Discover resources and guidelines to help you curate your research data.
Protecting research data
City's Audit & Risk Committee (ARC) has issued a directive which requires City owned laptops and PCs to be encrypted, in order to reduce the risk of an unauthorised disclosure of sensitive information, due to accidental loss or theft.
The loss of any laptop belonging to the institution must be reported to the IT Service Desk. If you know of an institutional laptop that does not have encryption please contact the IT Service Desk.
More information can be found in the Mobile Device Security Policy.
City advises all members of staff and students to only use institutional devices when they are away on business (incl. field work). If possible store data on OneDrive and not on a mobile device.
If you are unsure how you can borrow encrypted electronic devices (including laptops and flash drives), contact the IT Service Desk on 0207 040 8181 or via ServiceNow.
Sharing and transferring to personal data to third parties or outside of the UK
- Do not transfer or share files containing personal data with third parties unless you have obtained informed consent from the data subjects.
- If the transfer of personal data is necessary, you should contact the R&E Strategy and Compliance team who will assist you in assessing ethical and legal risks and prepare a data sharing agreement if sharing personal data is unavoidable.
- If personal data of participants need to be transferred outside the UK, principle 8 of the Data Protection Act needs to be considered, which states: 'personal data shall not be transferred to a country or territory outside the European Economic Area unless the country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data'.
- Care should be taken when transporting data in electronic devices during travel. Please visit the Encryption section above for more information.
More information on sending personal data outside the European Economic Area can be found on the Information Commissioner's Office website.
If you have any questions please contact email@example.com.
According to the Intellectual Property policy, research data is owned by City.
In accordance with the JISC definition of personal data, personal data is information that:
All Personal Data must be processed in accordance with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR).
If you have any queries please email firstname.lastname@example.org.
Sharing personal data
Extra care should be taken to ensure the security of research material containing personal data, which is subject to the provisions of the Data Protection Act 2018, GDPR and the Data Protection Bill.
In some instances restrictions of data is mandatory. However, this does not mean that the data cannot be shared. The most common way of sharing sensitive personal data is by putting in place strict procedures that users have to follow before they access such data.
Please contact your School's Contract Manager for advice.
Sensitive personal data
Sensitive Personal Data relates to the subject's:
- Racial or ethnic origin
- Political opinions
- Religious beliefs or other beliefs of a similar nature
- Membership of a trade union
- Physical or mental health or condition
- Sexual life
- Commission or alleged commission of any offence
- Involvement in criminal proceedings for any offence or alleged offence committed by them, including outcomes such as judgement and sentencing.
It should be noted that there are specific conditions when processing sensitive personal data.
There are legal and ethical obligations when you conduct research with human participants. Find out more about how to apply for ethical approval.
Personal and sensitive personal data fall within the remit of the Data Protection Act 2018. However, anonymised data do not fall within such remit as it is not possible to identify participants.
Having said that, it is important to acknowledge that many methods produce pseudonymised data rather than truly anonymous data and from 25th May 2018 pseudonymised data may fall within the remit of the GDPR; careful consideration should be taken on the methods used to anonymise data.
More information on how you can effectively anonymise data can be found here:
- JISC website
- Information Commissioner's Office website
- UK Anonymisation Network (UKAN) website
- UKAN's Anonymisation Decision-Making Framework.
A key principle of data protection is 'data minimisation'. If data is not collected, the risk of its future misuse is automatically reduced.
You should consider for example, whether satisfactory research outcomes can be achieved without collection of personal data or with only minimal collection of personal data. This might mean that your research does not require a subject's date of birth, just their age range, or just the first part of their postcode rather than their full address (Data Protection and Research Data, JISC).
Further information about confidentiality, data protection and informed consent is covered in our pages on research ethics.
The lifespan of data and retention guidelines
City advises researchers to keep their data for the completion of their project + 10 years. Some funders, however, might have some additional requirements; please check your funder's website for more information.
|Records required to demonstrate good research practice (i.e. research data management plans, consent forms).|
|Records containing personal information relating to clinical or public health studies funded by the Medical Research Council.||Retain for 20 years after the completion of a research project. Please check the MRC guide for more information.|
Primary research data (and where possible/relevant specimens, samples, questionnaires, transcripts) including data generated in the course of a project which may have a secondary use of other research and learning.
In exceptional circumstances primary research data such as videotapes might need to be retained as well. For example, disciplines such as Speech Therapy might need to keep the original tape (instead of only the transcript) as it might include elements that cannot be replicated by any other means.
|Records documenting the registration of intellectual property, the registration of intellectual property rights (e.g. and trademarks applications and certificates).||Retain permanently.|
|Records relating to IPR licensing agreements.||Destroy 7 years after the intellectual property rights have lapsed.|
|All other records generated during a research project and not covered by any of the above disposal classes.|
Retain for whichever is longer:
Records of projects which:
|A full set of records should be preserved permanently.|
|Conducting a clinical trial (CTIMP)|
Trial data must be kept for 5 years after the end of the trial and data used for marketing authorisation must be kept for 15 years.
However, some other data may be required to be kept indefinitely; please check the MHRA guidance on record retention.
|Working papers for the preparation of publications, audio-visual presentations etc. to disseminate research results (NOT interim or final research reports).||Publication/Delivery + 1 year.|
|Final versions of publications and presentations made to disseminate research results (NOT interim or final research reports).||Publication/Delivery + 3 years.|
|Records documenting the management of internally-funded research projects.||Completion of project + 3 years.|
|Records documenting the management of externally-funded research projects.||Completion of project + 6 years.|
* an earlier version of the above table was presented as part of the 'Research Records' paper in the Research Ethics Committee in October 2014.
Most data can be digitised.
However, if for some reason any of your data cannot be stored online and your School does not have any storage space to accommodate such a request, City has a contract with an off-site archiving facility called 'Restore', which researchers can use to archive hardcopies.
Please note that the cost will come out of the School budget.
Storing hardcopies of data (i.e. documents, hardware)
Responsibility for the provision and maintenance of suitable storage and secure disposal facilities rests with Schools, who are responsible for arranging with the school administrator or faculty assistant the identification, allocation and management of space and facilities to meet the needs of their staff and subject areas.
The requirements for data storage and archiving will vary depending on the academic discipline and may also be dictated by the funding body and/or publisher where relevant.
Archiving hardcopy data and documents
Please consider scanning hard copies to minimise the amount of space required to store data. To store hardcopy documentation:
- Please order archiving boxes from your School Administrator.
- Fill the boxes with the paper materials.
- More than one type of document can be placed in a box but where possible, it is helpful to keep project documents with similar destruction dates together.
- Use the Project Archive Log to note which documents are stored in each box.
- Print one copy of the log for each box and place on the external side.
- If you are using more than one box, please number the boxes (1/3, 2/3, 3/3).
- Please notify your School Administrator when the boxes are ready for archiving.
The boxes will be stored in a secure locked store room in your Department until capacity is reached. If capacity is reached in the store room staff will be notified to identify which documentation can be securely stored with an external storage company. This cannot happen without the Principal Investigator's consent.
Retrieving hardcopy data and documents
To retrieve your archived box please email the saved completed copy of the Project Archive Log to your School Administrator or Faculty Assistant and indicate which box number you wish to have. Boxes will be returned to you within 7 working days from the day of your request (or 14 working days during the summer holidays).