As an SGUL researcher, you can get help with managing your data at each stage of your project from the RDM Service.

cropped RDM index brainstorming

Does my study need NHS Ethics Review?
The following two links will take you to guidance provided by the Medical Research Council, the Health Research Authority (HRA) and the National Research Ethics Service (NRES) on whether your study requires ethical review by NRES or not.

As stated at the end of the decision tool in particular, although your study may not require ethical review from NRES, it may still require approval from other bodies.

Advice on Data Management for Masters Students
There are two electronic storage areas that students have access to–

  • OneDrive for Business (not personal) on SGUL's Office 365
  • Personal SGUL H: drive .

Whilst students are working on or with their projects/data, they can use these two areas to save work etc. – this should give them the freedom to work on their data on personal laptops. The H: drive is accessible remotely via VPN, and ensures data is secure both from a confidentiality and loss perspective. Students can access OneDrive directly from their student mailboxes by clicking ‘Office 365' on the top left of the screen. You have 1TB of cloud storage available on OneDrive.

Students need to ensure that their research data/files are saved on their H: drive or OneDrive for Business accounts and NOT on personal laptops, removable hard drives or other portable media, or personal cloud-based services (e.g. smartphones back-up etc.). The SGUL H: drive, that every SGUL student is given, is backed up to a server every night, so data is recoverable. Information on OneDrive is automatically saved and backed up.

The only people able to access files on OneDrive for Business are the owner of the account and anyone they choose to share files with. It is important that data is anonymised before it can be put on OneDrive. No sensitive personal data or patient information should be kept on the university's 365 cloud, including OneDrive for Business, at any time.

Mobile storage devices: these include; recorders, USB, smart phones, laptops. For transferring research data (e.g. audio recordings) you can use password protected/encrypted mobile devices (e.g. USB with encryption) but note this data is still vulnerable if the USB stick is lost or stolen. If you are using a mobile phone for recording, ensure that only you will be able to access the files and they are saved on the phone's physical memory drive rather than the cloud. Saving identifiable or sensitive research data on the cloud is not permitted under any circumstance . Ensure you upload the information to your H: Drive or, if anonymised, OneDrive ASAP and delete the information from the mobile device.

Students sharing data between each other

  1. They can email documents to each other.
  2. If the document/spreadsheet contains any personal data the document will need to be password-protected and then sent, with the password for opening the file sent separately.
  3. If the document contains no personal data you can share it directly on Office 365 using OneDrive's sharing and collaboration features. Support/training in IT will be able to support you with using these features.

What is data Anonymisation?
Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information. Anonymising research data involves removing information which might lead to an individual being identified, either from the data itself or by combining the data with other information which a recipient of the data could be expected to have access to . Once the information is anonymised, it ceases to be personal data, and can be disseminated and published without contravening the Data Protection regulation. However, the latter does not diminish research ethics considerations and requirements .

What is data Pseudonymisation?
The Data Protection Act (DPA) 2018 and General Data Protection Regulation (GDPR) defines pseudonymisation as “ the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information .” To pseudonymise a data set, the “additional information” must be “ kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable person .” It is important to note that where a researcher produces an anonymised dataset but retains the information which is necessary to identify an individual, the totality of the information held by the researcher will still be personal data, and will have to be managed in accordance with GDPR. What the researcher holds will not cease to be personal data unless the researcher disposes of the identifying information and has no means of recovering it.

Quantitative Data
Anonymisation may be as simple as removing variables which directly identify a research subject, such as name and home address. However, it is often necessary to do more than that to render a dataset truly anonymous. Variables may have to be removed or the data manipulated to deal with situations where an individual could be identified through combinations of variables, or by combining the data with other publicly available information. For example: full UK postcodes typically cover only a small number of delivery addresses, and can easily lead to identification of an individual or household when combined with other information. To anonymise a dataset, it might be necessary to remove the postcode or to only include the element of the postcode which relates to a wider area (i.e. first part of the postcode).

Qualitative Data
Anonymisation may involve the use of pseudonyms and editing the data to remove identifying information. Anonymisation of qualitative data can be problematic because of the risk of individuals being identified through contextual information, and the risk of the data being distorted by the anonymisation process.

Determining what is personal data
Any information related to a natural person or ‘Data Subject', which can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or an IP address.

Special Category (sensitive data) personal data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

The data subject must give explicit consent to the processing of those personal data for one or more specified purpose.

Examples of Special Category data:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life or
  • sexual orientation

What should a researcher do if they wish to use personal data for research?

The regulation requires that personal data are processed fairly and lawfully. To use personal data for research, researchers have two options:

1. Comply with the regulation by gaining 'explicit' or 'unambiguous' consent or must have other legal basis for processing. Or

2. Use unidentifiable data so that processing no longer needs to comply with the regulation.

Data is only completely anonymised if it is impossible to identify the individuals from the information therefore researchers should always use the term pseudonymised if they are not sure. A set of data is not anonymised if codes were given to individual items and then a separate list is held which links these codes to individuals.

What is the difference between ‘ explicit' and 'unambiguous' data subject consent?

The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent (this should be in the participant information sheet) - meaning it must be unambiguous using clear and plain language. This can rely on implied consent (i.e. a data subject inserting their email address to be contacted for future research). This is still an affirmative action that indicates acceptance of the processing, but they have not given their “explicit consent”.

Explicit consent is required only for processing Special Category (sensitive) personal data - in this context, an affirmative action is required where data subject should explicitly indicate that they agree to the processing (e.g. ticking a box that says “I consent to…”).

For support/training on IT infrastructure available contact IT Training Manager, Information Services: This email address is being protected from spambots. You need JavaScript enabled to view it.

For all enquiries about research data management, email: This email address is being protected from spambots. You need JavaScript enabled to view it.

For Research Ethics and Governance Student queries contact: This email address is being protected from spambots. You need JavaScript enabled to view it.

Last Updated: Tuesday, 09 April 2019 14:12

For all enquiries about research data management, email: