Information and services for working with personal and confidential data.
We use 'sensitive data' as a catch-all term to refer to:
Other kinds of research data may also be sensitive, so researchers should use their own judgement to determine whether their research data should be considered sensitive.
Personal data are currently defined by the Data Protection Act 1998 (DPA), and research involving such data must uphold the duty of confidentiality and protect data subjects' right to privacy.
In May 2018, the DPA will be replaced by the European General Data Protection Regulation (EU) 2016/679 (GDPR).
The GDPR defines personal data as follows:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Please see the following University of Edinburgh guidance for more information
Personal data should not be stored on cloud (external) services, such as Dropbox.
Personal data should not be stored on unencrypted laptops or flash drives.
Personal data should not be transferred via insecure channels, such as email.
Please visit the Information Security website to learn more about keeping data safe, including software for encryption.
Confidential data are data not in the public domain, including information that has been given in confidence or agreed to be kept confidential between two parties. This may include information on business, income, health, medical details, and political opinion. A 'duty of confidentiality' exists in UK law and you should be aware of this when working with such data.
In addition, although DPA legislation may not apply to confidential data where they do not contain personal data, other legislation may apply.
The UK Data Archive provides further information about the duty of confidentiality and an overview of legislation relevant to working with personal and confidential data.
For projects requiring advanced security, the forthcoming Data Safe Haven (DSH) will provide a controlled and secured service environment for undertaking research using sensitive data.
The service will provide robust controls and safeguards to enable the secure transfer of sensitive data into a ‘walled garden’ environment where it can be securely stored, manipulated and analysed by approved members of a research team.
The DSH service will be available later in 2017.
Access online training about 'storage and security', and 'data protection, rights & access' via the Research Data Management Training site:
Find out about relevant training and workshops run by the Research Data Service:
If you have questions about working with sensitive data, including:
General queries about personal or confidential data
Please contact the Research Data Service team, by emailing