Guidance for researchers working remotely with participant data


The University’s data protection policy and the GDPR apply irrespective of location. Appropriate measures need to be taken to ensure personal data can be processed in a secure and compliant way. 

The exact measures to be adopted for each research project will need to be considered on a case-by-case basis, as projects will be processing different data, collected from different sources and with different funding requirements. Before any changes take place, consideration should be given to the data privacy and security risks associated with home working and how these risks will be mitigated (for example, by training staff, developing standard operating procedures etc.). Where research projects have undertaken data protection impact assessments (DPIAs), these will need to be reviewed before any changes are made. Any research projects that do not have DPIAs should ensure that one is prepared in advance of any changes (for more information see the Information Compliance Team webpages on privacy by design). The Research Governance, Ethics & Assurance Team should also be consulted to ensure any changes are within the ethical requirements of the project or to submit an appropriate amendment. You may find it helpful to review guidance on research ethics and clinical trials and research governance.

You must ensure the agreed data access and sharing protocol is maintained, as failure to do so could invalidate any data sharing agreements and pose a security or data privacy risk.

The University has published general guidance for working remotely and the Information Security Team has guidance on its webpages on how to do so securely.

This guidance assumes that staff are working remotely within the UK. If you are seeking advice about working remotely at a destination outside the UK please contact the Information Compliance Team.  


Of significant importance is to review the funder's and/or data sharing agreements (where applicable) to identify whether minimum security requirements and conditions are set out in contractual T&Cs. For example, this may include requirements stating 'access only permitted on networks that the University manages/owns'. The InfoSec Team has reviewed this particular aspect and deems that access over the MSD IT VPN using a University-issued and maintained device provides an equivalent level of security. Deviation from such an approach would require further consideration and approval from the funder and/or data sharing entity as appropriate.

If you work within a department that has the NHS Data Security and Protection Toolkit (DSPT), or an alternative agreed governance model in place, then you will need to review what access provisions there are for the systems within the scope of these frameworks. It is recommended that you seek advice from your departmental information governance officer. 

In accordance with InfoSec’s information handling rules, and if the data sharing agreement and security protocol permits the use of self-managed (‘personal’) devices to access research data (confidential data classification), then specific authorisation must be sought from the head of department, who owns the risk associated with accessing confidential data on such devices. If self-managed devices are proposed to be used, then you should only access data through the MSD IT VPN (or central IT Services VPN for non-MSD users) and should follow the security guidance for protecting devices on Information Security’s website.

You may need to make some adjustments to your working environment to maintain and protect the privacy and confidentiality of data subjects and shared information, such as:

  • not allowing unauthorised persons to look over your shoulder or listen in to conversations relating to participants and other confidential matters
  • not giving household members access to a University-managed device, or
  • ensuring that all University documents/files are closed on any devices when not in use

You should also ensure compliance with all principles of UK GDPR. For example, in terms of transparency, you will need to consider how any operational activities have been described in any privacy notices or participant information sheets provided to participants and whether the proposed way of working would be in conflict with that. In terms of data minimisation, you can ensure compliance by not downloading and saving copies of data onto mobile, laptop or home devices but instead saving data to the University network. No copies of research data containing personal data should be printed off at home. This may also be a contractual condition on the use of the data.

You may need to make some adjustments to your working environment to maintain and protect the privacy and confidentiality of data subjects and shared information when making phone calls, such as:

  • not making phone calls to participants within earshot of unauthorised persons
  • never using speakerphone unless privacy can be guaranteed
  • always using headphones if the phone call is made using computer software


University mobile phones

In general terms, University-managed or owned mobiles that have appropriate security settings would be preferred. It is recommended that approval is sought from the appropriate budget holder for any associated billing.   

It is not recommended that personal devices or landlines are used, due to the impracticalities of managing a retention policy when participants’ phone numbers and possibly voicemail messages (if they try to call the researchers) are stored on personal devices. Additionally, consideration should be given to the health and safety safeguards for University staff as a result of the risk of exposing personal phone numbers to participants. 

