Data storage and security: Special Licence data
Safeguarded data should always be handled carefully. In addition to the stipulations for using End User Licence that we saw on the previous page, there are a number of rules that must be adhered to when using Special Licence data.
Special Licence data collections are anonymised but contain more detailed information than End User Licence (EUL) data and thus are considered to have an inherently greater risk (i.e. of re-identification and attribution of information to a respondent) associated with them; hence the extra conditions around their use.
If you are applying to use Special Licence data, and you have a created a Data Management Plan for the research project, it is useful to refer to any processes agreed with your organisation, and to include these in the project application.
Special Licence
data:
- must only be accessed in an organisational setting, via an endpoint device (e.g., PC, laptop or thin client) on a closely controlled LAN with restricted access and must not be accessed at a private residence. Working at home is not permitted unless explicit permission has been applied for, via the Service
- must be stored in physically secure conditions (e.g. any portable or printed copies must be stored in a locked cabinet with restricted access)
- must be held on an endpoint device that is in a room that is locked when unattended
- must have access appropriately restricted where stored on a cloud-based service. The service must store data in the UK or an EEA Adequacy-based data centre, and access must only be available via personal authentication, to those approved to use the data
- must be accessed on a site which has security standards that meet the guidelines in this guide
- must only be accessed must only be accessed at an appropriate site according to the access requirements set by the data owner
Encryption/passwords
- must be encrypted when not in use, using passphrases instead of passwords
- must be protected by a screen lock with an interval of no more than fifteen minutes and that requires a secure password to unlock it
Data deletion
- Special Licence data must be deleted upon project completion. Not deleting data or going on to use it for a different project constitutes a breach of the licence.