Protect the data
Data security, in this context, means to store the data securely throughout the research project. You can protect the security by changing passwords regularly, never send passwords by e-mail, and always log out when you leave your workstation. You should also be careful when you store data on external devices. Most HEIs have adopted guidelines for data security based on information classification levels. These guidelines contain rules for data management on desktop and laptop computers, other external media, and cloud services. Apart from the HEI guidelines, the Swedish Authority for Privacy Protection have some advice on information security.
Secure data management during the project means, in short, that the data need to be accessible to people who will work with them, but inaccessible to unauthorised people. You should make sure that the project data are stored in a way that not only protects the data from being lost or corrupted, but also protects them from unauthorised access. Data security is connected to three environments:
- Technical environments: data are stored on secure hard drives, and there are routines for backup and encryption.
- Physical environments: the rooms where computers and hard drives are located are locked or the data material is stored in a safe.
- Administrative environments: the information owner controls who has a key to the physical environments, and who has a password and authority to read and write in the systems.
Because you don’t want to accidentally lose or destroy necessary data, it is important that you have a secure backup solution where you regularly back up your data material. As files can go missing if the hard drive crashes or your computer is stolen, we recommend that original files are never saved on your computer’s hard drive, especially not if your computer is a laptop, but on a secure server. Research data should also never be saved on USB drives, CD/DVD discs, external hard drives, or similar devices (unless there is a copy of the data in a secure storage area), as there is a risk that the storage medium gets broken, is lost, or stolen. If you are unsure of which type of storage solution to choose, consult with your local IT Services. (Read more about storage in connection with personal data in Research material with personal data.)
Information classification is a method for protecting data security. Most HEIs have routines for classification of information assets based on guidelines from the Swedish Civil Contingencies Agency (MSB) (available only in Swedish). As a researcher and employee, you need to be aware of your organisation’s information classification guidelines, so that you can classify the research materials in your project. When you know the data classification level, you can also find out which security measures you need to take to protect the security of the material.
Information classification is the process of assessing how a certain material needs to be protected. The starting point is the security aspects confidentiality, integrity, and availability.
Confidentiality means that the information is accessible only to authorised individuals.
Integrity means that the information is protected from unauthorized modification or destruction, whether from unauthorised access, by mistake or by a system disruption. The information must also be traceable, so that modifications can be traced back to the person who changed the information.
Availability means that the information needs to be accessible as needed, when needed.
Regardless of the local application of guidelines, information classification is a matter of assessing the potential impact if the information would be disclosed to unauthorised people, corrupted, or not accessible when needed. An impact assessment is made using the specific criteria for the HEI. The impact can be, for example, “Low”, “Moderate”, and “High”, depending on what consequences unauthorised disclosure, destruction, or lack of access to the information may have for the organisation or individual. This assessment will then inform how protected the material needs to be.
Example: Data need to be stored with very high security if unauthorised modification, destruction, or disclosure may have severe or catastrophic impact for the HEI, another organisation, or one or more individuals. Those data should be stored on a hard drive with strong authentication, in a locked and protected locker which only a limited number of people can access. If data are being transferred electronically, they need to be protected by qualified encryption. They also need to have qualified protection against unauthorised modification of the material, such as login with certificate-based digital signatures, as well as routines for backup and change logs.
An information classification assessment should be made early on in the project planning. How the project data are classified affects how much time and resources are needed in order to create or gain access to systems and routines that are sufficiently secure. In some cases, you may need to develop a specific storage solution together with your local Security and IT Services.