Data security and information classification
Research data can be difficult to recreate and sometimes contain confidential information. Planning how data will be stored and protected is therefore important. The choice of working methods and technical solutions should ensure that data is not lost, that the management and storage solutions meet the requirements of information security and that data subject to confidentiality is not disclosed.
Read more about the University's recommendations for information security and take part in the University's course on basic information security.
See also the guide on storage, encryption and sharing of data.
Contact the Security and Safety Division for advice: security@uu.se
Information classification
In order to find the right type of solutions for data storage and other management, it is important to know what legal and other requirements apply to the type of data you are dealing with. Information classification of the project data should therefore be done before a project starts, as the outcome affects the time and resources needed to establish procedures and access sufficiently secure systems.
Information classification is made by assessing needs and data in relation to three factors: Confidentiality, Integrity and Availability. The classification is made on a scale of 0–3 for each factor, and the result is usually referred to as the CIA value (KRT in Swedish). You can classify your data yourself using the guide from the University. The guidance also contains more information about KRT values.
Confidential information in research data
Some data processed in research contains information that, for ethical, legal, commercial or other reasons, should be protected from unauthorized access. It is often a matter of information which, under the Public Access to Information and Secrecy Act (2009:400), is subject to confidentiality. It can be information:
- which may be directly or indirectly linked to individuals
- that is protected by copyright or intellectual property rights held by some party
- relating to national security or dual-use products (i.e. both civilian and military uses)
- about protected species or biologically sensitive locations
- that is the basis for patentable inventions
In order to prevent unauthorised access to this type of information, it is important to classify information (see above) and to choose technical and administrative solutions that ensure an adequate level of security. See also Storing data and collaborating.
If data with confidential information will be handled by external parties, liability as well as security measures and procedures shall be agreed on and ensured by contract. Keep in mind that in cooperation with, for example, private companies, the staff of those organisations are not subject to confidentiality in the same way as employees in the public sector. See also Permits and agreements.
Routines for information security
Before initiating a project, the technical and administrative procedures required to maintain an adequate level of security in the handling and storage of data throughout its life cycle should be planned and documented.
All employees in a project, both internal and external parties, should be informed about which data is confidential, as well as what solutions and procedures to follow to ensure that only authorized persons have access to the material. See also Routines for secure information management.
Project managers are responsible for data management within a project, but especially in the case of larger projects it is recommended that other persons in the project have the responsibility for monitoring how data is managed.
Keep in mind to:
- keep software up to date on the devices that generate, transmit or have access to data with confidential information
- not send sensitive data via email and avoid handling confidential information in public places or over public networks
- when necessary, ensure that project employees also have a secure IT environment at home
- make sure that project members are aware of information security guidelines
Control of data access
Document which colleagues have access to data and what level of permission they should have: edit and/or read permissions. Provide access at the lowest appropriate level and ensure that only authorized persons have access to the devices and systems where data is generated, stored or processed. It is often a better solution to provide file or folder-level access to a storage space than to send confidential data as email attachments. If email is used to send data, then encryption should be applied.
No chain is safer than its weakest link. It is therefore important that all systems where data is handled or transmitted have an adequate level of security, from your own computer and email management to platforms used for analysis and solutions for storing data after completion of a project. Avoid unnecessary transfer of data sets with confidential information and encrypt data moving between different systems if necessary. Ensure that data is deleted from a platform if it is no longer used for further analysis there.
Data containing personal data is confidential information which, according to the Data Protection Regulation (GDPR), may only be processed if technical and organizational measures ensure protection against unauthorised access and loss of data. When handling sensitive personal data, higher security requirements are imposed and the chosen storage solution should, if possible, support two-factor authentication. Data containing personal data can also be encrypted or encoded to increase the level of security. See also Storing data and collaborating.
Open science and confidential information
The transition to open science and the demands for transparency and reproducibility in research are increasing expectations that research data should be made openly available. However, if the data contains information that is confidential for some reason, the possibilities to publish this data may be very limited.
Data that cannot be shared openly can still be described, for example in a data repository. There you can specify contact details and the conditions for others to access the data. However, for data with high confidentiality and high protection value, in some cases it may also be justified to refrain from describing the data publicly, as knowing that certain information exists increases the risk of attempted data breaches.
Data containing personal data is usually confidential and can in most cases only be published in anonymous form. See Sharing and publishing personal data.
Confidentiality and long-term preservation
The need to protect certain information from unauthorised access is often long-term and persists even after a research project is completed. Therefore, be sure to choose storage solutions and protective measures that offer a sufficiently high level of security, even in the long term. Also strive to ensure that knowledge about the confidentiality of data does not become dependent on individual persons, because responsible researchers can leave the university. Confidentiality of data and other research documents must therefore be documented in order to ensure that a future confidentiality review can give an accurate picture of the potential protection value of the material.