6. Data storage and security
Learning objectives
When you have completed this lesson, you will be able to:
- Explain what data classification is and why data classifications are important
- Describe what infrastructure for and guidelines on data storage and security are available at UCPH
- Reflect on your own plan to store data securely
____________________________________________________________
Why focus on storage and security
You may have experienced a ‘data storage scare’ at some point in your studies, such as a missing USB stick, a laptop that crashed before you made a back-up, or the notes you lost before you had a chance to transcribe them. To prevent losing data, accidentally modifying data, or even worse, having sensitive data or confidential data fall into the wrong hands, you should design a solid plan for managing and storing your data securely whenever you start a new project. In this lesson we take you through the various steps to consider.
Please note that you can read more about the long-term storage of your data after your project has ended in Lesson 8. Data preservation.
____________________________________________________________
Information security
Information security is a collective term for the actions taken to protect information (such as the data or material you work with in your Bachelor or Master project) from unauthorised access, (mis)use, disclosure, modification, destruction, or loss.
____________________________________________________________
Data classification
A first step in deciding how to safeguard your data is to classify your data. Data classification is the process of categorizing the data and materials in your project based on their sensitivity or confidentiality and on their importance. The purpose of a data classification is to determine the appropriate level of protection and the procedures you need to have in place.
UCPH's classification model is based on the following parameters:
- Confidentiality: How important is it that the data are kept confidential? This parameter applies to non-personal data
- Sensitivity: How important is it that the privacy of people is safeguarded? This parameter applies to personal data
- Integrity: How important is it to prevent data loss or unintended modifications of data?
- Availability: How important is it that data remain available to you without interruption?
- Value: How valuable is your data? How many resources are needed to recreate the data?
You can read more about UCPH's data classification model on UCPH's webpages on information security.
We will not go through that model in detail here. However, if you continue at UCPH as a PhD student or researcher in the future, it is important that you familiarize yourself with the model at that point.
For the purpose of this course, it is most important that you can distinguish between the following data types, which we already introduced in Lesson 2. Research Data - types, formats and sizes:
1. Personal data
Personal data are data that can directly or indirectly identify a person. Personal data can be divided into:
You can read more about personal data types on the website of the Danish Data Protection Agency. Access to personal data by unauthorized persons, or loss of personal data, can have consequences for the persons who provided the data. Therefore, when you manage personal data you should adhere to the General Data Protection Regulation. Among other things, this means you must have the necessary security measures in place.
2. Confidential data
Confidential data are data other than personal data to which only a limited number of people should have access, and where accidental or deliberate exposure of the data can have considerable consequences. Examples are:
3. 'Normal' data
You may work with data that do not necessarily need to be kept confidential. This is the case when there are no ethical or legal reasons for access protection and the data can be disclosed without negative consequences. Some examples are:
Please note that even if there are no ethical or legal reasons to safeguard your data, there may be many other reasons why it could be important to prevent data loss or unauthorized access to the data:
- If it is important to you that no one else accesses the data until you publish your results in a thesis or publication, or until you have presented the results at a conference.
- If it took you a lot of time, money or effort to produce the data.
- If the data are based on rare samples, specimens or artefacts and the data are therefore difficult to reproduce.
- If the data have value to others and could be used in new projects.
I have classified my data – what's next?
The goal of a data classification is to determine what security measures you should have in place to protect your data. There are different types of security measures you should take into account to safeguard your data, and whether or not you can use them depends on the classification of the data. Consider the following security measures:
Below, we go through them one by one.
____________________________________________________________
Technological measures to safeguard data
Technological measures are the IT solutions you choose to manage and store your data. Below are some guidelines to follow.
Pick the appropriate data storage solution
There are multiple locations in which you can store your digital data, each with their strengths and weaknesses. Below is an overview of storage solutions that will cover most students’ needs. However, there may be specific storage and management requirements in your particular project or for your specific data type. So always double check with your supervisor about where to store your data.
UCPH's cloud storage solutions (Microsoft OneDrive)
At UCPH, all students have access to a Microsoft OneDrive account. It is the default solution that students should use to store normal data.
Advantages: Microsoft OneDrive is easy to use and allows you to share your data with others enrolled/employed at UCPH or elsewhere. Microsoft OneDrive also has automatic version control, so you can keep track of different versions of your files.
Disadvantages: You cannot use Microsoft OneDrive or any other cloud storage solutions for the storage and sharing of confidential or personal data.
Other information: The University strongly recommends that students use UCPH’s Microsoft OneDrive accounts, instead of personal OneDrive accounts or cloud services such as Dropbox or Google Drive. This is due to the security agreements UCPH has set up with Microsoft. Please talk to your supervisor if you want to use other cloud services besides MS OneDrive and ensure that you have discussed the risks and the consequences of such solutions.
UCPH's network drive for students (T-drive)
At UCPH, all students have access to their own personal T-drive via Webfile. Your T-drive has a storage capacity of 10 GB. It is the default solution to use to store personal or confidential data.
Advantages: Data are automatically backed up on a regular basis and access to data is password protected and controlled, which makes the T-drive suitable for storage of personal and confidential data.
Disadvantages: You will lose access to the T-drive 3 months after your enrolment at UCPH ends. Your T-drive is your personal drive, which means that you cannot use it to share data with others in your project. If you need to share confidential or personal data with others enrolled or employed at UCPH, you will need to ask your supervisor to establish a so-called S-drive and invite you to this S-drive.
DeiC Storage
The Danish eInfrastructure Consortium (DeiC) is a national organisation and collaboration between the 8 Danish universities and provides data storage, management and compute solutions to these universities. From the end of 2024 all students in Denmark will have access to DeiC Storage.
Advantages: DeiC Storage allows you to share your data with others, enrolled/employed at UCPH or elsewhere. In addition, your data will remain stored at DeiC Storage for at least 10 years, even if your enrolment with UCPH has ended.
Disadvantages: DeiC Storage cannot be used for the storage of personal or confidential data.
Portable devices such as laptops, USB sticks and portable hard drives
Advantages: Portable devices are convenient to use, for example when conducting fieldwork.
Disadvantages: Portable devices can easily be lost, damaged or stolen, and are therefore considered high-risk storage solutions. They can only be used for normal data, and must never be the only location where you store your data. Portable devices must never be used to store unencrypted personal or confidential data.
Protect your computer and your passwords
Never share your computer or your logon details with others! Your identity, access rights or privileges can be misused for unauthorised purposes, and you can be incriminated if your logon credentials are shared, leaked or stolen.
Set up good passwords to restrict unauthorized access to files, folders, accounts (e.g. KUmail and Absalon), laptops, portable devices and more.
A secure password is:
Long: A password should consist of at least 12 characters – but preferably more. You do not need to use special characters in your password. The most important thing is to create a long password that is easy to remember.
Strong: Do not create passwords using words that are related to your everyday life, for example, passwords that are easy to guess when someone knows you well. Such information is very easy to find by using a search engine. Weak passwords are, for example, your child's name, your pet, your address, your workplace or other things from your everyday life.
Unique: Avoid passwords that consist of a single word or a number combination. Hackers systematically try to access your account and use long lists of words in different languages that they find by searching in dictionaries, on Wikipedia, in the Bible or other sources on the internet. For example, if your password is 'Summer', 'London' or another word that can be found in a dictionary, hackers can more easily get access to your data.
You can choose to use a password manager to make unique passwords for each log-in place and to keep track of them. Bitwarden is an example of a password manager to use. Change your passwords once in a while, for example, every 6 months for user accounts.
Encrypt your disks and files
Encryption is the process of converting data into an unreadable code using encryption software. Encrypted data can only be opened by persons who have the relevant decryption key or password. Depending on the software used, you can encrypt data files and folders, but also hard disks and portable devices such as USB sticks.
Make back-ups
Another step to prevent data loss is to make regular back-ups of your data, especially if your data are stored using a data storage solution that does not offer automated back-ups. Choose a back-up frequency that matches the amount of work you are ready to lose and never store your back-ups and original data in the same place (unless the data are automatically backed up). Data on the UCPH network drives (T-drive/S-drive) are backed up automatically and data can typically be restored to a previous version.
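As an added illustration (not part of the original lesson and not a UCPH tool), the Python example below makes a manual back-up of normal data, refuses to place the back-up inside the original data folder, and records a SHA-256 checksum for every file so that missing or changed copies can be detected later. The function names and the sample files are assumptions constructed for this example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large data files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def make_backup(source: Path, destination: Path) -> dict:
    """Copy every file under source to destination; return {relative path: SHA-256}."""
    source, destination = source.resolve(), destination.resolve()
    if destination == source or source in destination.parents:
        raise ValueError("back-up must not be stored inside the original data folder")
    manifest = {}
    for item in sorted(p for p in source.rglob("*") if p.is_file()):
        relative = item.relative_to(source)
        target = destination / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(item, target)  # copy2 also keeps timestamps
        manifest[relative.as_posix()] = sha256_of(item)
    return manifest

def verify_backup(destination: Path, manifest: dict) -> list:
    """Return the files that are missing from the back-up or no longer match their hash."""
    problems = []
    for relative, expected in manifest.items():
        copy = destination / relative
        if not copy.is_file():
            problems.append((relative, "missing"))
        elif sha256_of(copy) != expected:
            problems.append((relative, "modified"))
    return problems

def demo() -> list:
    """Constructed sample project: back it up, damage the copy, then verify."""
    with tempfile.TemporaryDirectory() as work:
        project, backup = Path(work, "project"), Path(work, "backup")
        (project / "raw").mkdir(parents=True)
        (project / "raw" / "measurements.csv").write_text("id,value\n1,0.42\n")
        (project / "notes.txt").write_text("constructed sample notes\n")
        manifest = make_backup(project, backup)
        assert verify_backup(backup, manifest) == []  # a fresh back-up is intact
        (backup / "raw" / "measurements.csv").write_text("id,value\n1,9.99\n")
        (backup / "notes.txt").unlink()
        return verify_backup(backup, manifest)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest together with the back-up and run the verification before you rely on a copy to restore your work.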
Update your devices
You should regularly update all your devices, such as your laptop, smartphone or tablet, to install the latest security updates. This helps protect your devices against threats such as hackers.
Be aware of cyber-threats
- Learn to recognise phishing mails. Do not reply and do not click on links in emails you are not absolutely sure are secure. If you accidentally click on a phishing link or submit your information, contact KU-IT as soon as possible at UCPH-IT-Support@ku.dk
- Read and evaluate pop-up windows before clicking OK, especially when the operating system asks you to authorize changes or software installations.
Use your email securely
Protect data in transit. If you work with personal or confidential data, these data can be sent from a UCPH email account to another UCPH email account (UCPH Outlook), as these e-mails will be encrypted in transit. Never use a non-UCPH email account/address to send personal or confidential data! Don’t forget to delete the emails/files in Outlook after the data have been transferred.
____________________________________________________________
Physical measures to safeguard data
Besides safeguarding your digital data, you should also think about how to securely store any physical material used in your project, such as biological samples, notebooks, paper interviews, books and artefacts, as well as how you secure access to digital files. Examples to consider are:
- locking your office door and shutting down your computer when you leave the office.
- using a privacy filter on your computer screen to prevent others behind you from seeing your screen.
- ensuring that any valuable materials and equipment are not left in plain sight.
- ensuring that an alarm is set-up on the freezer holding your samples to alert you in case of freezer malfunction.
- keeping your notes in a locked filing cabinet.
- ensuring appropriate climate control of storage rooms when you work with valuable samples/artefacts that are vulnerable to fluctuations in temperature and humidity.
- shredding and properly disposing of paper documents containing personal or confidential information when you no longer need them.
- having a system in place to document inventory if you work with a large number of samples or artifacts, so you can easily spot if anything is missing.
____________________________________________________________
Procedural and operational measures to safeguard data
The way you organise your project and design your methods can also influence the security of your data. Examples of procedural/operational measures to consider are:
- Ensuring that a plan for security is drafted and agreed upon (e.g. with your supervisor) at the start of the project and recorded in your data management plan. This also includes planning what data must be destroyed and what could be kept after the end of your project.
- If you work as part of a team, limiting access to any personal or confidential data in your project to specific people, instead of to the whole team.
- Anonymizing any personal data as soon as possible.
- Questioning the security of any software tools or services you use to manage your data, if they are not provided by the university. Check with your supervisor if you are unsure.
____________________________________________________________
Data storage and security in practice
Bachelor student Frida Birkedal Christiansen and supervisor Nicole Schmitt, Faculty of Health and Medical Sciences, talk about data storage and security.
____________________________________________________________
Test yourself
Check whether you captured the main points of this lesson:
Quiz: Data Storage and Security
____________________________________________________________
Continue with your DMP
Address how you will store and secure the digital data and physical material in your project by answering the questions in section 6. Storage and Information Security of your data management plan (DMP):
6.a Describe where you will store digital data and physical material.
6.b Describe what you will do to make sure your data/material are protected against loss, theft, unauthorised modification, and unauthorised access.
If you haven't begun filling out your DMP yet, you can find the DMP template here: UCPH DMP Template for Students
Remember to discuss the data management plan with your supervisor at the start of your project. Keep the DMP stored along with your data.
____________________________________________________________
Practical tips and resources for data storage and security
1. Classify your data at project start: as a minimum, determine whether you will be working with personal data, confidential data or normal data.
2. When determining where to store your data, use the storage solutions offered by UCPH as a starting point:
| Who needs access to the data? | Personal or confidential data | Normal data |
| --- | --- | --- |
| Only yourself | T-drive | MS OneDrive |
| Others at UCPH | S-drive, set up by your supervisor | MS OneDrive |
| Others outside UCPH | Contact KU-IT and ensure there is a contract regulating data access | MS OneDrive; DeiC Storage (from winter 2024/2025) |
Find information about storage solutions here:
- T-drive : KUnet > Study information > [Choose your study portal] > Planning your studies > Rules and dispensations > How to collect and process personal data > How should I store files that contain personal data?
- S-drive: Direct your supervisor here.
- MS OneDrive
- Information about DeiC Storage will be available from winter 2024/2025.
In some specific situations, the University’s storage solutions are not suitable. If this is the case for your project, please ensure that you and your supervisor have reviewed whether the storage solution you want to use has the appropriate security features to safeguard the class of data in your project. If you need help with this, ask your supervisor to contact KU-IT.
3. Consult the guidelines on information security on your study programme’s information pages at KUnet > Study Information > [Choose your study portal] > Campus, student life and IT > IT and Support > IT security (English)
You can also watch a number of short videos on IT security:
On the importance of locking your computer and doors
About phishing e-mails
About the security of physical material
4. When you work with personal data, take the GDPR course for students (only for UCPH users) and consult the pages on your study portal about managing and storing personal data: KUnet > Study Information > [Choose your study portal] > Planning your studies > Rules and exemptions > How to collect and process personal data (English)
5. If you want to know what UCPH's rules are for data storage and security, consult The UCPH policy on research data management and The UCPH policy on information security.
6. Look up terms related to research data management in the RDM Glossary.
____________________________________________________________
Published in 2024