Policies and data protection

University of Southampton Research Data Management Policy

The following guidance supports the University of Southampton Data Management Policy. All students are required to abide by the University’s policy. Taught students are exempted from the provisions regarding retention and deposit unless they have published peer-reviewed articles based on their research.

Data Protection Act (2018)

If your research involves collecting data from living human subjects, or ‘special category data‘ (formerly referred to as sensitive data) then you must comply with the Data Protection Act (2018). The Act incorporates the EU General Data Protection Regulation (GDPR).

The key actions to reduce your risk are:

  • Raw data and all files containing contact details for individuals (such as consent forms) must only be stored on University servers, within the University network
  • If you are holding data locally on a laptop (for example during collection) the data must be encrypted and the laptop should be a University build laptop.
  • When sharing data with collaborators, do not share the raw data. Do not use cloud-based services. Do not share data with¬†collaborators¬†outside the University unless you know¬†that a¬†data sharing agreement is in place.
  • When moving data, do not email files instead use SafeSend¬†or create a SharePoint site for you and your collaborators. SharePoint can also be accessed via University of Southampton Office 365¬†

What if I lose some data or disclose by accident?

Do not delay, do not spend time trying to find the data, email databreach@soton.ac.uk as soon as you suspect the data loss may have happened.

  1. Email databreach@soton.ac.uk 
  2. Liaise with Finance to get mobile number blocked (if appropriate)
  3. If the lost device is a iPhone or iPad:
    • Access iCloud.com and Find my iPhone with account on the item lost
    • Click ‚Äėall devices‚Äô
    • Select device that is missing and click erase iPhone

Differences Between Consent For Ethics and Data Protection

Ethical guidelines issued by funders and the University cover how you can create, store, share and archive data concerned with human subjects. In addition, laws such as the Data Protection Act 2018, govern the processing of personal data.

The University is able to hold and share certain types of data, for example pseudonymised and anonymised research data. Data collected by staff and students in the course of their research and education constitute a ‚Äėpublic task‚Äô in law.¬†Even sensitive research data can often be shared legally and ethically by using anonymisation and controlled access.¬† In order to be able to do this it is important to consider potential data sharing and re-use scenarios well before the ethics process and data collection.

Be explicit in your consent forms and participant information sheets about your plans to make data available, who will be able to access the data, and how the data would be accessed and potentially re-used. You should not ask participants to consent to sharing their anonymised or pseudonmysied data but instead that they understand their anonymised or pseudonmysied data may be shared.

If you want to keep their contact details so they can be contacted for further research after your study is finished, you must get their explicit consent to do this. You must keep the contact details separately from your current study.

For more guidance see the Sensitive Data, Research Data and the GDPR pages. Expert guidance on ethics can be sought from your local Faculty Ethics Committee and the Research Integrity and Governance Office.

The next section looks at top tips for best practice, focusing on planning, file naming, version control and storage.

page 3 of 4