Scholarly research strives to be transparent and open as a rule, but at times there are ethical, legal or commercial reasons not to share all data openly at all times. For all types of research data, preventing data loss or manipulation is as important as providing access to data for all authorized users. Data where restricted access is necessary due to risks associated with unauthorized access are said to be confidential data or sensitive data.
The level of confidentiality depends on the severity of the consequences if there is a data breach. With a higher level of confidentiality, more thorough security measures are necessary to prevent risks of unauthorized access. Contact IT Support for more advice on information classification.
This is not a complete guide that goes into detail for all types of confidential data and all types of research projects. The guide focuses on general good practices at different stages and levels in research, while details of specific technical measures may vary from case to case.
Avoid using e-mail or direct links for data transfer
Don’t send confidential data via e-mail or share unrestricted links to folders containing confidential data.
Avoid working with confidential data in public places over public networks
Skip the free Wi-Fi at cafés, hotels etc. when transferring data. Also make sure that your home network is password-protected if you work from home.
Avoid clicking on links in unknown e-mails or other messages
Only click on links when you trust the sender, and you are certain that the message is actually from the supposed sender. Be careful also when downloading files.
Make a plan
Before starting your study, make a plan for how to work with data. If you handle confidential data, you need to plan how to store, share and analyze that data to avoid unnecessary risk of data leakage. When a data breach may cause harm, a risk assessment is recommended to find out if extra security measures are needed.
Arrange training
Ensure that everyone involved in the project is aware of what data has to be treated as confidential and what this implies for data management. For higher levels of confidentiality, user education for working with sensitive data is recommended.
Have all collaborators agree on important practices
In collaborative projects, discuss data management with all collaborators and agree on a common platform for storing, sharing and accessing data. Make sure that you can control access rights and trace who has accessed the data (i.e. logs and versioning exist over the time of the project). Have licenses/agreements in place with the platform service provider that ensure access in a controlled way for the lifetime of the project, and a plan for what will happen to the data after the project. For larger projects, it is of special importance to make someone in the project responsible for data management.
Keep control of who has access to data
Create and update a list of all persons and systems that are allowed to access the data, and maintain control over who has access to the data. Ensure that the project manager/the person responsible for data management keeps control over access to data in the project.
Control data access on an appropriate level
Set access control at folder level rather than sharing links, and give people access only at the lowest level necessary. That is, add people who need to work with the data to the folder as co-owner/editor if they need to process the data, and as viewer if they only need to view the data but not edit the data files.
Control physical access
Make sure that no unauthorized persons have physical access to devices used to generate, process or store sensitive data.
Be careful with data in the analogue world
Confidential data is still confidential when printed on paper or communicated orally, so don’t leave the papers in the printer, or on the coffee table together with your unlocked laptop at the airport when you go to grab another coffee. Don’t talk loudly in public spaces about sensitive information.
Minimize data transfer
Minimize unnecessary transfer of data. Necessary transfer should still occur, e.g. to achieve good redundancy, for back-up/archiving or for using computational services. If you need to transfer data to a web-based software/service used for a limited time, make sure the data is erased after use of the service. Also ensure that you have safe copies of all the data you need before deleting it from such a service.
Use encryption during transfer and storage
Whenever unauthorized data access can cause severe damage, use encryption as a security measure.
Enable multi-factor authentication
Enable multi-factor authentication if it is available in the systems used, to add an extra security layer. Multi-factor authentication is emerging as a requirement for access to very sensitive data such as sensitive personal information.
Describe the data and how to get access to the data
Even though confidential data cannot be published as fully open data, it is good research practice to document the data with sufficient metadata so that someone else can understand how the data was used to achieve the published results. It is also important to describe how/if data is accessible. In most cases, the metadata, including information on the conditions for getting access to the data, should be published even for confidential data, while direct access to the data is restricted.
Unsure about what to publish? Make a risk assessment first
There are a few circumstances where data is subject to secrecy and has a very high protection value, where publishing the metadata should also be restricted due to a high risk of a security breach when describing how to get access to the data. If you suspect this may be the case, perform a risk assessment with a focus on information security before publishing any description of your data.