There is a 3-2-1 rule for data storage: store 3 copies of data, on at least 2 different media, with at least one copy in a separate location.
For data collected by or on behalf of the University you should use the University network or your University OneDrive account as the primary storage location during the active phase of the project. Both local network storage and OneDrive will provide data security, replication in separate data centres, automated backup, and 3-month file recovery. Raw data and master versions of files should be stored here as read-only files with appropriate access controls. Sensitive/confidential data can also be stored in these locations.
Data collected in the field should be stored securely, backed up using local devices in the absence of an internet connection, and transferred at the earliest opportunity to the primary storage location.
University storage solutions
The University storage solutions described below can be used to store and share research data. They are all suitable for the storage of personal data and other confidential information (OneDrive and Teams both use the University SharePoint service, maintained on UK-based servers). Care should be taken if you store confidential information in OneDrive and Teams, as these both allow file sharing, including with people outside the University.
Information about these services and how to apply for them can be found under File Storage (login required) in the DTS service catalogue.
- Your University OneDrive account allows you to store and share up to 5 TB of data at no cost. OneDrive can be used to share files and folders with project collaborators external to the University. Data must be stored and shared in accordance with the OneDrive Data Security Policy. DTS provides information about OneDrive.
- For group access with small to medium-volume storage requirements, staff can set up a collaborative share for the project of up to 100 GB at no cost (thereafter £1.20 per GB per year).
- Microsoft Teams provides file storage and sharing capability. Any member or guest of a Team has access to all files held in the Team, so personal data or other confidential information should be stored in Teams with caution. Teams should not be used as a primary store for research data, although it can provide secure file sharing. DTS provides information about Microsoft Teams.
- If storage requirements are significantly higher than 100 GB, you can use the University's Research Data Storage service, which is a dedicated high-volume data storage service provided at different specifications and costs (per TB per year). Capacity can be requested in increments of 0.5 TB. The minimum subscription term is one month. For grant costing purposes we would recommend costing by the year. Information about the service is available on the Academic Computing Team website.
For those undertaking computing-intensive research, the Academic Computing Team website provides information about the Reading Research Cloud computing platform and the Reading Academic Computing Cluster.
If data are acquired using specialist infrastructure, such as the ISIS neutron and muon source, or the JASMIN supercomputing environment, raw data may be stored in the facility infrastructure, and data copied or extracted locally as required.
You may need to address storage of non-digital data, e.g. signed consent forms, in appropriate secure environments.
The basic principle of information security is that information should be accessible only to those for whom access is authorised. In the case of confidential and legally-protected information, such as personal data, this principle must be observed with care and you must put in place appropriate access controls to keep data safe from unauthorised access.
Confidential information should be managed in accordance with the University's Data Protection, Encryption and Remote Working policies, which can be found on the Information Compliance Policies web page. Information about sensible approaches to the storage and sharing of personal data can be found in the IMPS guide to data protection for researchers.
The University network and OneDrive provide warranted security for the storage of confidential information. Data can be transferred to the University network via VPN, which is an encrypted channel, and can be safely moved between devices and shared with others using your OneDrive account. Microsoft Teams can be used to store/share confidential information, but it is not recommended for this purpose, as any member or guest of a Team will have access to all its files.
If you are using personal and portable devices to collect and store confidential data, such as audio recorders, video cameras, laptops and tablets, removable hard drives, and USB sticks, the devices should at the very least be protected by username and password and have adequate firewall and anti-virus protection.
Device-level protection may not in itself be sufficient if the data are highly sensitive. You may additionally need to password-protect individual files, or better still encrypt them or the folder area in which they are stored. The University's Encryption Policy provides instructions on how to encrypt files and storage areas. The UK Data Service also provides guidance on data encryption methods.
Be aware of the risks involved in using third-party cloud-based services for the storage and sharing of files, such as Dropbox or GoogleDrive. While such services have benefits if you are processing or sharing data with colleagues outside the University, they are not necessarily secure, and are often located overseas. Using these services to store and transfer personal data could put you in violation of the UK Data Protection Act, which states that data should not be transferred to other countries without equivalent levels of legal protection.
Considerations of information security also apply if you are using third-party services to collect (and thus store) personal data, as not all services are compliant with UK Data Protection law. For guidance on use of online survey tools and information about services available to University staff see the section on Research ethics and data protection.
You should also be careful about transferring confidential data by other unsecured methods, such as email. Data transmitted via email are likely to pass through and remain on a number of servers, so you should avoid sending confidential data by such means. If you do send confidential information by email, you should at the least encrypt files.
Another approach to the storage of personal data is to remove individual identifiers from a data file (such as participants' names and contact details) and store them in a separate secure location. You can use a unique ID or pseudonym to maintain the link between the personal data and the related data held separately.
The UK Data Service provides further guidance on data storage.
Physical data should be stored in offices or other storage areas that can be locked and are accessible only by authorised persons. If the data are stored in offices that remain open throughout the day, they should be kept in a locked storage area, such as a desk drawer, cupboard or filing cabinet.
Signed consent forms or other non-digital records may contain identifying information and should be stored separately from data files, although an anonymous ID system can help link the two sets of materials together if required (e.g. for re-contacting purposes).