Chorus

Chorus is not recommended for contacting research participants. The IT Services Chorus soft client and Chorus Web Portal (for managing call forwarding from your work phone to home) are alternative solutions available in the University. However, as Chorus does not encrypt phone calls by default, Chorus does not provide an adequate level of security for data of a confidential classification. 

Microsoft Teams Meetings

As an alternative to a phone call it is possible to use Microsoft Teams to set up a virtual meeting with participants using their email address (if held).

If the participant’s email address is already held, you will need to consider how compatible this use is with the purposes for which it was originally collected and take into consideration the privacy information provided to the data subject. Ethical consent may be required to collect email addresses if not already held. It is recommended that the Research Governance, Ethics & Assurance Team is consulted. 

Microsoft Teams may not be appropriate if there are contractual requirements stipulating that research data is only permitted on networks that the University manages/owns. 

The participant would receive an invitation email from the organiser with a link to join the meeting. If the participant is using a laptop/computer they will be able to join the meeting within their default internet browser. If the participant is using a mobile phone/tablet they will be required to download the Teams app. 

You will need to consider how to manage data privacy risks and such steps to mitigate these risks could be outlined in a standard operating procedure (SOP) for the trial or study. All researchers involved should be trained on the procedures and records of training maintained.

  • Double-check that email addresses have been entered correctly prior to sending invitations and take care to ensure that the field has not incorrectly auto-populated – guidance can be found on IT Services' page on arranging meetings on Teams.
  • Make sure that your working environment is set up appropriately before the start of the meeting, to ensure that you can maintain and protect the privacy and confidentiality of data subjects, such as having headphones and not allowing unauthorised persons to look over your shoulder.
  • Make use of the 'lobby' function, so that individuals joining the meeting need to be 'let in', to prevent any uninvited attendees from joining the meeting – for help with setting this up, IT Services has guidance on arranging meetings on Teams.
  • Instruct participants to provide their unique study number/code as their 'name' when entering the 'lobby' to limit the capture of directly identifiable information.
  • Consider the management of participants' data in Teams and Outlook. In order to manage destruction/deletion of personal data, the organiser will have to delete the occurrence of the meeting in their Teams calendar once it has taken place, in order to remove the history of the meeting (and the participants' email addresses) from their Teams and Outlook calendar. This action will trigger a cancellation email to the attendees (it is suggested that a reason for the cancellation is provided to avoid confusion, such as 'meeting completed'). The organiser will then need to delete the invitation emails from their sent items in Outlook, given that Microsoft Teams and Outlook are linked.
  • Any other staff attendees, or external collaborators working on the University's behalf, would also have to take the same steps in order to delete the participant's data from their calendar and, likewise, delete the invitation/cancellation emails from their inboxes.
  • It is not currently possible to delete chat history from Microsoft Teams; therefore you need to ensure that the participants do not use this function and determine how this risk will be managed (for example, a reminder on the invitation email and at the start of the meeting).

For further advice and support on the use of Microsoft Teams, you can contact the IT Services helpdesk at help@it.ox.ac.uk.

The information below sets out the points of consideration for data protection when remotely recording participants. As outlined above, you should undertake privacy by design for projects proposing to remotely record participants. The Research Governance, Ethics & Assurance Team should also be consulted to ensure any changes are within the ethics requirements of the project or to submit an appropriate amendment. 

Do I need to record? 

With the move to remote working, there is now a demand to be able to hold participant interviews and collect data remotely using video-conferencing tools. However, in the first instance you should consider whether there is a need to remotely record participants if it was not necessary to record them prior to a remote working situation. For research, the University generally relies on ‘public interest task’ as its lawful basis for processing personal data. To rely on this lawful basis, the recording must be necessary for an active research activity and there must be ethical approval in place to conduct that activity.

Video recording in Microsoft Teams

Microsoft Teams is the University’s approved tool for virtual meetings and the only tool approved for confidential subject matter. Microsoft Teams has the functionality to video record meetings, but you will still need to consider the risks described in the sections above when setting up a virtual meeting for the purposes of recording. To find out more, visit IT Services’ page on recording meetings.

