Managing personal data

Even if they do not realise it, researchers often deal with personal and sensitive information during their projects. When we talk about personal data most researchers will automatically think about things such as medical information and confidential records but the definition is actually much broader.

Personal data is considered to be any information which can be used to identify a living person, either on its own or as part of a combination of data. This could include information such as contact details, photographs, job titles and workplaces. Sensitive personal data takes this one step further and includes any information which can tell you about the protected characteristics of an individual such as their race, gender or sexuality. If others were to find out this information about an individual then there may be a risk of it being misused and so it is given an extra level of protection. Another issue for researchers (and librarians) to consider is GDPR. The General Data Protection Regulation came into force on May 25^th 2018 as a way to bring the various data laws across the EU into line with each other. GDPR builds on the existing data protection regulations but extends the rights of individuals in terms of their data and greatly increases the fine for any data breach. You can read more about GDPR here.

These changes in legislation have an impact on the research community and the way in which they deal with data. Whilst there are some educational exceptions for academic research these need to be used carefully. Cambridge University has released some guidance for the research community on GDPR as has the UK Data Service. Researchers will need to ensure that they update any consent forms to obtain informed open consent which details exactly what will happen to the data collected and how it will be shared. The UK Data Service offers example consent forms for researchers to use.

There are some common sense tips when it comes to handling sensitive data:

• Don't collect it unless it is actually needed. Researchers often fall back on conducting surveys to find out information and these sometimes ask for demographic information such as date of birth or gender. If that information is not needed for the study then it is best to avoid collecting it – that way the researcher doesn’t have to worry about protecting something they don’t need in the first place.
• Researchers should ensure that informed open consent is obtained prior to data collection. This means that researchers should make clear to participants exactly how data will be used and shared with others. It is important to remember that permission to use data for an academic exercise is not the same as permission to publish it in any form and researchers should carefully consider this. Any consent should be formal and written down.
• All data should be anonymised with any identifying information removed. If this would still result in participants being identifiable then it may be a good idea to split the data into smaller data sets to prevent identification.

Researchers need to think broadly about the type of data and any extra steps they need to take to ensure its protection. As well as being part of good data management practice, failure to protect this information could land the researcher in serious trouble with both their funder and their wider institution.