Working with sensitive data
Information for those working with personal and confidential data.
What are sensitive data?
We use 'sensitive data' as a catch-all term to refer to:
- research data containing personal identifying information, 'personal data' and special categories data as defined in UK and European data protection legislation;
- commercially sensitive data, including data generated or used under a restrictive commercial research funding agreement;
- data relating to species of plants or animals where the release of data may adversely affect rare or endangered species;
- data likely to harm an individual or community or have a significant negative public impact if released.
You may be collecting data that does not fit in any of these categories. It is your responsibility to understand and comply with the law and use your judgement when deciding the potential risk in releasing your research data.
Under data protection laws, anyone processing personal data must ensure they comply with key data protection principles. The General Data Protection Regulation (commonly referred to as the GDPR) defines personal data as follows:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Special categories of personal data
Special category data is personal data that needs more protection because it is more sensitive. Data is classified as special category data where it includes information about a person's:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data (where used for identification purposes)
- sex life
- sexual orientation
General data security principles for handling personal data
Personal data should not be stored on cloud (external) services, such as Dropbox, without ensuring legal safeguards are in place.
Personal data should not be stored on unencrypted laptops, flash drives or other storage devices.
Personal data should not be transferred via insecure channels, such as email.
- Personal data should be kept no longer than necessary. Consider options for de-identification, anonymisation or timely disposal.
Duty of confidentiality
Research involving personal data must uphold the duty of confidentiality and protect data subjects' right to privacy.
Confidential data are data not in the public domain, including information that has been is given in confidence or agreed to be kept confidential between two parties. This may include information on business, income, health, medical details, and political opinion. A 'duty of confidentiality' exists in UK law and you should be aware of this when working with such data.
In addition, although GDPR legislation may not apply to confidential data where they do not contain personal data, other legislation may apply.
For projects requiring advanced security, safe havens provide a controlled and secured service environment for undertaking research using sensitive data:
Guidance and useful links
Authoritative guidance from the University Data Protection Officer is available from the Data Protection website:
- University of Edinburgh - Data Protection site
- University of Edinburgh - Research and data protection guidance
Visit the Information Security website to learn more about keeping data safe, including software for encryption.
The UK Data Service provides guidance on topics such as disclosure assessment, anonymisation and access control for researchers working with sensitive data.
If you have questions about working with sensitive data, or wish to discuss using the Data Safe Haven for your research project, please contact the Research Data Support team using the 'Contact us' button.