Some of the data which you collect may be personal, confidential or sensitive in nature. As such, this may require different safeguarding.
The procedures for handling personal, confidential and sensitive data are ruled by a combination of ethical and legal requirements:
- Data Protection Act 1998
- Freedom of Information Act 2000
- Human Rights Act 1998
- Statistics and Registration Services Act 2007
- Environmental Information Regulations Act 2004.
It is therefore important to ensure that sensitive data is handled correctly.
What constitutes personal, confidential or sensitive data?
Personal data is 'data which relates to a living individual who can be identified from those data OR from those data and other information which is in the possession of or is likely to come into the possession of the data controller (e.g. University) and includes any expression of opinion about the individual' – Data Protection Act (1998).
Confidential data is data that:
• 'can be connected to the person providing them or that could lead to the identification of a person referred to (names, addresses, occupation, photographs)
• are given in confidence, or data agreed to be kept confidential (secret) between two parties, that are not in the public domain
• are conditioned by factors such as ethical guidelines, legal requirements or research-specific consent agreements' – UK Data Archive
Sensitive personal data is information relating to:
'(a)the racial or ethnic origin of the data subject,
(b)his political opinions,
(c)his religious beliefs or other beliefs of a similar nature,
(d)whether he is a member of a trade union (within the meaning of the M1Trade Union and Labour Relations (Consolidation) Act 1992),
(e)his physical or mental health or condition,
(f)his sexual life,
(g)the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings'- Data Protection Act (1998)
What are guidelines about sharing personal, confidential or sensitive data?
There is a common misconception that you cannot share data that is categorised as personal, confidential or sensitive. This is not necessarily true and there are certain strategies that you can take that will protect the integrity of such data but still allow you to share it within the public domain, for example by:
- Gaining informed consent
- Anonymising data or
- Restricting Access to data
How should such data be stored?
It is good practice to limit the amount of people that can access personal, confidential or sensitive data, and to ensure there are sufficient security measures in place (i.e. encryption or passwords).
Alternatively, you could separate personal, confidential or sensitive data from other data files and store them separately (still encrypted or password protected), or remove any personal identifiers (e.g. names).
It is important to remember that personal data can be found on consent forms, information sheets and patient records and these would also need to be safeguarded. It is also advisable to document (e.g. through sufficient metadata) a datasets level of sensitivity and any ethical considerations in case this information is required in the future, and so others are aware of such measures if they re-use your data.