When collecting data from human participants you need to ensure that the data you collect are handled and stored securely and in accordance with legislative frameworks governing data protection, organisational information governance requirements, and research ethics and governance. The procedure outlined below has been developed with these frameworks in mind, and is designed to provide a clear, consistent approach that can be used for all trainee data (unless there are particular reasons why your data require a different approach).
What constitutes data?
The data you need to think about storing includes:
- Clinical recordings made on placement
- Research data e.g. interview recordings, questionnaires, transcripts, coded/analysed data
- Personal information collected during a study i.e. consent forms, expression of interest forms, email addresses
These data may be in paper form, or electronic (or both), so you need to think about storage of both formats. You also need to distinguish between how you will store data whilst the study is taking place and how it will be stored after the study has finished.
As the information governance of trusts can differ, methods of data collection, transfer, and storage may vary from placement to placement. Trainees should check with their supervisor regarding local policy when they first arrive on placement and contact the relevant assignment co-ordinator in the event of any issues. Clinical recordings should be stored on secured university file stores. Portable storage media (such as SD card, encrypted USB) should be used for data transportation ONLY and considered insecure with appropriate care taken to ensure data security. Details on the management of recordings can also be found in the guidance for specific assignments.
Storing data during a research study
Whilst the study is taking place you (the trainee) will be responsible for the data. You need to explain how you will store all data in a way that keeps it secure e.g. electronic data in password protected file space on the University server, and/or on encrypted electronic devices (see below).
As chief investigator for the study, the thesis supervisor is the named data custodian on the ethics application and must therefore be able to access the data throughout your study. This process needs to be described in your participant facing documents so that participants know how data will be managed. We advise that you store all of your data electronically. This can be achieved for all participant facing documents by using university approved digital platforms, such as Qualtrics, to share your information sheet(s) and collect completed assent and consent forms, and demographic questionnaires. If you do use paper documents, e.g. consent forms, these need to be scanned to create a digital copy and the hard copy should then be destroyed. At the outset of the study, you will need to create a OneDrive folder for the storage of the data and share this with your thesis supervisor. You should encrypt all your data to ensure that it is stored securely. You will need to share the password for the documents with your thesis supervisor so that they are able to access these.
We recommend that data containing personal details that would lead to the identification of participants (e.g. participants’ email addresses, expression of interest forms BUT NOT consent forms) should be deleted/destroyed as soon as possible. If people provide you with their contact details in order to be contacted about taking part in your study, these should be retained only until they have participated in the study, or until they have informed you that they do not wish to take part. However, if a participant says they would like to receive a summary of the research at the end of the study, it would be appropriate to retain their contact details until this summary has been sent out. Once the study is completed, contact details should be deleted and you should confirm in writing (by email) that this action has been completed with your supervisor.
We advise that, as far as possible, data are stored electronically in your personal file space on the University server, rather than on laptops, PCs or other devices. If you do store data on any devices other than the server, it must be encrypted. The server is secure, so any files stored there do not need to be encrypted. However, where you are storing data containing sensitive material or identifiable personal information, individual files should also be password-protected as an additional security measure.
If identifiable data are stored on a portable device, e.g. a laptop or USB drive, the University advises that encryption should be used. More information on how to do this is available from the ISS page on encryption. If it is not possible to encrypt the data at a particular stage (such as while on a video camera’s storage), there needs to be confirmation that any identifiable data will be transferred and then deleted from the device as soon as possible. If you are using digital recording devices for research, the encryption capabilities of the devices or a process to mitigate a lack of such should be mentioned in any ethics application.
Long-term storage of research data
You also need to explain what will happen after the study has been completed i.e. what data will be stored, where they will be stored and who will be responsible for them. Long-term data will be stored by the DClinPsy admin team and can be shared with your thesis supervisor on request. If your supervisor also wishes to store the data after the study ends, you will need to discuss this with them before and indicate this on your ethics application, participant information sheet and consent forms. In the past, most data have been stored in paper form. For practical and safety reasons, we advise trainees to keep data for storage after the end of the study in electronic form, unless there is a particular reason for keeping paper documents. The data that should be retained for storage includes the consent forms, all raw data (e.g. interview transcripts and completed questionnaires) and any coded data produced during analysis.
Once the final version of your thesis has been submitted, you will need to share your research data with the Research Coordinator for long-term storage. We would recommend that you do so by sharing the OneDrive folder you use to store the data in during the study. The data will then be saved on a password protected file space on the server. You will also need to confirm the password that has been used to encrypt the documents and the period of time that the data needs to be stored for. On your ethics form, you will need to state that your data will be transferred electronically using a secure method that is supported by the University.
Applying for ethical approval
To gain ethical approval for your project, you will need to develop an application on REAMS. REAMS is the Research Ethics Application Management System for Lancaster University. Once completed by you and signed off by your supervisor, your REAMS application will be reviewed by the Faculty Research Ethics Committee. The system can be accessed remotely via the web. You do not have to be on site or connected to the Lancaster University VPN. We recommend using a desktop PC, laptop or tablet for the best user experience. The REAMS form will adapt as you progress so that you are provided with questions relevant to your study. You can share your REAMS application with your supervisor through the platform. You should expect a REAMS review to take between 4 and 10 weeks, depending upon the level of approval you need and REC availability. Make sure the detail you provide is as clear and accurate as possible to help the committee fully consider your plans, and proof read all participant facing documents extremely carefully prior to submission.
If you think you may need ethical approval from the Health Research Authority for a study conducted within the NHS and/or social care, complete the decision tool checklist and discuss your plans with your supervisor. HRA applications are submitted through IRAS. Your approved application will then need to be processed through REAMS. You should expect a HRA ethics review to take between 8 and 16 weeks, depending upon the level of approval you need and REC meeting availability. We recommend you attend the REC review meeting to address the panel’s queries or questions, either in person or via a digital platform.
Faculty Ethics Committee
How to submit an application in REAMS
Contacting NHS R&D Offices
Health Research Authority
NHS tutorial video
NHS decision tool
ISS page on encryption