Approval of proposed recording and transcription activities

If ethical approval is required for the research project in which recordings will be taken (as verified by the University’s Ethics Decision Tool), this approval must be obtained before commencing any recording. Please note that all guidance information below must be followed for any recordings to be taken, including those that are parts of projects requiring ethical approval and those that are classed as ethically exempt.

 Prior to approval the Supervisor/Principal Investigator must ensure that, for each element of information to be gathered, the following have been considered:

• The recording must be limited to the information necessary to address the aims of the research project;
• The structure of the recording must be planned in advance so far as is appropriate to the research project;
• The need for audio recording as opposed to taking field notes and/or the need to use a video recording as opposed to an audio recording has been justified; and
• Any new requests to purchase recording equipment must be for encrypted devices as advised by Research IT, and the cost of such equipment must be included in funding applications.

 Details of the proposed recording must be included in the full mandatory Data Management Plan completed for the research project.  Additionally, the end-to-end data handling of these recordings must be documented (e.g. by completing a data flow diagram or narrative). Approved storage for research data can be found here.  If it is not possible to meet the storage requirements, a review of the Data Management Plan must be requested via DMP Online and any questions directed to Research IT via the tool.

 The PI/Supervisor must sign to confirm that they understand and will comply with this Procedure either through the Ethical Review Manager (ERM) system or the faculty research governance review process.

Recording participants - instructions

• Only record what has been approved by the ethics committee as necessary for the study;
• Ensure the location of any recording is appropriate (e.g. consider the privacy and comfort of the participant and/or any risk involved);
• Where possible the name of the interviewee must not be recorded unless verbal consent is required and this must be both recorded and stored separately from the rest of the interview data;
• If using Zoom or Teams for audio and/or video recordings, ensure you adhere to the guidance issued by Research IT and Information Governance.
• An encrypted University-provided device should be used for recording (e.g. an Apple iOS device such as an iPod touch, iPhone or iPad which has been enrolled onto the University Exchange email service to activate device encryption).
• If it is not possible to use an encrypted University provided device (e.g. for UG or PGT students or for staff projects with limited funding), personal devices may be used for recordings provided the following criteria are met:
  • The device is enrolled onto the University Exchange email service to activate device encryption
  • All recordings are immediately transferred off of the personal device onto University storage and any copies of the recordings on the personal devices are deleted.
  • Any cloud back-up services that the device is connected to are turned off or disabled until the recordings are permanently removed from the device.

• The device used to make the recording must never be left unattended and must be locked away securely when not in use; and

If a recording device is shared, any recordings must be deleted prior to handing over to another user.

Storage and Processing of Recordings

Transfer of recordings to University storage

• Recordings must be transferred from the recording device to University storage (as detailed in the Data Management Plan) as soon as possible to ensure that a master copy is backed up and the file is encrypted.
• Recordings should be checked once transferred and before deleting from the recording device.
• Examples of methods for transferring recordings securely to University storage can be found in Appendix A.

Storage of recordings   

• Transcripts must be securely stored (i.e. on servers provided through IT Services (“University servers”)).
• Appropriate storage must be used as per the information security classification of the data captured, as well as any third party data providers’ requirements.
• Approved storage for research data can be found here.  LiData must be encrypted to AES 256 standard when not in use. Further University of Manchester guidance on file encryption can be found here.
• Highly restricted information must always be encrypted, including data on University systems and with third-party/cloud service providers.[1]
• Transcripts not held on University servers must be stored on an encrypted device for temporary storage only. They must be transferred to University servers and deleted from temporary storage as soon as possible. Information regarding hardware encrypted USB sticks can be found here: http://www.itservices.manchester.ac.uk/secure-it/encryption/usb/ More advice on Portable Devices can also be found here.

Data transfer, collaboration or sharing

If recordings that contain personal data are moved to another organisation, a data transfer agreement may be required to be put in place between the organisations, particularly where it is not possible to anonymise the data (e.g. observational studies).   This also applies when staff leave the University and request to take the data with them, and may apply if staff move within the University.  

• Recordings must be transferred from the recording device to University storage (as detailed in the Data Management Plan) as soon as possible to ensure that a master copy is backed up and the file is encrypted.
• Recordings should be checked once transferred and before deleting from the recording device.

