Guidance for researchers working remotely with participant data


The University’s data protection policy and the GDPR apply irrespective of location. Appropriate measures need to be taken to ensure personal data can be processed in a secure and compliant way. 

The exact measures to be adopted for each research project will need to be considered on a case-by-case basis as projects will be processing different data, collected from different sources and with different funding requirements. Before any changes take place, consideration should be given to the data privacy and security risks associated with home working and how these risks will be mitigated (for example, by training staff, developing standard operating procedures etc.). Where research projects have undertaken data protection impact assessments (DPIAs), these will need to be reviewed before any changes are made. Any research projects that do not have DPIAs should ensure that one is prepared in advance of any changes (for more information see the Information Compliance Team webpages on privacy by design). The Research Governance, Ethics & Assurance Team should also be consulted to ensure any changes are within the ethical requirements of the project or to submit an appropriate amendment. You may find it helpful to review guidance on research ethics and clinical trials and research governance.
You must ensure the agreed data access and sharing protocol is maintained, as failure to do so could invalidate any data sharing agreements and pose a security or data privacy risk.

The University has published general guidance for working remotely and the Information Security Team has guidance on its webpages on how to do so securely.

This guidance assumes that staff are working remotely within the UK. If you are seeking advice about working remotely at a destination outside the UK please contact the Information Compliance Team.  

 

It is particularly important to review the funder and/or data sharing agreements (where applicable) to identify whether minimum security requirements and conditions are set out in contractual T&Cs. For example, this may include requirements stating ‘access only permitted on networks that the University manages/owns’. The InfoSec Team has reviewed this particular aspect and deems that access over the MSD IT VPN using a University issued and maintained device provides an equivalent level of security. Deviation from such an approach would require further consideration and approval from the funder and/or data sharing entity as appropriate.

If you work within a department that has the NHS Data Security and Protection Toolkit (DSPT), or an alternative agreed governance model in place, then you will need to review what access provisions there are for the systems within the scope of these frameworks. It is recommended that you seek advice from your departmental information governance officer. 

In accordance with InfoSec’s information handling rules, if the data sharing agreement and security protocol permit the use of self-managed (‘personal’) devices to access research data (confidential data classification), specific authorisation must be sought from the head of department, who owns the risk associated with accessing confidential data on such devices. If self-managed devices are proposed to be used, you should only access data through the MSD IT VPN (or central IT Services VPN for non-MSD users) and should follow the security guidance for protecting devices on Information Security’s website.

You may need to make some adjustments to your working environment to maintain and protect the privacy and confidentiality of data subjects and shared information, such as:

  • not allowing unauthorised persons to look over your shoulder or listen in to conversations relating to participants and other confidential matters
  • not giving household members access to a University-managed device, or
  • ensuring that all University documents/files are closed on any devices when not in use

However, you should ensure compliance with all principles of UK GDPR. For example: in terms of transparency, you will also need to consider how any operational activities have been described in any privacy notices or participant information sheets provided to participants and whether the proposed way of working would be in conflict with that. In terms of data minimisation, you can ensure compliance by not downloading and saving copies of data onto mobile, laptop or home devices but instead saving data to the University network. No copies of research data containing personal data should be printed off at home. This may also be a contractual condition on the use of the data.
 

 

You may need to make some adjustments to your working environment to maintain and protect the privacy and confidentiality of data subjects and shared information, such as: 

  • ensuring that phone calls to participants are not undertaken within earshot of unauthorised persons
  • never using speakerphone unless privacy can be guaranteed
  • always using headphones if the phone call is made using computer software

 

University mobile phones

In general terms, University-managed or owned mobiles that have appropriate security settings would be preferred. It is recommended that approval is sought from the appropriate budget holder for any associated billing.   

It is not recommended that personal devices or landlines are used, due to the impracticalities of managing a retention policy when participants’ phone numbers and possibly voicemail messages (if they try to call the researchers) are stored on personal devices. Additionally, consideration should be given to the health and safety safeguards for University staff as a result of the risk of exposing personal phone numbers to participants. 

Chorus

Chorus is not recommended for contacting research participants. The IT Services Chorus soft client and Chorus Web Portal (for managing call forwarding from your work phone to home) are alternative solutions available in the University. However, as Chorus does not encrypt phone calls by default, Chorus does not provide an adequate level of security for data of a confidential classification. 

