Data management and protection

Good data protection management means having effective processes and methodologies in place to maintain data integrity.

Questions related to data management and protection should be directed to the Information Governance Office. You can also find lots of helpful information on their website.

Information on the creation of data management plans for research projects can be found here.

Here are some useful links to more specific information:

Accessing NHS Digital Data

If you are planning to access NHS Digital data, you need to follow NHS Digital’s Data Access Request Service (DARS) process.

DARS application

When preparing a new DARS application, it is strongly advised that you seek advice from the University’s Research IT, Information Governance and Research Governance teams on the arrangements for accessing, transferring, and processing the NHS Digital data. Applicants can request advice form the University teams by sending a copy of the draft DARS application to research-gov-data@manchester.ac.uk and specifying the input required.

Data Sharing Agreement

Before the data can be accessed/ transferred, a Data Sharing Agreement (DSA) needs to be put in place between NHS Digital and the University. All DSAs must be reviewed by the University’s Contracts Team who will arrange for the DSA to be signed by the University’s authorised signatory.

In addition to the conditions outlined in the DSA, NHS Digital data users must be aware of the conditions outlined in the overarching Data Sharing Framework Contract (DSFC) in place between NHS Digital and The University of Manchester. The DSFC ensure that high standards are maintained by the University in safeguarding any data we receive from NHS Digital. Full details of what you need to consider are outlined in the University’s NHS Digital Data Sharing Framework Contract (DSFC) guidance document for users.

Related guidance

The University’s Data Safe Haven provides an infrastructure for the secure management of personal, sensitive and confidential information including NHS Digital data.

Making research data open and accessible

Open research relates to how research is performed and how knowledge is shared based on the principle that research should be as open, transparent, and accessible as possible. Open research also enables researchers to take advantage of digital technology.

Open research practices include:

pre-registration of hypotheses and/or research questions
the use of pre-prints
open-access publications and other outputs
full and transparent reporting of research workflows and statistical analysis code
sharing of original research materials
FAIR (Findable, Accessible, Interoperable, and Reusable) data

Not all of these practices will be appropriate for any given research project. Open research will look different in different disciplines but common to all is transparency in the research process.

When writing your data management plan you should consider how you will satisfy the University’s expectations for open research which are outlined in the Position Statement on Open Research (section 4). In particular, consider how you will make research data as open and accessible as possible and where relevant, justify any restrictions that might need to be applied. The University’s Research Data Management Standard Operating Procedure (sections 29-34) and Sharing data page provide guidance on publishing data, and the Concordat on Open Research Data (Principle #2) outlines valid reasons for restricting access to data.

You will also need to ensure that you include relevant information in your participant information sheet and consent form to make it clear to participants what will happen with the information they provide.

Guidance on the use of freedom of information requests for research purposes

Freedom of Information (FoI) requests legally compel public organisations to produce the information that is asked for in the request, if it falls within the legal criteria for such requests. Answering a FoI request may involve considerable resources if the information cannot easily be extracted from an organisation’s IT systems, or has not already been collated for other purposes. Organisations receiving FoI requests for information for research purposes are therefore likely to see this as a particularly aggressive form of data collection, and qualitatively different from a standard request concerning whether they are able to provide information that is important for a research project.

Using an FoI request to obtain information for the purposes of research should only be used under the following circumstances:

The information cannot be obtained via more usual and less aggressive means.

The research justifies the time and cost to the organisation(s) approached (e.g. we would not expect an undergraduate dissertation to justify this)

The potential future cost to any current or future relationship between the University and the organisation(s) has been considered.

Protecting and exploiting intellectual property

For detailed information about Intellectual Property at the University of Manchester please click here.

Guidance on Recordings

Approval of proposed recording and transcription activities

If ethical approval is required for the research project in which recordings will be taken (as verified by the University’s Ethics Decision Tool), this approval must be obtained before commencing any recording. Please note that all guidance information below must be followed for any recordings to be taken, including those that are parts of projects requiring ethical approval and those that are classed as ethically exempt.

