Resource Overview: Working with Personal Data

Key resources, support and considerations to help you work with personal data.

Here is an overview of key considerations and resources to help you work with personal data. It is useful for researchers working with personally identifiable data in health or social care-related projects. Please note that links to relevant training and guidance will be reviewed and updated regularly.

Topics covered include:

  • Definitions: sensitive data, personal data
  • Key considerations: legal frameworks (GDPR), roles and responsibilities, sponsorship, ethical approval
  • Data Management Plans, Data Protection Impact Assessments
  • Working with NHS data
  • Central University Infrastructure for data storage and transfer
  • Trusted Research Environments
  • Tips for managing personal and sensitive data
  • Information Security and Data Protection
  • Mandatory and suggested training
  • Key contacts

This resource complements the Spotlight Webinars on working with personal data. The webinar series sovers sponsorship, ethics, data protection, open research, data preservation, research contracts and supporting student projects in 30 minute slots.

View Spotlight Webinars

Key concepts

What is sensitive data? What is personal data? 

The term “sensitive data” is a bit of a catch-all term.

In health and social care research, it particularly involves personal data.

  • Personal data can be used to identify an individual person, either directly or indirectly (e.g. name, contact details, information on physical appearance, location data etc.).
  • Personal data also includes special category person data. As well as making a person more identifiable, special category data is more sensitive, and possessing this data makes a subject more vulnerable (e.g. ethnic origin, political opinions, religious beliefs, sexual orientation, genetic and biometric data, health data etc).
  • Personal data also includes data of offenders and suspected offenders. However, it is processed under a slightly different set of laws and receives extra protection.

It is important to note that sensitive data can also refer to commercially sensitive data, data that, if released, could adversely affect rare or endangered species, harm an individual or community or have a significant negative public impact. An overview of what counts as sensitive data can be found here: Working with sensitive data | The University of Edinburgh

Does my data count as personal data? This is a common question, and there is often no black and white answer. Even after removing obvious identifiers (e.g. name, date of birth, hospital number), participants may still be identifiable in some circumstances. For instance, imagine a database of people with an extremely rare condition or data coming from a small population local hospital. Even after names are removed, the combination of their age, sex and postcode might still make them identifiable, as no-one else will tick all the boxes. The more specific information there is, the higher the chance that it can be strung together (on its own, or combined with a different dataset) to render the participant identifiable

If you are unsure whether your data counts as personally identifiable or not, there are several teams that can support you with this.

Research Data Support Data Protection Officer

My data counts as personal data... what does this mean for me?

Legal Framework

If you are processing personal or identifiable data, various legal frameworks (e.g. GDPR) come into play. You can find University guidance on this through the Data Protection Office. More information is also available via UKRI and ICO.

UK/EU GDPR applies to:

  • Anyone in the UK/EU who processes personal data anywhere in the world.
  • Anyone outside the UK/EU who processes personal data on UK/EU citizens.

Understanding roles and responsibilities

You will need to understand who the data controller and data processor is for your research.

It is also necessary to carefully review your funder’s requirements in terms of how data should be handled in the short, medium and long term.

Depending on the source of your data, there may be a Data Sharing Agreement in place, which will specify how data needs to be handled. For example, the (American) National Institutes of Health (NIH) have a specific data sharing policy and principles of best practice for protecting participants. The Research Contracts Office at the university can help you putting data sharing agreements or other research contracts in place.

Sponsorship (for health and social care research)

All health care and social care research requires sponsorship. Sponsors are different from funders. Sponsors have overall responsibility of your research project and make sure it is feasible, safe, legal, ethical and meets all regulatory requirements.

Sponsorship should be obtained before ethical approval. In fact, the sponsor will instruct which type of research ethics committee (REC) the project should be submitted to.

ACCORD provides sponsorship for University of Edinburgh and/or NHS Lothian-led projects in health and social care. As part of the sponsorship review process, ACCORD will assess whether your plan for data collection and storage meets key requirements in terms of data protection and security. University of Edinburgh systems for data storage and management are known to them, and may be approved depending on the wider context of the proposed study and other safeguards. You get get in touch with their governance team through

Ethical approval

Please note that you will need to obtain ethical approval for your project if working with sensitive data. The ethics committee will review the purpose of the project, the impact on participants/subjects and the way you intend to process data (collection, storage, analysis, deletion). Please see more information on obtaining ethical approval from one of the University's research ethics committees here. For projects that involve NHS patients, their tissue or their data, you will need to get NHS REC approval, rather than a University REC approval.