 Guidance on how device tools can be used to transfer data is provided below.

 Apple Devices

When using University-provided Apple devices such as iPads the following process using iTunes can be used.

The transfer process using iTunes requires the iTunes application installing on your University of Manchester PC to make a connection from your iPad to your PC via the USB data/charging cable.  Once connected, you can then transfer data from a compatible iPad app as per this Apple knowledge base article: https://support.apple.com/kb/PH20348?locale=en_US

This enables a direct transfer from the iPad to the PC, or network storage mapped to the PC such as the P drive or a shared drive.  The process must not involve transferring the data to iCloud or any other third-party hosted cloud service.  Please see the screenshot below for an example of using iTunes to transfer a PDF from the GoodReader app on an iPad directly to the P Drive using the ‘save to’ button at the bottom right of the screen.

Video Recorders

There are no mass-produced camcorders with built-in encryption capabilities. Therefore, when using a camcorder to record sensitive data alternative security measures will need to be implemented. The camcorder must be stored in a locked location when not in use. The data must be transferred from any insecure portable media at the end of every recording session or day, whichever is more appropriate, to University storage (see section 3.6 and 3.7).  If this is not possible it must be stored on an encrypted medium until it is possible to move to University storage. If stored on an unencrypted drive, the video files must be encrypted following University guidance on file encryption, which can be found here. Once the transfer is complete, the videos on the media used in the camcorder, eg SD card, must be wiped with a secure deletion utility.

Transfer of data to University of Manchester or External Collaborators

The following tools can be used to transfer data to the University of Manchester or External Collaborators:

• University of Manchester Dropbox Service – Data must be encrypted before storing on the service. Please read the terms and conditions of use of this service at: http://www.itservices.manchester.ac.uk/ourservices/catalogue/commscollab/sec/
• Zendto – Data must be encrypted before sending via Zendto. More information on the Zendto service can be found at: https://zendto.manchester.ac.uk/

Retention and Destruction

Information must be kept in accordance with the University’s Retention Schedule and Research Data Management Plan.  Destruction of records must be performed in a secure manner, ensuring that records to be destroyed are transported securely and destroyed completely in a manner that renders the information completely and irreversibly destroyed.  Further information regarding disposal of confidential material can be found here.

Incident Reporting

If recordings or transcripts that have not been anonymised are lost, stolen, corrupted or disclosed to, or accessed by, unauthorised persons, it must be reported to the Head of Information Governance as soon as possible in order that appropriate measures can be taken to contain any damage and minimise the harm which might arise.

 Contact the Information Governance Office:

Email: infosec@listserv.manchester.ac.uk

Telephone: 0161 275 7789

If you are storing personal identifiable data that you have collected for a research project, the current advice is to leave the data where it is. 

Do not move the data or back it up on a personal device. 

You can continue to collect personal data as part of research projects. If personal data are collected on encrypted devices, or in an external system (e.g. e-surveys, Zoom interviews) you should still download this to University of Manchester servers (e.g. RDS), but until the cyber incident has been resolved, you should not delete it from the device or external system to prevent any potential data loss.

When the cyber incident has been resolved in relation to the systems that store research data, you should then delete data from devices and external systems as usual.

• For studies where data have been collected and there is no ongoing communication with research participants there is no need to contact research participants unless their data becomes compromised and at that point the appropriate ethics committee should be consulted about contacting the research participants.

• For studies where communication with participants is ongoing assurances could be given that their data are currently safely stored but if that situation changes they will be informed immediately.

Any queries/concerns raised by research participants who have heard about the cyber-attack should be responded to. There are several different situations, and example texts are provided for each below. You should request to keep their contact details on file so that you can contact them again if necessary:

1. Personal data is no longer being held by the University, is minimal or is safely encrypted

“As far as we know at the moment the University systems holding research data have not been affected by the incident. In relation to the research project you participate(d) in, I am able to reassure you that we no longer hold your personal data. All the data has been fully anonymised and cannot be linked to you.”

or

“As far as we know at the moment the University systems holding research data have not been affected by the incident. In relation to the research project you participate(d) in, I am able to reassure you the only personal data we hold about you is your contact details and consent forms. This is separated from the research data and cannot be linked.”

or

“As far as we know at the moment the University systems holding research data have not been affected by the incident. In relation to the research project you participate(d) in, I am able to reassure you that all the files that contain your personal data are encrypted and the encryption key is kept separate to these files.”