Microsoft Teams Meetings

As an alternative to a phone call it is possible to use Microsoft Teams to set up a virtual meeting with participants using their email address (if held).

If the participant’s email address is already held, you will need to consider how compatible this use is with the purposes for which it was originally collected and take into consideration the privacy information provided to the data subject. Ethical consent may be required to collect email addresses if not already held. It is recommended that the Research Governance, Ethics & Assurance Team is consulted. 

Microsoft Teams may not be appropriate if there are contractual requirements stipulating that research data is only permitted on networks that the University manages/owns. 

The participant would receive an invitation email from the organiser with a link to join the meeting. If the participant is using a laptop/computer they will be able to join the meeting within their default internet browser. If the participant is using a mobile phone/tablet they will be required to download the Teams app. 

You will need to consider how to manage data privacy risks; the steps to mitigate these risks could be outlined in a standard operating procedure (SOP) for the trial or study. All researchers involved should be trained on the procedures and records of training maintained.

  • Double-check email addresses have been entered correctly prior to sending invitations and take care to ensure that the field has not incorrectly auto-populated – guidance can be found on IT Services’ page on arranging meetings on Teams
  • Make sure that your working environment is set up appropriately before the start of the meeting, to ensure that you can maintain and protect the privacy and confidentiality of data subjects such as having headphones and not allowing unauthorised persons to look over your shoulder.
  • Make use of the ‘lobby’ function, so that individuals joining the meeting need to be ‘let in’ and uninvited attendees are prevented from joining – for help with setting this up, IT Services has guidance on arranging meetings on Teams
  • Instruct participants to provide their unique study number/code as their ‘name’ when entering the ‘lobby’ to limit the capture of directly identifiable information 
  • Consider the management of participants’ data in Teams and Outlook. In order to manage destruction/deletion of personal data, the organiser will have to delete the occurrence of the meeting in their Teams calendar once it has taken place in order to remove the history of the meeting (and the participants’ email addresses) from their Teams and Outlook calendar. This action will trigger a cancellation email to the attendees (it is suggested that a reason for the cancellation is provided to avoid confusion such as ‘meeting completed’). The organiser will then need to delete the invitation emails from their sent items in Outlook given that Microsoft Teams and Outlook are linked. 
  • Any other staff attendees, or external collaborators working on the University’s behalf, would also have to take the same steps in order to delete the participant’s data from their calendar and likewise delete the invitation/cancellation emails from their inboxes
  • It is not currently possible to delete chat history from Microsoft Teams, therefore you need to ensure that the participants do not use this function and determine how this risk will be managed (for example a reminder on the invitation email and at the start of the meeting)

For further advice and support on the use of Microsoft Teams, you can contact the IT Services helpdesk at help@it.ox.ac.uk.
 

 

In order to safeguard participants’ privacy, the University’s data protection by design framework must be followed for research proposing to record participants.

Do I need to record? 

There is now a demand to be able to hold participant interviews and collect data remotely using video-conferencing tools. However, you should first consider whether there is a need to record participants. For research, the University generally relies on ‘public interest task’ as its lawful basis for processing personal data. To rely on this lawful basis, the recording must be necessary for an active research activity and there must be ethics approval in place to conduct that activity.  If you do need to record research participants, explain why this is necessary in your ethics application.

Video recording in Microsoft Teams

Microsoft Teams is the University’s approved tool for virtual meetings and the only tool approved for confidential subject matter. Microsoft Teams has the functionality to video record meetings, but you will still need to consider the risks described in the sections above when setting up a virtual meeting for the purposes of recording. To find out more, visit IT Services’ page on recording meetings.

Necessity and proportionality

Consider the necessity and proportionality of video recording. For example, if a video recording is necessary to capture an assessment of the participant, the video recording should be limited to that assessment only, as it may not be necessary to record the entire meeting for the purpose of the research.

It is now possible to transcribe Teams meetings using the transcription function in Teams without recording audio or video – see ‘Transcription in Teams’ section below for further detail. This may be done as an alternative or supplement to audio recording.

