Information and services for working with personal and confidential data.
What are sensitive data?
We use 'sensitive data' as a catch-all term to refer to:
- research data containing personal identifying information (i.e. 'personal data' as defined in the Data Protection Act 1998);
- confidential data, including data generated or used under a restrictive commercial research funding agreement;
- ecological data, where the release of data may adversely affect rare or endangered species of plants or animals;
- data likely to harm an individual or community, or have a significant negative public impact, if released.
Other kinds of research data may also be considered sensitive, and researchers should therefore use their own judgement to determine whether research data should be considered as sensitive.
Personal data are currently as defined by the Data Protection Act 1998 (DPA), and research involving such data must uphold the duty of confidentiality and protect data subjects' right to privacy.
- Information Commisioner's Office (ICO) guidance on definition of personal data
- ICO quick reference guide for determining whether your research data include personal data for the purposes of the DPA
In May 2018, the DPA will be replaced by the European General Data Protection Regulation (EU) 2016/679 (GDPR).
The GDPR defines personal data as follows:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Please see the following University of Edinburgh guidance for more information
- University of Edinburgh - data protection policy
- University of Edinburgh - research ethics and data protection
General data security principles for personal data
Personal data should not be stored on cloud (external) services, such as DropBox.
Personal data should not be stored on unencrypted laptops or flashdrives.
Personal data should not be transferred via insecure channels, such as email.
- Personal data should be stored no longer than necessary. Consider options for de-identification, anonymisation or timely disposal.
Please visit the Information Security website to learn more about keeping data safe, including software for encryption.
Confidential data are data not in the public domain, including information that has been is given in confidence or agreed to be kept confidential between two parties. This may include information on business, income, health, medical details, and political opinion. A 'duty of confidentiality' exists in UK law and you should be aware of this when working with such data.
In addition, although DPA legislation may not apply to confidential data where they do not contain personal data, other legislation may apply.
The UK Data Archive provides further information about the duty of confidentiality and an overview of legislation relevant to working with personal and confidential data.
Data Safe Haven
For projects requiring advanced security, the forthcoming Data Safe Haven (DSH) will provide a controlled and secured service environment for undertaking research using sensitive data.
The service will provide robust controls and safeguards to enable the secure transfer of sensitive data into a ‘walled garden’ environment where it can be securely stored, manipulated and analysed by approved members of a research team.
The DSH service will be available later in 2017.
Access online training about 'storage and security', and 'data protection, rights & access' via the Research Data Management Training site:
Find out about relevant training and workshops run by the Research Data Service:
If you have questions about working with sensitive data, including:
General queries about personal or confidential data
- Completing an application for access to external data
- Costing secure storage for a funding application
- Using the Data Safe Haven for your research project
- Training about personal and sensitive data
Please contact the Research Data Service team, by emailing