Data protection in research: Application service providers

Components

Staff and students often use application service providers to assist them with disseminating information, meeting and collaborating online, or compiling surveys for research purposes. When we use these services, you should always look to anonymise responses wherever possible. However, it is often a requirement that some form of personal data relating to participants are shared with that provider, in the form of IP address, email address, or general response to surveys or collaboration requests.

In instances where personal data are used, the application service provider is acting as a ‘processor’ to the University. It is therefore very important that the terms and conditions of these application service providers are reviewed to ensure that the personal data the University is responsible for are adequately protected.

The Data Protection team and Information Security, alongside IT Vendor Management have reviewed the terms and conditions of some application service providers, and are satisfied that the University’s data are adequately protected. These are set out below. Researchers can use these providers knowing that data are adequately protected in respect of the data protection legislation and information security measures, and do not need to notify the Data Protection team of their use. Please note that other teams may still need to be consulted as per usual university procedure.

Where one of these authorised service providers is used for your research project, you are still expected to ensure the following guidance notes are met:

  • If the processing of personal data are required you should consider what personal data are necessary, adequate, relevant and not excessive to achieve your purpose. If using surveys, consider if anonymised returns could be used.
  • The research data protection assessment procedure should be followed, with the proposed use of the application service provider included in the existing documentation (i.e. in EthOS, or the separate Research DPIA).
  • Ensure that you clearly inform participants that the provider is a recipient of the personal data they provide, and the reasons for this.
  • Provide participants with a hyperlink to the provider’s privacy notice.
  • MMU remains responsible for the retention of the data collected by the application, and you must work with the provider to ensure it is retained in line with retention and disposal requirements. You must securely manage any data extracted from the tool in line with the rest of your project data.
  • Please remember that all Information security policies and procedures will need to be followed. Please refer to The Information Security policy site or contact infosecurity@mmu.ac.uk for guidance.

The Data Protection team intend to expand this list along-side Information Security, to include other types of application service provider.

If the application service provider is not on the authorised online solutions list, the researcher must contact IT Support to enquire about its use. The researcher is also required to follow usual Information Security policies and procedures, and can refer to The Information Security policy site or contact infosecurity@mmu.ac.uk for guidance.

Key considerations

It is the University’s view on the use of external platforms in research (some of which are set out below) that participants should not be disadvantaged if they do not wish to sign up to such services and accept the associated terms and conditions and privacy policy.

We always recommend using internal university solutions where possible. These are services that the university has formally licensed and entered into contract. Such contracts have been assessed by the University, and the data protection provisions reviewed to ensure they are of an acceptable standard.

Where an internal solution does not exist, appropriate considerations should be given to the use of external providers. Some providers do allow for viewing and contribution without users creating an account. This should be the preferred option where it is available.

Authorised List

  • 1. Sharing and storage

    Research Data Storage (RDS)

    Manchester Metropolitan University’s Research Data Storage (RDS) platform is available to staff and postgraduate research students, and provides a secure, accessible and highly available data storage platform for researchers to store active research data from live projects. The platform is accessible by researchers at MMU through a networked storage location. You can find out more about it on Manchester Metropolitan’s Intranet pages.

    Dropbox Business

    Dropbox Business is available to staff and postgraduate research students only. This is an authorised university solution. It should be used for sharing data externally only. You can find out more about it on Manchester Metropolitan’s Intranet pages.

    Microsoft OneDrive

    OneDrive can be used by undergraduate and postgraduate taught students for storage and for sharing data externally. It can also be used by staff and postgraduate students.

  • 2. Surveys

    You should always consider exactly which personal data (if any) are required when designing your survey, and use the minimum amount possible to achieve your purpose. Remember that many surveys will collect IP address as standard - make sure you switch this off if you do not require it.

    Internal survey solutions

    Consider whether an internal survey solution is sufficient to support your needs.

    SharePoint - Internal survey recipients only

    A SharePoint survey is likely to be an excellent option if those being surveyed are internal only. SharePoint surveys can be efficiently configured and provide all anticipated survey functionality. SharePoint survey is particularly good if you are collaborating on the survey with other colleagues and you all need access to the survey data. SharePoint is part of the existing tools available to university staff. A survey can be created by someone with administrator admin rights: Site Setting > More Options > List > Surveys.

