Data ownership is the university’s- I get that. They are required to store it for a further 5 years. But because it is sensitive and must be stored on encrypted university RDS, I can’t access it after I graduate. Only current staff and students have RDS access. But it is my data. I want to continue analysing it. Has anyone else solved this problem?

Never experienced this problem but you might be able to get a guest account. I know several universities have accounts for unpaid research associates, placement students and visiting researchers. You would need to ask your supervisor to create a fake role so you qualify for a guest account.

Considerations;

1) Does it really need to classify as 'sensitive' - which generally implies it's personal data with particular sensitivity (unless you've been researching the University's latest shady cash/league table-grab, and it's sensitive in that more colloquial sense). Is it sensitive data because analysis critically requires you track back a case to a specific individual, or is their name just sat in a column for no good reason? If you cannot tie it to an individual directly or indirectly, and have certainty of that, anything else typically becomes irrelevant. Absolutely cases exist where personal data is required, but I've more often seen students get completely caught up in all the red-tape around managing personal data when it may well have been viable to anonymise at point of collection, or they've mistakenly assumed their data is personal or sensitive when it isn't.

2) What many people do is quietly put in on a pen drive, and analyse/publish later. They get away with this in 99.9% of cases because Universities don't actively hunt them down, or indeed care at all about this kind of data breach unless they risk any liability (in which case they care very much). To get in trouble on this you'd probably not only need to 'steal' the data, but also publish something unethical, that someone takes notice of, and a witch hunt begins. I don't recommend you take this approach, obviously, but what a lot of people would do would be to anonymise the data then copy it.

3) Proper thing to do is ask *academically* for access rights explaining you intend to publish to the benefit of the institution. Do not ask ITS. What ITS will say to 'can I access the RDP after leaving for [complex reason]' is 'no', ticket closed, policy followed, easy life. What you need is an 'on high' instruction to ITS to make it happen from an academic.