Important planning documents

Data Management Plan

You are required to formally document how you aim to store and – if appropriate share your data through a Data Management Plan, e.g. using DMPOnline. DMPOnline has funder and University templates, with tailored guidance for each question. You can also have your Data Management Plan reviewed by one of the experts in the University Research Data Support Team and get feedback.

Data Protection Impact Assessment

To help you assess the risks associated with processing of person data, and ensure you comply with various legal frameworks, you need to fill in a Data Protection Impact Assessment.

Please note: If you have successfully obtained ACCORD sponsorship, a DPIA is not necessary.

NHS data

Working with NHS data

NHS Lothian

ACCORD provides sponsorship for University of Edinburgh as well as NHS Lothian-led studies involving humans, their tissue or their data. They can give advice on what additional approvals and pathways are necessary to work with NHS data. Amongst many helpful resources, their website includes information on NHS Lothian requirements for Information Governance and IT Security.

View the University guidance on the requirements for access, security and information governance of NHS Lothian data for research.

DataLoch provides a safe and secure environment for accessing routinely collected health and social care data. See also trusted research environments below.

Beyond Lothian

The Health Data Access Tool Kit helps you understand which approvals you need to access routinely collected NHS data, and points towards key considerations you need to address for a successful application.

The HDRUK Innovation Gateway | Homepage ( lets you search and request hundreds of health datasets and research tools.

Please note: Consent from research participants or NHS Caldicott Guardian approval may be required to obtain data

Data storage and transfer

Personal data - data storage and data transfer options  

Disclaimer: Each project leader and data processor is responsible for their own data. Please consider guidance or limitations set out by the data provider, funder or study sponsor, e.g. ACCORD. This is a rough guide whether systems are likely to be suitable and approved.

Please note: If researchers are working directly with NHS Lothian data, data should be kept on NHS Lothian servers. NHS Lothian data should only be transferred to University of Edinburgh servers if appropriate data sharing agreements and approvals are in place and the data has been de-identified.

Central University Infrastructure 

Summary of data tools


For active research data. In general, DataStore is suitable for personally identifiable data with suitable safeguards (for example pseudonymisation and encryption), which is the responsibility of the data holder. However, it will always depend on the wider context of the research project and the details within the data management plan, all of which will be taken into consideration during the sponsorship approval process with ACCORD (see above).

Security Features

  • Not publicly accessible or discoverable, remote access through VPN
  • Behind institutional firewall and local firewall on the server; additionally, router has Access Control Lists
  • Critical security patches are kept up to date
  • Only provides web access through DataSync
  • Directory permissions are restricted to the owner and group
  • Data recovery possible for set timeframe
  • Large scale tape library back up data is not recoverable without the correct permissions (i.e. striped across many tapes and metadata required to reconstruct). Back-ups are deleted securely after set timeframe
  • Access to physical servers, network hardware etc is controlled electronically and logged
  • Server within University of Edinburgh, no data on third party servers

Things to be aware of

  • Not automatically encrypted – you will need to manually encrypt desired folders
  • Does not currently use two factor authentication
  • Various security aspects are user controlled: secure deletion, password strength and timeline for changing, access given to group members and approving new users, folder configuration, control of number and location of physical copies of data
  • No image specific security in place
More on DataStore Compare OneDrive & Sharepoint


For long-term data retention or archiving. Data on DataVault is automatically encrypted, and is approved for storing sensitive data by the University. It has approval from NHS Lothian to store pseudonymised health and social care data on a case by case basis. However, you may need to provide justification for retaining personal data (e.g. data protection exemptions, permission from ethics committee).

Security Features

  • All data is encrypted
  • Sensitive data is labelled as such to ensure safeguarding upon retrieval
  • Restricted access (the current data owner or nominated individuals only)
  • Several features to prevent corruption of data e.g. fixity checks, files saved to three widely separate locations
  • Server within University of Edinburgh, no data on third party servers

Things to be aware of

  • You may need to provide justification for retaining personal data (e.g. data protection exemptions, permission from ethics committee)
  • DataVault owners have to be a member of UoE, so when researchers leave, they need to transfer vault ownership. More info on roles and permissions here
  • There is an ongoing cost associated with Datavault if project is > 100 GB
More on DataVault Compare DataShare


For data transfer. Is approved for sensitive data if suitable safeguards in place (e.g. encryption). It is important that you discuss the transfer of sensitive data with all parties involved and have the necessary agreements in place.