    Microsoft Forms - Internal and external survey recipients

    Forms can be used for external survey recipients as well as internal. Feedback from those who have used MS Forms is that it is superior to the functionality provided by external survey platform providers. It is an increasingly popular option. MS Forms allows for the easy creation and configuration of surveys, anonymous surveying, specific routing depending upon a previous answer and export of data to Excel for further analysis. The survey can be configured so that anyone with the survey link can complete it. The link can be placed on the website or shared in e-mails etc. Please do note that MS Forms is linked to your personal OneDrive account. Unless the survey is of a personal nature it is important to store the survey results in an appropriate location where others you are working in collaboration with can also access the data and not to create a silo of data. Anyone with an Office 365 account can do this by logging in at office.com and selecting MS Forms.

    External survey solutions

    These external solutions should only be used where internal options are not viable.

    Jisc Online Survey

    Data is hosted in a UK data centre. It is clear that the provider hosts and processes data only for client purposes and in accordance with client instructions as per the terms and conditions. There is a good level of overall assurance.

    Qualtrics

    Data is hosted in a data centre in the USA, but Qualtrics do use Standard Contractual Clauses which covers the restricted transfer of personal data to the USA. Qualtrics offer a good level of assurance.

    Please note that the University does have license restrictions for use of Qualtrics. Researchers should raise a ticket with the IT Helpline to query availability of this application.

    Survey Monkey

    Data is hosted in Dublin, an EEA based data centre. There are good information security and confidentiality assurances. Survey Monkey has up to date UK GDPR terms and conditions, and can be used if Jisc Online and Qualtrics are not suitable.

  • 3. Messaging, meeting and collaborative web platforms

    Microsoft Teams

    Microsoft Teams is available to staff and students, and can be used to organise meetings and host events. It should be the first option for meeting online. Further information about teams functionality is available here.

    Zoom – University account use only

    The University has signed up to Zoom and has its own account. Zoom can only be used by exception in special circumstances where Microsoft Teams cannot offer the same functionality. Private accounts on Zoom should not be used by researchers.

    Researchers will need to make a business case to apply for a license. This can be raised through the IT Helpline.

    MIRO

    MIRO is on online collaborative whiteboad platform. MIRO will use information that users provide when they sign up to the service for their own purposes as identified in their privacy policy. They may combine this with marketing information which is commercially available to them, and with other information if users use social media credentials to sign up via single-sign-on (Facebook and Google etc.). MIRO have non-exclusive use of any information you add to the platform.

    MIRO is based in the USA, and has standard contractual clauses in place to meet adequacy and security requirements.

    Where you use your university email address, MIRO considers the University to be the customer, meaning University administrators may be granted access to the account you have created.

    A comprehensive data processing agreement is in place, which sets out all required measures as stipulated by the UK GDPR.

    Please note that the University does not hold a site licence for MIRO, and the software will only be deployed on request to the IT helpline.

  • 4. Teaching and Learning – Internal solutions

    (Note – only University staff members are able to host sessions on these platforms)

    Padlet

    Padlet is an online tool that is best described as an online notice board. Padlet can be used by students and teachers to post notes on a common page. The notes posted by teachers and students can contain links, videos, images and document files.  Padlet boards can be used within live sessions synchronously or as asynchronous work between sessions.

    The University has signed up to this service, to allow Manchester Metropolitan staff members to use the platform for teaching and learning with their students. Padlet meet privacy notice and online cookie requirements, and use Standard Contractual Clauses to secure any transfers from the UK to the United States. Guidance to staff members is available on the University’s intranet pages.

    Padlet process information about users, including IP address, device and browser information, battery and signal strength, and state they may match personal information of users with other personal information about them they have obtained through other sources. Profiles are accessible to all other Padlet users. Privacy notice available at: https://padlet.com/about/privacyThe University has a privacy notice for online applications which is relevant to use of Padlet – available here.

