
Shared responsibility for information security

As a researcher, you are independently responsible for secure data management while the project is in progress, and you must, as far as possible, make data available at the end of the project. INN University as an institution must ensure secure and user-friendly services for researchers.

Researchers have an independent responsibility to familiarise themselves with data management routines and to follow them in order to safeguard information security. Research data is valuable and must be protected because it is the product of intellectual effort, time and money, and is often demanding or impossible to replicate. When collecting and storing personal data, information security requirements become even stricter.


INN University as an organisation is primarily responsible for preventing, detecting and managing possible breaches of information security, i.e.:

  • Unauthorised parties gaining access to confidential data (= confidentiality).
  • Information and systems being modified, damaged or deleted in unauthorised or unintended ways (= integrity).
  • Information and systems being lost or unavailable when needed (= availability).

In addition, your personal ‘netiquette’ always has a bearing on information security.

As a researcher, you are responsible for:

  • Following ‘Guidelines for research data at INN University’.
  • Always using the University’s data services based on Feide logins when processing personal data or other data that should be protected.
  • Not exchanging data via e-mail, Messenger, SMS or memory devices.
  • Never using private cloud services or private file folders for the collection and storage of project data. This applies to Google Drive, iCloud, Dropbox, personal Office 365 services, Filr, Slack, Figshare and more. These are examples of digital services with which INN University or the Norwegian higher education sector as a whole does not have a data processing agreement. In practice, this means that data ends up outside of INN University’s ownership and protection, which constitutes a breach of information security under articles 29 and 30 of the General Data Protection Regulation (GDPR).

As a researcher at INN University, you are permitted to:

  • Use your own personal equipment/devices, such as PCs, Macs, smartphones or tablets. Who owns the device is irrelevant. The important aspect is which cloud service account you log into; as a minimum, you must always log in using Feide.

Why must you only use INN University’s data services when processing active research data?

  • The data services that INN University and/or the higher education sector have entered into data processing agreements with are all based on Feide logins as a minimum to ensure that you can get started correctly. These services have been developed with privacy by design, greatly reducing the likelihood of security breaches.
  • INN University owns the data and will be the data controller for personal data while your project is ongoing. If data is released to personal cloud service accounts, INN University will lose ownership and can no longer fulfil the processing responsibility as required by the General Data Protection Regulation (GDPR).
  • The services chosen all enable access to data for partners in a safe and traceable manner.

Why these limitations? Why are things so strict when it comes to research data? What are the applicable principles?

  • Project data must be stored in one place! You must not duplicate data via e-mail attachments, Filesender, copies to private folders, memory sticks, external hard drives, etc. If you want to share data with others, you must assign access to your own or your project team’s INN University OneDrive/SharePoint, Educloud or TSD folder. This must be done in order to comply with the data protection principles of the GDPR regarding data security, access, correction and deletion. For example, if one of your informants exercises their right to control of their own data and wishes to correct or erase data, this would not be possible if data is spread across multiple locations and to several partners, including a transcription service. The ultimate consequence of a breach of the GDPR is a project suspension and notification to the Norwegian Data Protection Authority.
  • In any case, duplication of datasets will require careful control of the latest version of raw data and analysis files. It is easy to make mistakes, and it is far safer to store data in one place with access control and a log of who has opened different file folders.
  • Active research data cannot be duplicated or removed from the ‘room’ into which one has logged in. Researchers with access rights must log in to access the data; the data must not be sent to them. If research data is to be made available to others, the project manager determines access rights (write and/or read permissions) for all or parts of the data sets.
  • You cannot store research data in private cloud services, only in cloud services owned by INN University or the higher education sector. For example, an Office 365 account that includes SharePoint and OneDrive folders must be created with your employee/student Feide user account, NOT with a private account without a Feide login and with an email address other than inn.no! SharePoint and OneDrive folders accessed via Feide must be preset not to sync with corresponding private accounts.

Active research data must be stored in one place. If several people are to work on the same data, access to the ‘data room’ is allocated, and data must never be duplicated and sent out or transferred to other people’s computers by e-mail, USB, etc. or to cloud accounts. The principle is data access control, not the sharing and copying of data while the project is in progress.

Published Aug. 10, 2023 1:28 PM - Last modified Aug. 10, 2023 2:43 PM