Prior to approval the Supervisor/Principal Investigator must ensure that, for each element of information to be gathered, the following have been considered:

The recording must be limited to the information necessary to address the aims of the research project;
The structure of the recording must be planned in advance so far as is appropriate to the research project;
The need for audio recording as opposed to taking field notes and/or the need to use a video recording as opposed to an audio recording has been justified; and
Any new requests to purchase recording equipment must be for encrypted devices as advised by Research IT, and the cost of such equipment must be included in funding applications.

Details of the proposed recording must be included in the full mandatory Data Management Plan completed for the research project. Additionally, the end-to-end data handling of these recordings must be documented (e.g. by completing a data flow diagram or narrative). Approved storage for research data can be found here. If it is not possible to meet the storage requirements, a review of the Data Management Plan must be requested via DMP Online and any questions directed to Research IT via the tool.

The PI/Supervisor must sign to confirm that they understand and will comply with this Procedure either through the Ethical Review Manager (ERM) system or the faculty research governance review process.

Recording participants - instructions

Only record what has been approved by the ethics committee as necessary for the study;
Ensure the location of any recording is appropriate (e.g. consider the privacy and comfort of the participant and/or any risk involved);
Where possible the name of the interviewee must not be recorded unless verbal consent is required and this must be both recorded and stored separately from the rest of the interview data;
If using Zoom or Teams for audio and/or video recordings, ensure you adhere to the guidance issued by Research IT and Information Governance.
An encrypted University-provided device should be used for recording (e.g. an Apple iOS device such as an iPod touch, iPhone or iPad which has been enrolled onto the University Exchange email service to activate device encryption).
If it is not possible to use an encrypted University provided device (e.g. for UG or PGT students or for staff projects with limited funding), personal devices may be used for recordings provided the following criteria are met:
- The device is enrolled onto the University Exchange email service to activate device encryption
- All recordings are immediately transferred off of the personal device onto University storage and any copies of the recordings on the personal devices are deleted.
- Any cloud back-up services that the device is connected to are turned off or disabled until the recordings are permanently removed from the device.

The device used to make the recording must never be left unattended and must be locked away securely when not in use; and

If a recording device is shared, any recordings must be deleted prior to handing over to another user.

Storage and Processing of Recordings

Transfer of recordings to University storage

Recordings must be transferred from the recording device to University storage (as detailed in the Data Management Plan) as soon as possible to ensure that a master copy is backed up and the file is encrypted.
Recordings should be checked once transferred and before deleting from the recording device.
Examples of methods for transferring recordings securely to University storage can be found in Appendix A.

Storage of recordings

Transcripts must be securely stored (i.e. on servers provided through IT Services (“University servers”)).
Appropriate storage must be used as per the information security classification of the data captured, as well as any third party data providers’ requirements.
Approved storage for research data can be found here. LiData must be encrypted to AES 256 standard when not in use. Further University of Manchester guidance on file encryption can be found here.
Highly restricted information must always be encrypted, including data on University systems and with third-party/cloud service providers.[1]
Transcripts not held on University servers must be stored on an encrypted device for temporary storage only. They must be transferred to University servers and deleted from temporary storage as soon as possible. Information regarding hardware encrypted USB sticks can be found here: http://www.itservices.manchester.ac.uk/secure-it/encryption/usb/ More advice on Portable Devices can also be found here.

[1] Information Security Classification, Ownership and Secure Information Handling Standard Operating Procedure.

Processing the recordings (eg coding, analysis, transcription)

The identity of the participant must be anonymised in the transcript as soon as is practicable, unless consent has been sought to permit identification (e.g. an oral history archive);
The transcription of recordings must be done in a secure environment where the data subject cannot be seen or heard by another person outside the approved team. Further information regarding the minimum security controls can be found in the “Information security classification, ownership and secure information handling SOP”;
Transcription by a third-party is only permitted where either a University-approved transcription service is used (see ‘Find a supplier’ link on the Procurement homepage for more information) or other arrangements as approved by the ethics committee.