    All Padlets should be set to ‘secret’, not ‘public’. Posts should not include personally identifiable data, and individuals should not be asked to create an account where it can be avoided; they will still be able to read and contribute to Padlets without needing an account.

    Vevox

    Vevox can be used for live polling, question and answer sessions, group discussion and surveys.

    The University has signed up to this service, to allow Manchester Metropolitan staff members to use the platform for teaching and learning with their students. Vevox meet privacy notice and online cookie requirements. Guidance to staff members is available on the University’s intranet pages. The University has a privacy notice for online applications which is relevant to use of Vevox – available here.

    Vevox offer appropriate assurances to protect University data when Researchers use the University account.

    Mentimeter

    Mentimeter is an interactive presentation system which can be used to improve engagement; to engage with the delivery of a session, provide feedback, host questions and answers, and discussions and surveys.

    The University has signed up to this service, to allow Manchester Metropolitan staff members to use the platform for teaching and learning with their students. Mentimeter meet privacy notice and online cookie requirements. Guidance to staff members is available on the University’s intranet pages. The University has a privacy notice for online applications which is relevant to use of Mentimeter – available here.

    Mentimeter implement appropriate technical and organisational measures to protect University personal data. There is a compliant contract in place, which meets the required standards.

    Kahoot

    Kahoot can be used for live polling, question and answer sessions, group discussion and surveys.

    The University has signed up to this service, to allow Manchester Metropolitan staff members to use the platform for teaching and learning with their students. Kahoot meet privacy notice and online cookie requirements. Guidance to staff members is available on the University’s intranet pages. The University has a privacy notice for online applications which is relevant to use of Kahoot – available here.

    Kahoot have considered its obligations under the data protection legislation and offer appropriate assurances to the University in the protection of its data.

    Nearpod

    Nearpod is a web-based tool which helps users to make interactive, instructional resources whether in the classroom or online.  It merges formative assessment and dynamic media for live and self-paced learning experiences inside and outside of the classroom. This includes interactive presentations that can be created to contain quizzes, polls, videos, collaboration boards, and more.

    The University has signed up to this service, to allow Manchester Metropolitan staff members to use the platform for teaching and learning with their students. Nearpod meet privacy notice and online cookie requirements. Guidance to staff members is available on the University’s intranet pages. The University has a privacy notice for online applications which is relevant to use of Kahoot – available here.

    Nearpod meet all necessary requirements to process University data, and do so in a matter compliant with UK data protection legislation.

Not recommended

  • Messaging, meeting and collaborative web platforms

    Zoom – Private account

    Microsoft Teams should always be the first option for conducting meetings, conferences and collaboration between staff and students, and research participants.

    Although researchers are able to use the Zoom and Skype University accounts, private use of Zoom and Skype is not recommended.

    WhatsApp

    WhatsApp is an encrypted communications platform, which allows users to message, voice call, video call and share content. ‘Groups’ can be created to allow mass messaging.

    WhatsApp are a part of the Facebook Companies, and receives information from and shares information with the other Facebook Companies. This includes account information including phone number, transaction data, mobile device information and IP address, amongst other data. However, neither WhatsApp nor Facebook can see any messages sent between users, and use end-to-end encryption to protect privacy. Details of contacts aren’t shared either.

    Information is transferred globally, depending on a range of factors. WhatsApp use data centres in the USA, and rely on Standard Contractual Clauses to do this.

    Upon users downloading WhatsApp, the user will be asked to  give the app permissions to access all the contacts in their phone’s directory, and subsequently to give permission for WhatsApp to upload all of the user’s phone contacts to their servers. If you use an MMU device to do this which contains contact details of staff, students and other third parties with a connection to the University, you are allowing WhatsApp to process personal data controlled by the University without justifiable reason.

    In addition, WhatsApp forbids all non-personal use of the service (i.e. for University research purposes), meaning that the agreement has to be independent between the researcher and the application, and the participant and the application. As the University is responsible for any research data collected by its researchers, this type of direct relationship between users and WhatsApp is not suitable.

    WhatsApp should not be used for University research.