By Kirsty, on 16 February 2022
When working with an external collaborator from another university, an industrial partner, or obtaining access to pre-existing data provided by a third party there are data management responsibilities to be aware of. Transfer of data can involve legally binding agreements governing data storage and usage. Even if a legal agreement is not required, managing the transfer and sharing of data can be challenging. Here’s a short guide to services and support at UCL.
Where to put your data?
There are several systems for storing data at UCL, depending on your needs. Here is a quick guide to determine the most suitable choice when transferring data in from external sources.
- Dropbox (www.ucl.ac.uk/dropbox/) Not to be confused with the commercial service of the same name! This service is simple and convenient if you want to transfer a small number of files to or from an external collaborator outside of UCL as a one off and needs no specific security requirements
- SharePoint and OneDrive for Business Is a better option if you need to transfer files between yourself and a collaborator more frequently. Once you are set up with this system it can be configured to allow an external user access.
- Research Data Storage Service Is for large scale data storage and supports rapid transfer of large files. Once a project is set up it can be configured to allow access for external users. This is an excellent system to use for the transfer of very large data volumes.
- Data Safe Haven This secure data storage service is suitable for personal identifiable data, and could be used in other instances when a higher level of security is desired. It conforms to the ISO 27001 standard for information security management and the NHS DSP requirements. A level of training and verification is required to get set up on the platform, so if your project requires this it’s best to begin the process as soon as possible.
- The UCL Jill Dando Institute runs a specialised laboratory for processing data which is highly sensitive such as confidential crime data. This is probably beyond the needs of the majority of UCL projects. These facilities are suitable for those that require a system which is a Police Assured Secure Facility or need to work with UK government data marked as OFFICIAL-SENSITIVE and OFFICIAL. Similar to the Data Safe Haven there is a vetting and training process to get access.
Using surveys to collect data
Recently there has been move toward doing survey work largely online to support social distancing. Using online survey tools can be an efficient way to gather responses from participants and may even allow for an increase in the size and scope of a study, but there are data security concerns to be aware of.
- Questionnaires can be constructed using a variety of online tools. For any research that doesn’t involve collection of identifiable personal information there is no special requirement here. In fact, the free google forms service might fit the needs of many projects.
- UCL has access to some in-house tools that provide some extra functionality. If identifiable or otherwise sensitive data is being collected the REDcap tool can be used to send this data directly into the Data Safe Haven.
- Of course, some projects may still make use of an in-person paper survey form. In these cases, if the forms contain identifiable or sensitive information it is necessary to store the documents in a physically secure location. If the data needs to be converted into electronic format then it should be stored in the Data Safe Haven system.
- For survey work involving in-depth interviews with participants, the situation is a little more difficult. The nature of these sorts of interviews increases the likelihood of sensitive information being given. When conducting in-person interviews consider using recording devices with built-in encryption. If recording a zoom or teams interview make sure the recording is transferred as quickly as possible to safe storage and is not left in cloud storage for any length of time.
Data Transfer Agreements
You may require a kind of contract to get data from a third party, and there might be conditions attached to the permission to use this data. These kinds of contract are called Data Transfer Agreements (DTA) might need to be in place and is very likely to be part of the process when working with a commercial partner. Academic collaborators should also consider having a DTA drawn up, just to ensure clarity of how the data is being processed and prevent any disputes that could otherwise arise.
A data transfer agreement (DTA) is a specific version of a materials transfer agreement, which is a type of contract used when physical objects materials with scientific or commercial value and transferred between UCL and a third party. Both of these are handled by UCL Research and Innovation services who can provide more information and guidance on this if required.
Do also be aware that a data transfer agreement can be put in place by UCL staff and students when giving data to an external organisation too. They work both ways! If you ever need to share data with an external collaborator always consider if a DTA is necessary. It might be a useful tool to make sure your data is used for its intended purpose and is looked after properly.
This agreement is important as it outlines your responsibilities and permissions with respect to the data and is a legally binding agreement. There may be restrictions on what it can be used for, who can access it, and what security will be in place to protect the data. The agreement will specify details such as whether the data can or cannot be shared with other staff at UCL, with external partners, and what kind of security arrangements are required for storage.
Data Sources with specific application processes
A great deal of data is collected by government departments, healthcare providers and other services which can potentially be very valuable for researchers. UK law permits data the secondary use of personal data collected for reasons such as health, policing, education to be re-used for research if it is deemed to be in the public good. While specific agreements with other universities or commercial partners can be covered with DTAs, these data providers have well defined processes for granting access as they deal with relative large volumes of requests. Depending on the type of data you may have to meet security requirements. The UCL Data Safe Haven often helps with this. Here are some examples of data access services:
Need further guidance?
This is a brief overview of a big topic, so if you want further guidance on any of these points several teams across UCL can assist.
- Information Governance assist with Data Safe Haven related questions: firstname.lastname@example.org
- The Data Protection team also assist with questions around handling personal data: email@example.com
- For more general enquiries the library research data management teams are a good first contact point and can direct you to the appropriate person: firstname.lastname@example.org