Transcription by those outside of the research team, including students, requires a signed confidentiality agreement.

Data transfer, collaboration or sharing

If recordings that contain personal data are moved to another organisation, a data transfer agreement may be required to be put in place between the organisations, particularly where it is not possible to anonymise the data (e.g. observational studies). This also applies when staff leave the University and request to take the data with them, and may apply if staff move within the University.

Recordings must be transferred from the recording device to University storage (as detailed in the Data Management Plan) as soon as possible to ensure that a master copy is backed up and the file is encrypted.
Recordings should be checked once transferred and before deleting from the recording device.

Guidance on how device tools can be used to transfer data is provided below.

Apple Devices

When using University-provided Apple devices such as iPads the following process using iTunes can be used.

The transfer process using iTunes requires the iTunes application installing on your University of Manchester PC to make a connection from your iPad to your PC via the USB data/charging cable. Once connected, you can then transfer data from a compatible iPad app as per this Apple knowledge base article: https://support.apple.com/kb/PH20348?locale=en_US

This enables a direct transfer from the iPad to the PC, or network storage mapped to the PC such as the P drive or a shared drive. The process must not involve transferring the data to iCloud or any other third-party hosted cloud service. Please see the screenshot below for an example of using iTunes to transfer a PDF from the GoodReader app on an iPad directly to the P Drive using the ‘save to’ button at the bottom right of the screen.

Video Recorders

There are no mass-produced camcorders with built-in encryption capabilities. Therefore, when using a camcorder to record sensitive data alternative security measures will need to be implemented. The camcorder must be stored in a locked location when not in use. The data must be transferred from any insecure portable media at the end of every recording session or day, whichever is more appropriate, to University storage (see section 3.6 and 3.7). If this is not possible it must be stored on an encrypted medium until it is possible to move to University storage. If stored on an unencrypted drive, the video files must be encrypted following University guidance on file encryption, which can be found here. Once the transfer is complete, the videos on the media used in the camcorder, eg SD card, must be wiped with a secure deletion utility.

Transfer of data to University of Manchester or External Collaborators

The following tools can be used to transfer data to the University of Manchester or External Collaborators:

University of Manchester Dropbox Service – Data must be encrypted before storing on the service. Please read the terms and conditions of use of this service at: http://www.itservices.manchester.ac.uk/ourservices/catalogue/commscollab/sec/
Zendto – Data must be encrypted before sending via Zendto. More information on the Zendto service can be found at: https://zendto.manchester.ac.uk/

Retention and Destruction

Information must be kept in accordance with the University’s Retention Schedule and Research Data Management Plan. Destruction of records must be performed in a secure manner, ensuring that records to be destroyed are transported securely and destroyed completely in a manner that renders the information completely and irreversibly destroyed. Further information regarding disposal of confidential material can be found here.

Incident Reporting

If recordings or transcripts that have not been anonymised are lost, stolen, corrupted or disclosed to, or accessed by, unauthorised persons, it must be reported to the Head of Information Governance as soon as possible in order that appropriate measures can be taken to contain any damage and minimise the harm which might arise.

Contact the Information Governance Office:

Email: infosec@listserv.manchester.ac.uk

Telephone: 0161 275 7789

Data Protection Laws

If you are conducting research in a country outside of the UK, you need to familiarise yourself with the relevant data protection laws of that country. Although these are subject to change, you can find general information about this by visiting https://www.dlapiperdataprotection.com/

Any queries in relation to the data protection laws of individual countries, including whether any special provisions will be needed regarding your research project should be directed to the Information Governance Office. Additional guidance and support on data protection can be found by visiting the Information Governance StaffNet pages.