Necessity and proportionality

Consideration should be given to the necessity and proportionality of the video recording. For example, if a video recording is necessary to capture an assessment of the participant, the video recording should be limited to the assessment only as it may not be necessary to record the entire meeting for the purpose of the research. 
 
It may only be necessary to record the audio feed of the meeting for the purposes of transcription and later analysis. However, Microsoft Teams does not currently have the functionality to isolate audio from a video recording of a virtual meeting. In order to restrict the recording of the meeting to audio only, all attendees must switch off their cameras before starting the recording. This can only be done by each attendee. The onus is therefore on the participant to disable their own camera feed as it cannot be switched off by the meeting organiser. With this approach, there is a risk that participants may accidentally enable their camera during the recording and the researcher may inadvertently capture their video feed. As a safeguard to ensure that only audio is captured, the template invitation email to the invitees could be edited to remind them to ensure their webcams are switched off prior to joining the meeting. You should then remind all attendees in the meeting and check that all cameras are switched off before pressing record.  

Where it is necessary to record the audio feed only but you need to be able to see the individual during the recording, there will be a risk of over-collection of personal data. You will need to consider how to mitigate those risks to avoid processing more personal data than necessary, for example, deleting the video as soon as the transcription is complete, ensuring data security measures are in place to protect the data until it can be destroyed and only using a third party transcription service:

  • that has been subject to a third party security assessment (TPSA) and is assessed as low risk for confidential data
  • whose contract uses the University’s standard template for supply for services or has been approved by the Purchasing Team in accordance with the University’s Financial Regulations

It is possible to create closed captions for recorded videos in Microsoft Stream. Further work to explore this functionality and the potential production of transcripts continues and further guidance will be issued in due course.

Security

Before the meeting starts, you should ensure that your working environment is set up appropriately to maintain and protect the privacy and confidentiality of data subjects, such as using headphones and not allowing unauthorised persons to look over your shoulder.

Once complete, the recordings are saved on Microsoft Stream. The organiser must ensure that the permissions to the recording are set appropriately whilst the recording is stored by Microsoft and restricted to those with a need to know. For guidance on this, check IT Services' page on recording meetings. The default permissions for the recording are set with the person who made the recording (the meeting organiser) as the owner of the video and, if applicable, the internal Nexus 365 users who were on the meeting invite are set as viewers. External or guest meeting participants will not have access to the recording.

Retention 

As the recording will be on an individual organiser’s account as opposed to a shared mailbox, it is recommended that recordings are downloaded and saved to the University IT network (for example restricted access folder, password-protected format) for data availability and business continuity purposes and so the retention policy for that data can be easily managed. The recording will exist in Microsoft Stream as long as the owner keeps it there or for as long as their account exists. Once downloaded, the recordings should be deleted from the organiser’s individual Microsoft Stream account.

Note that when a user deletes a recording, it is sent to the recycle bin and they have 30 days to recover this before it is permanently deleted. Recordings can also be permanently deleted from the recycle bin before the automatic 30 days.

Transparency

It is important that participants are informed about the proposed recording activities through participant information sheets.


Microsoft Teams virtual meetings can be used to facilitate the interviews with participants, with the audio of the interview recorded on a separate encrypted dictaphone device (personal mobile phones would not be appropriate).

Make sure that your working environment is set up appropriately to ensure that you can maintain and protect the privacy and confidentiality of data. This is of greater importance if the interview is being recorded over a dictaphone as this will require the audio to be played over the computer speakers. 

It is recommended that any recordings captured through the device are transferred to the University IT network as soon as possible (for example restricted access folder, password-protected format) and deleted from the device. There are data security risks with this approach, particularly around secure destruction of data held on the device and also the risk of loss of device (and subsequent loss of personal data held on the device) which could result in a confidentiality and an availability personal data breach.

The recording function within Microsoft Teams is switched off by default to discourage the inappropriate use of recording. For information on video recording for other purposes not relating to research participants, please see the Information Compliance pages on general video conference recording.