Data Protection, Data Management and UK General Data Protection Regulation (UK GDPR)

When it comes to issues of data protection and secure data storage, you should consider data in its broadest sense, so it is not only referring to quantitative data or primary qualitative materials obtained or generated from human participants but primary materials such as poetry, novels, song, photographs, etc., as well as your own notes, ideas, jottings, and musings about the primary materials you might be using.

For further discussion on what data is, especially in the Arts and Humanities, please refer to:

Duca, Daniela. 2016. “Research data in the creative and performing arts.” Jisc, November 22, Research data in the creative and performing arts (jiscinvolve.org).

Jisc. 2021. “Research data in arts, humanities and social sciences,” in Research data management toolkit, Research data in arts, humanities and social sciences | Jisc.

Posner, Miriam. 2015. “Humanities Data: A Necessary Contradiction.” Miriam Posner’s Blog: Digital Humanities, Data, Labor, and Information, June 25. Humanities Data: A Necessary Contradiction – Miriam Posner's Blog.

Schöch, Christof. 2013. “Big? Smart? Clean? Messy? Data in the Humanities.” Journal of Digital Humanities 2, no. 3 (summer). » Big? Smart? Clean? Messy? Data in the Humanities Journal of Digital Humanities.

Secure data storage prevents loss, leakage, damage, unauthorised access and/or theft of data.

All staff members and students should ensure that they complete all mandatory Data Protection training before beginning any research. Please see: ‘TRAINING: Research ethics and UK General Data Protection Regulation (UK GDPR)’: TRAINING: Research ethics and UK General Data Protection Regulation (UK GDPR) | The University of Edinburgh.

Links to external websites may not be accessible and we are not responsible for their content.

Policies and other resources to help you conduct your research in line with GDPR and data protection guidelines.

University Data Protection Policy and Handbook: Policy and handbook | The University of Edinburgh

Research under the UK General Data Protection Regulation (UK GDPR): researchgdprv6.pdf (ed.ac.uk)

University guidance on Data Protection: Data Protection | The University of Edinburgh

UK Research and Innovation (UKRI), GDPR and research – an overview for researchers: GDPR and research – an overview for researchers – UKRI

Links to external websites may not be accessible and we are not responsible for their content.

Data Protection Impact Assessment (DPIA)

When do I need to carry out a DPIA? And other guidance related to DPIAs: Data protection impact assessments (DPIAs) | The University of Edinburgh

Data Management Plan (DMP)

It is worthwhile thinking through the data-related aspects of your research before you get underway. Data management planning, ethical approval, and data protection considerations are often essential prerequisites for a research project.

Information Services (IS) Research Data Services: Data Management Plan: Before you begin | The University of Edinburgh

Research Data Services

Information Services (IS) Research Data Services: Research Data Service | The University of Edinburgh

Information Services: Things you need to consider, and do, when travelling further afield: Before you go | The University of Edinburgh including Clean Laptop Service

Personal Data processed by students: Personal data processed by students | The University of Edinburgh

Data Storage

OneDrive is not suitable for storing all types of data, but is a good place to begin:

OneDrive for Business | The University of Edinburgh

DataStore is a file store for active research data, and is available to all research staff and postgraduate research students (PGRs). Find out more here: Active data storage | The University of Edinburgh

For long-term data retention, please refer to the guidance on DataVault: DataVault long-term retention | The University of Edinburgh.

Working with sensitive data

Some projects might require alternative data storage; for example, for projects which involve sensitive data. Information for those working with personal and confidential data: Working with sensitive data | The University of Edinburgh

Data Protection and travel

Information Services: Things you need to consider, and do, when travelling further afield: Before you go | The University of Edinburgh including Clean Laptop Service

Student research projects

For information for students processing personal data, please see: Personal data processed by students | The University of Edinburgh

Before you start using any new third party based software or services for University business, you must carry out due diligence to ensure that University information will be secure and appropriately managed.

For an overview of third party software application and services, see: https://www.ed.ac.uk/data-protection/data-protection-guidance/specialised-guidance/software-application-services

If it is necessary for you to use a third party software application to conduct research or collect any form of sensitive data (including student data) which is not supported by the University, then you should follow these steps:

1) Seek advice from Information Security (IS) about your unsupported software (https://www.ed.ac.uk/information-services/help-consultancy/contact-helpline)

2) Complete a Data Protection Impact Assessment (DPIA) (https://www.ed.ac.uk/data-protection/data-protection-impact-assessments)

3) Write and implement a Data Management Plan (DMP) (https://www.ed.ac.uk/information-services/research-support/research-data-service/before)

4) Carefully document all your decisions, and keep this record secure so that you can justify your choices at a later date should you need to

Please note that it is your responsibility to ensure that you have the correct permissions in place before conducting research.

For healthcare-related research, insurance and indemnity will be confirmed through sponsorship. However, certain categories of research must be referred to the University insurance officer for individual consideration before doing so (please contact the Research Governance Coordinator for guidance). These can include any research involving (but not limited to) the following: Children under 5 years old; Participants who are pregnant; Participants from outside the UK; Data from outside the UK (in particular the US). For data and indemnity-related enquiries, please contact the Research Governance Team (cahss.res.ethics@ed.ac.uk).