CREATE & MANAGE DATA
STORING YOUR DATA
Physical security, network security and security of computer systems and files all need to be considered to ensure security of data and prevent unauthorised access, changes to data, disclosure or destruction of data.
Data security may be needed to protect intellectual property rights, commercial interests, or to keep sensitive information safe. Arrangements need to be proportionate to the nature of the data and the risks involved. Attention to security is also needed when data are to be destroyed.
Physical data security requires:
- controlling access to rooms and buildings where data, computers or media are held
- logging the removal of, and access to, media or hardcopy material in store rooms
- transporting sensitive data only under exceptional circumstances, even for repair purposes, e.g. giving a failed hard drive containing sensitive data to a computer manufacturer may cause a breach of security
Network security means:
- not storing confidential data such as those containing personal information on servers or computers connected to an external network, particularly servers that host internet services
- using firewall protection and applying security-related upgrades and patches to operating systems to avoid viruses and malicious code
Security of computer systems and files may include:
- locking computer systems with a password and installing a firewall system
- protecting servers against power surges with line-interactive uninterruptible power supply (UPS) systems
- implementing password protection of, and controlled access to, data files, e.g. no access, read only, read and write or administrator-only permission
- controlling access to restricted materials with encryption
- imposing non-disclosure agreements for managers or users of confidential data
- not sending personal or confidential data via email or other file transfer means without first encrypting them
- destroying data in a consistent manner when needed
- bearing in mind that file sharing services such as Google Docs or Dropbox may not be that secure
Note that deleting files and reformatting a hard drive will not prevent the possible recovery of data that have previously been on that hard drive.
Security of personal data
Where the safeguarding of personal data is involved, data security is based on national legislation, the Data Protection Act 1998, which dictates that personal data should only be accessible to authorised persons. Personal data may also exist in non-digital format, for example as patient records, signed consent forms, or interview cover sheets containing names, addresses and signatures. These should be protected in the same secure way as digital files and stored separately from data, whether in digital or non-digital format.
Data that contain personal information should be treated with higher levels of security than data which do not. Security can be made easier by:
- anonymising or aggregating data
- separating data content according to security needs
- removing personal information, such as names and addresses, from data files and storing them separately
- encrypting data containing personal information before they are stored; encryption is certainly needed before transmission of such data.
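The separation step in the list above, as an added example that is not part of the original guidance: direct identifiers are moved into a linkage file that shares only a random study ID with the research data, and both files are created with owner-only permissions. The column names, file names and function names are assumptions, the sample rows are constructed, and the encryption step the list recommends is not shown here.

```python
import csv
import io
import os
import secrets
import tempfile

# Constructed sample survey data; the column names are assumptions.
SAMPLE_CSV = """name,address,age,response
Alice Example,1 Sample Road,34,agree
Bob Example,2 Sample Road,51,disagree
"""
IDENTIFYING = ("name", "address")  # assumed direct identifiers


def split_records(rows, identifying=IDENTIFYING):
    """Return (research_rows, linkage_rows) joined only by a random study ID."""
    research, linkage = [], []
    for row in rows:
        study_id = secrets.token_hex(8)  # random, not derived from the person
        linkage.append({"study_id": study_id, **{k: row[k] for k in identifying}})
        research.append({"study_id": study_id,
                         **{k: v for k, v in row.items() if k not in identifying}})
    return research, linkage


def write_restricted_csv(path, rows):
    """Create a new file that only its owner can read or write."""
    # O_EXCL refuses to overwrite; 0o600 applies from the moment of creation.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0]))
        writer.writeheader()
        writer.writerows(rows)


def demo(data_dir, key_dir):
    rows = list(csv.DictReader(io.StringIO(SAMPLE_CSV)))
    research, linkage = split_records(rows)
    data_path = os.path.join(data_dir, "survey_data.csv")
    key_path = os.path.join(key_dir, "linkage_key.csv")  # kept in a separate location
    write_restricted_csv(data_path, research)
    write_restricted_csv(key_path, linkage)
    return research, linkage, data_path, key_path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as k:
        print(demo(d, k)[0])
```

The research file can then be shared under ordinary access controls, while the linkage file is the one that needs the strictest storage and encryption.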
How confidential data or data containing personal information are stored may need to be addressed during informed consent procedures. This ensures that the persons to whom the personal data belong are informed and give their consent as to how the data are stored or transmitted.