Protect your data as a researcher
The following tips from the security organization DKCERT are intended to help researchers protect their research data from loss and/or abuse.
It may have serious consequences if you, as a researcher, do not pay sufficient attention to information security.
- Poor security may allow non-authorized parties to access your experiment data or conclusions before you have the opportunity to publish them.
- Moreover, if the data contain sensitive personal information, you risk prosecution for breaching personal data legislation.
- And if you fail to protect your data properly, there is a risk that they may simply disappear the day before you start to analyse them.
A quick search of the Internet will return a lot of good tips and advice about information security in general. This advice is also relevant to researchers. Here, DKCERT has collected a selection of security tips and hints with the emphasis on the issues that particularly affect researchers.
All information security has to do with protecting three aspects of data:
- Integrity—non-authorized parties must not be able to change the data
- Accessibility—authorized users must be able to access the data they need
- Confidentiality—only authorized users must be able to access the data
When you begin work on a new project, it is a good idea to start by considering the type(s) of data you will be processing. Divide them up into categories depending on how sensitive and/or important they are.
Once you have identified your data, you can run a risk assessment based on the following classification: What risks may pose a threat to my critical data? What can I do to minimize these risks?
Don’t forget: data protection is always the responsibility of the data owner.
Protect any sensitive data you have stored
When you work with confidential data, you must make sure to protect them against non-authorized access. You can apply access control systems to assure confidentiality. To boost security, you can supplement your access control measures with encryption. This will mean that the data are coded—so even if non-authorized parties should gain access to them, they will not be able to read them without the right decryption key.
You can assure accessibility by making back-up copies. This will mean that you always have a copy if the original files are lost in a fire, for example, or on account of a hard drive crashing. Another option is to run two systems in parallel.
As a rule, you—the researcher—should not have to implement access control, encryption or back-up systems yourself. However, you must make sure that the IT systems placed at your disposal deliver the necessary level of protection.
If you choose to place the data from your research project with an external supplier, you need to ask the same questions. For example, will back-ups be taken of your data when they are stored in a cloud system? And does the cloud storage provider live up to the requirements laid down in the Danish Act on Processing Personal Data (Persondataloven)?
Please note that you may also have to notify the Danish Data Protection Agency about your research project. This applies, for example, if you are working with information about the purely private conditions of individuals in a private research or statistical project. Notification is not required for other research projects, but the researchers involved must still comply with the applicable personal data legislation.
Communication of sensitive data
As your research project progresses, it is likely that you will need to communicate with other researchers. This may involve the use of chat systems, email, video conferencing, phone calls or special collaboration platforms. No matter what technology you choose, you should always think about how best to secure your data.
If you are working with data protected by personal data legislation, you need to make sure to fulfil all the requirements. In this context, it may be a good idea to use services that store data locally in Denmark.
If you exchange confidential data in electronic format, you should apply some kind of encryption. This will ensure that non-authorized parties cannot read the data even if they should succeed in intercepting them.
Take care of your hard copies
When you send a document to a printer, it may be seconds or hours before you pick it up. Throughout the period that the hard copy of your work lies unattended, anyone at all can access it. They have time to remove it, or to take a copy of it—which would leave you unaware that your data have fallen into the wrong hands.
Therefore, always make sure to pick up your printed documents as quickly as possible.
You can also use what is known as ‘follow-me-print’ (or ‘pull printing’) if this is an option. ‘Pull printing’ systems queue your printing jobs and only actually print them when you are standing next to the printer to pick up your document.
Even after you have picked up a hard copy document from the printer, it may still constitute a security risk. What happens if it falls into the wrong hands? So once again, you need to have a secure place to store your papers. As a minimum, you should keep them in a locked office, but a locked, fire-proof cabinet may be more appropriate for critical documents.
When a hard-copy document is no longer useful or needed, it is a good idea to shred it. This eliminates the risk of non-authorized parties picking it out of the refuse container.
Destruction of data
It is not only hard-copy documents you need to destroy when they are of no more use to you. It may also be relevant to destroy digital data.
As a rule, it is not sufficient to delete data simply by using the ‘delete’ command in your operating system. If you have physical access to the disk on which the data are stored, you can use special deletion software to delete them effectively. If you have to be absolutely sure, you can use a powerful magnet to wipe the disk completely.
If you have stored your data on a cloud system, it is much harder to ensure that they have been permanently deleted. Check in advance whether the cloud storage provider can guarantee deletion. If not, it would be better to store your data elsewhere.
A number of providers offer services that ask web users questions and collect their answers. This is often an easy and inexpensive way to perform questionnaire surveys.
Before you select a service, however, you should check where it stores its data. If you will be working with sensitive data that are subject to personal data protection legislation, you must make sure that the service complies with all the applicable rules and regulations.
Always make sure to ask who has access to the data collected by the service. Once again, this is particularly important if you will be working with sensitive personal information or other types of confidential data.
Travel and conferences
When you travel on business—to conferences and meetings, for example—make sure to take good care of your equipment. Never leave a bag containing your laptop, tablet or smartphone unattended, not even in the conference auditorium.
If you need to access the Internet, it is best to avoid Internet cafés and other places that provide open wireless networks. If you have to use a wireless network, you should use a VPN (Virtual Private Network) solution. This will ensure that your communication is encrypted.
Never read confidential information on a screen while you are sitting in a bus, train or plane. This may expose you to what is known as ‘shoulder surfing’, which means that the person sitting behind or next to you can read along with you. Consider protecting your computer screen with a filter that restricts the angle from which it can be read.
Also think about what you say during telephone conversations you have in public places.
Only ever use power units that you have brought with you. Avoid taking advantage of offers such as free USB charging systems in airports and similar. Using these services may expose you to the risk of connecting to an external drive that non-authorized parties can use to make copies of your data.
General information about information security
- Protect your equipment against harmful software by installing security software such as antivirus programs
- Always keep your software—both operative systems and applications—updated to the latest version
- Use secure passwords (combinations of capitals and small letters, numbers and special characters)
- Do not use the same password for multiple services
- Use a password manager program to keep track of your unique passwords
- Avoid lending or borrowing USB pens, as they may often be infected
- Always take a sceptical approach to the contents of emails, even though they may seem to stem from a trustworthy source
- Never open attachments or links you receive in unsolicited emails
- Use two-factor authentication where possible. These are systems that—over and above a password—require you to enter a one-time code on certain occasions.
General advice about mobile units
The following advice applies to smartphones, tablets and laptops:
- Protect your unit with an access code
- Encrypt the data stored on the unit
- Limit the number of apps that have access to the institution’s systems. If possible, protect them with an extra code
- The Danish Data Protection Agency: Research in the public sector
- The Danish Data Protection Agency: Research in the private business community
- Researcher portal: Research involving personal data
For additional information, please contact:
Torben Sørensen, journalist for DKCERT/DeiC