Research - Analysis - Evaluation

RAE Consulting

Last updated: 20 September, 2007

Data Security Statement

RAE Consulting makes extensive use of Information and Communications Technology (ICT) in its research activities and we take extremely seriously the need to maximise the security of our ICT systems and the data they hold. Dr Alex Gibson is accountable for the physical security of RAE Consulting's ICT systems and all data collected by, or entrusted to, RAE Consulting. This policy statement articulates the principal mechanisms by which such data are made secure.

RAE Consulting will strictly adhere to all conditions under which data are either collected on behalf of, or made available by, its clients or third parties. This includes conditions relating to the physical security of data, as well as their subsequent use.

RAE Consulting avoids using identifiable individual-level data wherever possible. Where this is unavoidable for data linkage or other purposes, the data are AES encrypted and kept on a dedicated password-protected non-networked device in a secure office. The data are anonymised as soon as possible and all identifiable data (electronic or otherwise) are promptly destroyed (see below).

All sensitive data, including all non-public domain individual-level data whether anonymised or not, are AES encrypted to ISO/IEC 10118-3:2004 standard and kept on password-protected devices with appropriate inbound network firewalls located in a secure office. CD, DVD and hard-drive backups of sensitive data files are similarly encrypted and stored in a physically secure location.

Access to all sensitive data is strictly restricted. It is extended to research contractors or collaborators only with the express agreement of clients or third-party data providers, and only when a comparable level of data security (including disposal) can be assured by the contractor/collaborator. Identifiable individual-level data are never shared with research contractors/collaborators. Sensitive data remain encrypted when transmitted, with a separate delivery mechanism used to transmit the encryption key.

Research data, once anonymised, aggregated or otherwise made demonstrably non-disclosive, will be shared with research contractors/collaborators as demanded by each research project. As a matter of good practice, these data are encrypted whenever transmitted.

As and when research outputs are made public, whether by means of formal publication or otherwise, Dr Alex Gibson is responsible on behalf of RAE Consulting for ensuring that they are non-disclosive and that the characteristics or circumstances of individuals cannot be inferred or reverse engineered.

RAE Consulting does not sell on or otherwise dispose of data devices or data media. All such devices and media are physically destroyed beyond reasonable recovery.