ScHARR Information Governance
Policy Section 3: Data storage and storage devices
ScHARR stores large volumes of research data, some of which is risk-bearing. The wrong choice of storage could put research work at risk of unauthorised access or loss and could damage the University’s reputation.
In order to choose appropriate storage the following issues should be considered:
- security - ensuring that data is protected from unauthorised access. This is particularly important when working with risk-bearing data
- availability - ensuring that data is accessible when and where it is needed
- integrity - ensuring one true copy of the data is maintained.
All research projects should use the University’s Shared Networked Filestore as their primary data storage for risk-bearing data. Where this is not practical, alternative or additional secure data storage must be chosen based on an assessment of potential risk. Advice should be sought from the relevant Section IG Lead.
University network storage
ScHARR IT will create secure folders with controlled access and arrange archive or deletion on request. This will be documented in an information asset register.
Research groups must only request access for individuals who need access to their project folder. There is provision for secure access for people outside of the University when necessary. A member of the research group must notify ScHARR IT promptly when a member of staff no longer needs access.
CiCS manage the regular backup of all University file storage for disaster recovery purposes.
The University has an agreement with Google for provision of G Suite (Google Apps). The Factsheet on Data Security and Privacy with Google summarises this agreement and states that the University is satisfied that the security controls put in place by Google are sufficient to protect University data. This applies only to University supplied Google accounts and not personal ones.
Google Drive may be used by research groups as a tool to develop documents and spreadsheets collaboratively.
Google Drive is not recommended for use as a project’s primary data storage for a number of reasons:
- when a Google account is deleted any documents owned by that account are also deleted unless they are first transferred to another account
- back-up and disaster recovery procedures are managed by Google and therefore not within the control of CiCS
- there is increased risk of accidentally sharing data inappropriately.
For these reasons Google Drive should not be used for risk-bearing data without very careful consideration of risks, and consultation with the appropriate Section IG Lead. If the decision is made to collect or store risk-bearing data using Google Drive, e.g. via Google Forms, then this should be made clear to study participants.
External services should only be used for research work following very careful consideration of risks.
Examples of external service providers include:
- cloud storage services such as Dropbox, iCloud, OneDrive and Google Drive on personal (non-University) Google accounts
- online survey services such as SurveyMonkey (and Google Forms on non-University Google accounts)
- agencies which process data (e.g. mailing, transcription)
- agencies which develop/maintain IT systems to support research projects
If a research group is considering using an external service for something which involves the processing or storage of risk-bearing data, they must consult the IG Section Lead for advice. If it is agreed that use of an external service is appropriate, a contract must be in place to ensure there are sufficient security measures.
There may be further restrictions placed on data received from third party providers, for example:
- storing and processing data only on University premises
- storing/accessing the data only on a computer with no internet connection
- storing/accessing the data only using encrypted machines
- preventing off-campus access
- preventing download from primary storage
- encrypting data to a specific minimum standard
- applying additional firewall restrictions
- securely deleting files by an agreed date or at the request of the provider
- documented destruction of hardware at end-of-life
Data sharing agreements (DSA) will document any restrictions which must be adhered to. If projects require the use of NHS Digital datasets, the IG Section Lead must be informed and details must be logged on the NHS Digital information register.
In some cases using a virtual machine (VM) may be an option to meet the requirements of a DSA. CiCS maintains the physical infrastructure, and access to a particular VM can be restricted to specified user accounts. A firewall can be configured at VM-level to permit connection only from specified IP addresses, and data transmissions to and from the VM are encrypted by Transport Layer Security (TLS). ScHARR IT will pass VM requests from research groups on to CiCS.
Local hard drives / solid state drives
When performing process-intensive tasks it can be beneficial to work with data on a machine’s local drive rather than a network drive. If the data being processed is risk-bearing the local storage must be encrypted in accordance with University policy. It is recommended that local drives are used only for temporary storage (during processing) as they are vulnerable to corruption or failure, and are unlikely to have comprehensive back-up and disaster recovery plans in place.
Unlike straightforward password protection, which simply acts as a barrier to accessing the information, encryption renders information unreadable to anyone who does not have the right key/password.
Portable devices (e.g. laptops, USB sticks, hard drives, voice recorders, mobile phones, tablets) should only be used for temporary storage of a second copy as they are vulnerable to loss or corruption. If portable devices are used to store risk-bearing data or used to access information which could include risk-bearing data (including receiving and sending email), they must be encrypted. It is recommended that all portable devices used for work purposes are encrypted.
Audio / video recordings
Ideally all audio / video recordings should only be made on encrypted devices. Unencrypted devices should only be used for research work following careful consideration of risks. Where an interview or other audio / video recording is taken on an unencrypted device the file must be transferred into a secure location as soon as is practically possible and securely deleted from the device.
Research project staff should discuss their requirements with their Section Administrator to ensure paper records are stored securely and archived/deleted when appropriate. Where necessary the Section Administrator will consult with the CiCS Records Management Team.
Information captured on paper is just as important as data stored digitally and carries many of the same risks; therefore care must be taken to ensure secure transit of anything containing risk-bearing information.
Data disposal and device destruction
The disposal of risk-bearing data and devices on which risk-bearing data has been stored requires particular care. Files which have been deleted in the usual way may still be recoverable; instead files containing risk-bearing data must be securely erased. ScHARR IT can provide technical assistance.
All waste IT equipment will be collected and disposed of by ScHARR IT in accordance with the University’s procedure for the disposal of waste electrical and electronic equipment (WEEE).
The University has guidelines relating to physical and online security and the use of portable computers and media.