For managing sensitive data
Only collect as much sensitive or personal information as needed for your research project
Data that contains personal or sensitive information should be treated with higher levels of security than non-sensitive data.
Copies of personal data should be kept to a minimum in order to reduce risk of disclosure or unauthorised access.
Where possible, identifiable data should be anonymised. The GDPR does not apply to anonymised data but best practice for handling sensitive data should still be followed. The UK Data Service have published guidance on anonymising quantitative and qualitative data
If data have been pseudonymised (i.e. where information that identifies an individual is replaced by a code), the code key should be kept in a separate location
Any sensitive data stored on portable media or personal devices should be password protected or encrypted.
Access to devices, files or servers containing sensitive or personal data should be responsibly managed and regularly reviewed.
Always transfer sensitive or confidential data securely (Sharing files)
A plan for the timely and necessary deletion of personal information should be put together at the start of any project and included in your data management plan. Imperial ICT can be consulted about methods for ensuring permanent deletion of sensitive information.