Security Features

  • Requires HTTPS for connecting to web interface
  • Files are encrypted in flight using TLS
  • Server within University of Edinburgh, no data on third party servers.

Things to be aware of

  • Only data in motion is encrypted. Files stored on server are not encrypted – this needs to be set up manually
  • Various security aspects are user controlled e.g. sharing configurations
More on DataSync

Trusted Research Environments 

If research data requires advanced security, it should be kept in a controlled and secure environment. The following ones are recommended by the University of Edinburgh:

EIDF - Edinburgh International Data Facility - EIDF provide a range of security environments. Access depends on which service you want to use, how much resource you require and what type of user you are. Please contact them to explore the available options.

Dataloch - a service developed by the University of Edinburgh and NHS Lothian offering secure access to a predetermined set of health and social care data for approved applicants.

LRSH - Lothian Research Safe Haven - more info on the ACCORD website, who would be involved from the outset.

Data Management

Top Tips for Managing Personal and Sensitive Data

These tips provide a general overview of things to consider for managing data in your research project. They are by no means a finite “to-do” list; instead, they are intended to get you thinking, and go off and explore certain areas in more depth using the links provided. After all, every project is unique, and will therefore have a unique set of requirements, which should be documented in things such as your data management plan or data protection impact assessment.

This may sound daunting, but there is lots of support around for this! If you want to discuss your individual project requirements further, you can get in touch with the Research Data Support Team or Data Protection Officers. Some Schools/Institutes also have a Data Manager who you can ask for advice.


  • If working with personal data, or other types of sensitive data, you should consider whether encryption is necessary. Using a Data Protection Impact Assessment, you can weigh up the risks for and against this.
  • If you decide that encryption is the right way to go, you can read more about University Guidance on encryption, as well as UK Data Service Guidance.


  • Think about options to de-identify at the point of collection. We recommend coming up with an anonymisation or de-identification plan and to keep a change log too. That way, you can make sure de-identification is consistent and done properly.
  • Anonymisation completely removes identifiers, and irreversibly prevents the identification of data subjects. This is difficult to achieve, more often the data is pseudonymised.
  • With pseudonymisation, key identifiers are removed/replaced and a key is created to enable re-identification. You should store the key in a separate encrypted container, and make sure you only have one copy of these. Pseudonymised data still counts as personal data.
  • See University Guidance for anonymisation/pseudonymisation of data, as well as the Information Commissioner's Office Guidance.

3rd party servers

  • Please make sure that sensitive/identifiable data is not stored on or transferred through 3rd party servers outside of the UK/EU, especially if they have not been vetted or contracted by the University of Edinburgh.
  • In general, the use of third-party servers is riskier, and you may violate the University’s data protection agreements.
  • Instead, the University provides secure facilities for data storage and sharing (see above).

Portable devices  

  • e.g. laptops, audio recorders, tablets, USB sticks, audio/video recorders. Please note that University-managed devices are often encrypted from the onset.
  • Proposed use of these devices should be documented in the data management plan, ethics application and sponsorship application.
  • Sometimes remote desktop connections can be an alternative to portable devices, but you need to check whether working remotely is authorized by the PI and covered in the relevant data sharing agreement and/or data management plan.
  • For storing data:
    • We strongly recommend not using any of these options as a primary location for storing any data, but especially sensitive data. The risks of loss, theft, damage, etc. are too high.
  • For collecting data:
    • Only use these devices for data collection if you have the necessary permissions in place, and make sure they are encrypted to a high standard.
    • If the devices can be connected directly to the network (using the VPN), data collected should be saved directly to DataStore, not kept on e.g. laptop hard drives.
    • If devices cannot be connected to the network directly (e.g. recorders), data should be saved on DataStore as soon as possible and securely deleted from the device. Writing a back-up schedule can help with this.

Access configurations

  • It is up to the user or group to configure shared group storage spaces or access controls for certain data. The need to access data may change across a project, as do the roles and responsibilities of group members and collaborators.
  • It is advisable to limit data sharing and authorised individuals, and regularly review user permissions.

