Guidance on platforms, systems and storage of research data

Platforms to support remote interactions with participants

For audio and video interviews you are recommended to use Microsoft Teams. For online surveys, you are recommended to use JISC Online Surveys and/or Microsoft Forms. All three platforms are UK GDPR compliant. If researchers are using Microsoft Forms to create surveys, they must provide a privacy notice when collecting personal data (such as first name, last name, personal e-mail address); guidance on data protection and research, specifically with regards to personal data, must be consulted. University of Dundee privacy notice templates specifically for Microsoft Forms do not exist at this time. However, there is a general privacy notice template on the data protection web pages along with self-help guidance for researchers.

Interviews should not be recorded using personal mobile phones.

It is possible to record interviews conducted in Microsoft Teams and set access permissions to the recording. The recording is held securely and can be accessed in either OneDrive or SharePoint. Non- channel meetings will be stored in the OneDrive of the person who clicked the record button in a special folder labelled “Recordings” – that sits at the top of the recorder’s OneDrive. Example: Recorder’s OneDrive for Business/Recordings. Channel meetings will be stored in a folder labelled “Recordings” within the Team’s site document library. Example: Teams name - Channel name/Documents/Recordings.

The recording can be archived in Microsoft Stream, the recorder is the owner of the audio/video and the person/people who were invited to the meeting (for example, a participant who is being interviewed individually, or several people participating in a focus group from different locations) are the viewers. No other people will have access to the recording unless the owner of the recording grants them permission. Sharing of confidential information should only occur in accordance with the approved project protocol.

Researchers must (where possible) work with University approved software and hardware rather than any personal or local alternative. This is particularly important where special category (sensitive) data is collected.

Where research is conducted overseas, researchers must inform the participants that their data will be held on a European server. They should work on any identifiable data locally and store the data securely on University systems. They must inform participants that this is their intention and gain consent.

Should researchers wish to share data with their supervisors they must provide an anonymised dataset.

Guidance on the requirements when working with international partners and/or suppliers has been produced by Legal and Information Governance. Countries that have received an EU adequacy decision have been identified by the European Commission as offering an appropriate level of data protection.

Where research is conducted overseas and researchers want to share personal data with colleagues in countries not in the EU or in countries that do not have an EU adequacy decision, or vice versa, they must be aware that any transfer of personal data to a third party (including sharing, transfer or processing on behalf of the University) must be governed by an appropriate agreement that meets the requirements of UK GDPR. There are no exceptions to this general requirement.

Students (including postgraduate researchers) must discuss the most appropriate technology to use for their project with their supervisor.

Storage of research data

Research data should be stored on JISC Online Surveys, Microsoft Forms, Microsoft Stream, SharePoint or OneDrive. Ideally, the device used should have an encrypted hard drive.

Researchers must ensure that devices being used to store data are not left unattended and are locked when not in use. Devices should also have strong password protection (use of a 14-digit password is recommended). Finally, researchers should make themselves familiar with the protocol for reporting a data breach should that occur (contact Data Protection immediately).

Students (including postgraduate researchers) should discuss the most appropriate way to ensure that the data are stored and shared securely with their supervisor.

Advice on use of software/systems/apps to collect personal data or special category data

The University has made a substantial investment in secure and licensed online systems, and we have data-sharing agreements with these platforms. As stated above, only approved systems can be used for the collection of personal and special category data.

Other platforms that are nominally free may not be as secure and may use or share personal data - and that of research participants/partners - with other companies, as a cost of using these tools. In addition, the servers on which data are held could potentially be based outside the EEA and may not comply with the UK GDPR.

If using plug-ins, apps, or other software, such as free transcription, anonymisation or data analysis software or electronic research notebooks, always read the terms and conditions of any tools and be aware of the potential risks to your and others’ personal data.

There is further information on University approved systems at the University guide to data protection when remote working.