training about personal and sensitive data
Please contact the Research Data Service team, by emailing