File Sharing

  • If transferring sensitive/identifiable data, the requirements and the process should be carefully discussed with the parties involved. Data sharing may not be necessary – an alternative is working on shared folders in DataStore.
  • All data flows leaving the University must be documented with a Data Protection Impact Assessment and lodged with the Data Protection Office.
  • Never use email, Dropbox or Google Drive for file sharing. Make sure you use secure channels and SFTP.

File deletion 

  • Think about how long you need to keep your data for, taking into consideration funder and sponsor requirements and relevant legislation. Document it in your data management plan.
  • Secure deletion is not achieved by the delete key or moving something to the desktop recycling bin. Instead, you can use secure disk eraser programmes - see University guidance. You can get in touch with the Research Data Support Team to discuss further options for secure deletion, such as file-level delete applications for Windows or secure delete applications in Linux coreutils.

Do not store copies of identifiable data on a device unless explicitly approved by your sponsor and ethics committee.


Information Security and Data Protection

For sensitive and identifiable data, it is key to prevent unauthorized access through good information security. Data Protection encompasses a set of laws, regulation and guidance on collecting and using personal data.

University of Edinburgh Resources

Other Resources



University of Edinburgh - mandatory training

  • Data Protection Training: online self-paced course on Learn. Compulsory for all staff and strongly recommended for students. Self-enrol via People and Money.
  • Information Security Essentials: Online self-paced course. Compulsory for all staff and strongly recommended for students. It is divided into five modules. Self-enrol on Learn.
  • Data Protection for Research: online self-paced course on Learn. Compulsory for academic research staff. Self-enrol via People and Money.

University of Edinburgh - additional training and workshops

  • Working with sensitive data workshop: This training is provided by Research Data Service, with scheduled sessions at various points during the semester – in person or online. You can view the course schedule and the timings following the link above.
  • Workshops run by Edinburgh Clinical Research Facility, e.g. “Research, GDPR and Confidentiality”: There is a limited number of subsidised spots on these courses for members of the NHS or the University of Edinburgh. See full list of training using the link above.
  • The Spotlight Webinar Series covers seven 30 minute webinars on working with personal data. Topics include: sponsorship, ethics, data protection, research contracts, open science, data preservation and supporting student projects,

Other training providers

Summary and Helpful Links

What counts as sensitive data? What counts as personal data?

Guidance on GDPR and legal frameworks

Guidance on data sharing agreements, data transfers, research contracts

Guidance on Data Protection Impact Assessments (DPIAs)

Guide to anonymisation/pseudonymisation of data

Guide to encryption

Guidance on research integrity

Guide to secure deletion

Guidance on Information Security in research

Guidance on accessing/working with NHS data

Key Contacts

  • ACCORD: Mandatory first point of contact for conducting a clinical-based study at the University of Edinburgh. They issue sponsorship, which also entails support on protocol development, regulatory compliance and risk assessment. Accord ( You can directly get in touch with their governance team at
  • College-level ethics committees: Ethical approval should be obtained once sponsorship is in place. See here for links to the various college contacts and processes: Research Ethics (
  • Research Data Service: Supporting researchers to manage their data through all stages of a research project. Appointments may be made for in-person or Teams meetings, 1:1. Experience with managing sensitive data. Contact | The University of Edinburgh
  • Information Security: Provides access to a library of guidance and advice on information security, as well as diverse training courses. The Information Security Team can also provide guidance on research projects. Information Security | Information Security (
  • Data Protection Office: For policies and guidance on data protection, including carrying out a data protection impact assessment (DPIA) for a research project. This is the right team if you want to report a data protection breach, or if you have a have a data protection query. Data Protection | The University of Edinburgh
  • Research Contracts Office: Helps with data sharing agreements, data transfers and other research contracts: Setting up research contracts | Edinburgh Research Office
  • CMVM IS Bioquarter and Central Support: Support with various hardware and software requirements of your research. View their SharePoint site for an overview of services and support or submit an IS ticket for queries.
  • Data Managers: Many schools and departments have Data Managers that can help with specific data management queries. If you are in CMVM, contact the data managers here:
  • MRC Regulatory Support Centre: Support and guidance for those conducting research with human participants, their tissue or data (not just MRC-funded projects). About us and contacts – UKRI