Where a recording is necessary, Microsoft Teams does not have the functionality to isolate audio from a video recording of a virtual meeting. There are a couple of ways to restrict the recording of the meeting to audio only:

  • All attendees must switch off their cameras before starting the recording. This can only be done by each attendee. The onus is therefore on the participant to disable their own camera feed as it cannot be switched off by the meeting organiser. With this approach, there is a risk that participants may accidentally enable their camera during the recording and the researcher may inadvertently capture their video feed. As a safeguard to ensure that only audio is captured, the template invitation email to the invitees could be edited to remind them to ensure their webcams are switched off prior to joining the meeting. Researchers should then remind all attendees in the meeting and check that all cameras are switched off before pressing record.
  • Where it is necessary to record the audio feed only but you need to be able to see the individual during the recording, Microsoft Teams can be used to facilitate interviews/focus groups with participants with the audio of the interview recorded on a separate encrypted dictaphone device (personal mobile phones would not be appropriate) or using the ‘Voice Recorder’ app (available on Windows 10) on a separate laptop.

Security

Before the meeting starts, you should ensure that your working environment is set up appropriately to maintain and protect the privacy and confidentiality of research participants, such as using headphones and not allowing unauthorised persons to look over your shoulder.

This is of particular importance if the interview is being recorded using a dictaphone or voice recorder, as this approach will require the audio to be played over the computer speakers.

Once complete, the recordings made in Teams are saved on Microsoft Stream. The organiser must ensure that the permissions to the recording are set appropriately whilst the recording is stored by Microsoft and restricted to those with a need to know. For guidance on this, check IT Services’ page on recording meetings. The default permissions for the recording are set with the person who made the recording (the meeting organiser) as the owner of the video and, if applicable, the internal Nexus 365 users who were on the meeting invite are set as viewers. External or guest meeting participants will not have access to the recording.

It is recommended that any recordings made through a separate device are transferred to the University IT network as soon as possible (for example restricted access folder, password-protected format) and deleted from the device. There are data security risks with this approach, particularly around secure destruction of data held on the device and also the risk of loss of device (and subsequent loss of personal data held on the device), which could result in a personal data breach.

If you intend to use a third party transcription service, it must:

  • have undergone a third party security assessment (TPSA) and been assessed as low risk for confidential data
  • have a contract using the University’s standard template for supply for services, or have been approved by the Purchasing Team in accordance with the University’s Financial Regulations

Retention 

As the Teams recording will be on an individual organiser’s account as opposed to a shared mailbox, it is recommended that recordings are downloaded and saved to the University IT network (for example restricted access folder, password-protected format) for data availability and business continuity purposes and so the retention policy for that data can be easily managed. The recording will exist in Microsoft Stream as long as the owner keeps it there or for as long as their account exists. Once downloaded, the recordings should be deleted from the organiser’s individual Microsoft Stream account.

Note that when a user deletes a recording, it is sent to the recycle bin and they have 30 days to recover this before it is permanently deleted. Recordings can also be permanently deleted from the recycle bin before the automatic 30 days.

It is good practice to delete the recordings once these have been transcribed, unless there is a justifiable reason to retain the recordings.

Transparency

It is important that participants are informed about the proposed recording activities through the participant information sheet.  There should also be a record of participants' consent to the recording.  Please refer to guidance on obtaining participants' informed consent.

 

If it is only necessary to record the meeting for the purposes of transcription and later analysis, it is now possible to transcribe Teams meetings using the transcription function in Teams without recording audio or video. Please note that you must be using Teams within the University’s subscription to Nexus365 for Business and be on a desktop computer.  The built-in live transcription feature in Teams can be activated at any time during a call.  Navigate to the meeting control toolbar at the top of the screen and look for the three dots icon for ‘More Actions’. Select ‘record and transcribe’, then the option ‘Start Transcription’ should be selected to begin transcribing the call.

Once the meeting is concluded, or whenever you’d like to stop transcribing, navigate to the same ‘More Actions’ menu and select ‘Stop transcription’. Transcription will also stop automatically when everyone leaves the call. Once the meeting is over, the transcription can be viewed and downloaded under the meeting event calendar.

The recording function within Microsoft Teams is switched off by default to discourage the inappropriate use of recording. For information on video recording for other purposes not relating to research participants, please see the Information Compliance pages on general video conference recording.