2. Pseudonymised date is being held by the University

“As far as we know at the moment the University systems holding research data have not been affected by the incident. In relation to the project you participate(d) in the data that we hold is pseudonymised. This means that the link between your data and your personal identifiers (e.g. name) is through a unique code number. The data file and the file with personal identifiers are kept separate and the personal identifier file has been encrypted, so that it is not readable by anyone who does not have the encryption key. The encryption key is also kept separate.”

3. Personal data is being held by the University

 “As far as we know at the moment the University systems holding research data have not been affected by the incident and the personal data we hold about you remains secure.  There is an ongoing investigation and should this situation change I will inform you immediately.”

Please ensure you use UoM email addresses and phone numbers for any recruitment activities. Personal numbers/emails/social media accounts should not be used for this purpose.

• When planning what personal information you will collect as part of your research study, please ensure you only collect what is essential in order to answer your research question or describe your participants as part of any research outputs. You should refrain from collecting unnecessary demographic information (e.g. annual income, marital status, ethnicity, etc) unless it aims to answer a specific part of your study and has been approved by the ethics committee.
• Audio/video recordings and photographs should be collected on encrypted devices or those which use encrypted cards. These devices can be those you own personally as long as they conform to all University expectations and requirements (see here for more information) and any cloud back-up connection has been disabled.
• Once data has been collected, it should be transferred to a secure University server as soon as possible and deleted from the portable device/card.
• If you wish to use WhatsApp for the collection of personal information for your study (e.g. asking participants to answer questions/send video diaries) you will need to speak with the Information Governance Office and obtain approval. Please remember to attach a copy of the IGO’s approval to your ethics application for ease of review.

• You should anonymise all research data as soon as possible in order to protect the confidentiality of participants.
• If you are not able to anonymise your data immediately (e.g. you need the data to be linked while performing your analysis), please consider pseudonymising the data until your analysis is complete.
• Pseudonymisation is the process of assigning a random ID number to each participant and creating a key (e.g. excel spreadsheet) which contains the name of each participant as well as their ID number.  Names of participants are then removed from their research data and replaced with the ID number. The key is encrypted, password protected and stored separately (in a separate physical location) to the research data. The key should be destroyed at the conclusion of your project unless otherwise required (e.g. for longitudinal work undertaken by your supervisor).

• When analysing your data, it’s best practice to access the data directly from University servers. This can include working on data stored on your OneDrive or Sharepoint via your laptop.
• If this is not possible, please use an encrypted device to perform the analysis.
• Analysis, including transcription, should be done in a private space where others are not able to see or hear any of the information you are accessing.

• Paper data (e.g. consent forms) needs to be stored in a secure place that only the research team have access to (e.g. a locked cabinet in an University office on campus). Data should not be stored at personal residences.
• Please consider whether it is appropriate to digitise your paper data in order to facilitate more secure storage (e.g. digitising records of consent).
• Electronic data needs to be stored on University servers, the research drive of your supervisor or a University approved cloud service (e.g. OneDrive or SharePoint)
• As a general rule, please do not use external hard drives, USB sticks or other portable devices to store personal identifiable data as they can be lost or stolen. If you need to use one of these devices due to size limitations (e.g. large video files) or transfer challenges (e.g. working abroad with no connection to University servers), please see advice from your supervisor or Programme Director as the device/card would need to be encrypted.
• Research data should be kept for the time period as specified in the Records Retention Schedule. Usually this is 1 year past submission of the dissertation for UG and PGT students and 5 years for PGR students. Please ensure this is the same period you list in your ethics application and Data Management Plan (if you are using a DMP).
• Personal data (e.g. contact details) should be deleted as soon as they are no longer required. If you are retaining contact details in order to contact participants about future projects or sharing the findings from your study, these should be stored in a separate, password protected file on a University server or approved cloud service.

• The data custodian of your study is your supervisor.
• Please ensure you transfer custody of all paper and electronic data to your supervisor before you leave the University.

• If you wish to share research data with others or retain it (in either personal or anonymous format) to be used in future research studies, this must be explicitly mentioned in the participant information sheet and consent form.