Data security is needed to protect intellectual property rights and commercial interests, or to keep sensitive information safe.

Arrangements need to be proportionate to the nature of the data and the risks involved. Data that contain personal information should be treated with higher levels of security than data which do not, as the safeguarding of personal data is dictated by national legislation, the Data Protection Act 2018, which states that personal data should only be accessible to authorised persons. Personal data can be stored in digital files, or can exist in non-digital format: patient records, signed consent forms, interview cover sheets containing names, addresses and signatures.

Security can be made easier by:

  • Separating data content according to security needs, e.g. store participant names and addresses separately from survey files
  • Encrypting data containing personal information before they are stored or transmitted
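The separation described in the first point, as an added example that is not part of the original guidance: a survey export is split into a restricted key file (names and addresses) and a working survey file, linked only by a random participant ID. The column names, the sample rows and the function names split_survey and to_csv are assumptions made for illustration.

```python
import csv
import io
import secrets

# Constructed sample survey export (not real data).
SAMPLE_CSV = """name,address,age_band,q1_satisfaction,q2_comment
Alice Example,1 Sample Street,25-34,4,Helpful staff
Bob Placeholder,2 Test Road,45-54,2,Long wait
"""

# Columns treated as directly identifying; an assumption for this sample.
IDENTIFYING = ("name", "address")


def split_survey(csv_text, identifying=IDENTIFYING):
    """Return (key_rows, survey_rows); only key_rows hold identifying columns."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in identifying if c not in reader.fieldnames]
    if missing:
        # Fail closed: never emit a "de-identified" file if a column is misnamed.
        raise ValueError(f"identifying columns not found: {missing}")

    key_rows, survey_rows, used = [], [], set()
    for row in reader:
        # Random ID, not derived from name or address, so it cannot be reversed.
        pid = secrets.token_hex(8)
        while pid in used:
            pid = secrets.token_hex(8)
        used.add(pid)
        key_rows.append({"participant_id": pid, **{c: row[c] for c in identifying}})
        survey_rows.append({"participant_id": pid,
                            **{c: v for c, v in row.items() if c not in identifying}})
    return key_rows, survey_rows


def to_csv(rows):
    """Serialise a non-empty list of dicts to CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    keys, survey = split_survey(SAMPLE_CSV)
    print(to_csv(survey))  # working file: no names or addresses
```

The key file is the part that needs encryption and the tightest access control. Free-text answers in the working file can still contain identifying details and need a separate review.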

Attention to security is also important when data files are to be destroyed.

Physical security

  • Controlling access to buildings, rooms, cabinets where data, computers, media or hardcopy materials are held
  • Logging the removal of, and access to, media or hardcopy material in store rooms
  • Transporting sensitive data only under exceptional circumstances, even for repair purposes; for example, giving a failed hard drive containing sensitive data to a computer manufacturer may cause a breach of security.

Network security

  • Not storing sensitive data such as those containing personal information on servers or computers connected to an external network, particularly servers that host internet services
  • Using firewall protection and applying security-related upgrades and patches to operating systems to avoid viruses and malicious code

Security of computer systems and files

  • Locking computer systems with a password
  • Ensuring computer software is up-to-date
  • Protecting servers against power surges with line-interactive uninterruptible power supply (UPS) systems
  • Implementing password protection and controlled access to data files, for example ‘no access’, ‘read only’, ‘read and write’ or ‘administrator-only’ permission
  • Controlling access to files, folders or entire hard drives through encryption
  • Not sending personal or confidential data via email or other file transfer means without first encrypting them
  • Destroying data in a consistent manner when needed: deleting files and reformatting a hard drive will not prevent the possible recovery of data; consult our guidance on data disposal
  • Imposing non-disclosure agreements for managers or users of confidential data

Data security and cloud storage

Cloud-based* storage services such as Google Drive, Dropbox, OneDrive, iCloud or YouSendIt are easy to use, but not necessarily permanent or secure. Cloud-based storage is usually overseas and therefore not subject to UK law; consequently, its use could be in violation of the UK Data Protection Act 2018 (DPA) and/or the General Data Protection Regulation, which require that personal and sensitive data should not be transferred to other countries without adequate protection.

Cloud data storage should not be used for high-risk information such as files that contain personal or sensitive information or that have a very high intellectual property or commercial value. While file encryption safeguards data files to a certain degree, it does not negate the requirements of the DPA.

Alternatives are secure FTP (SFTP) servers, secure content management systems set up and controlled by an institution or secure workspaces. See our guidance on file sharing.

*Cloud-based, in this context, refers to generic cloud services (often free) where one does not have an individual contract/SLA with the supplier that contains agreed information security standards. An organisation may have their own cloud-based secure storage or contract for the same to be provided by a suitably qualified supplier.