...

explained how to comply with them in the case of research.

3.1.1.      Systematic management of information security

Systematic information security risk assessment and the implementation, monitoring and improvement of security measures are primarily carried out by the University of Tartu. The university is also responsible for ensuring that the information systems, tools and services provided to researchers are sufficiently secure to process personal data. A systematic approach also implies assessing and managing data protection risks (see also 2.14).

It is the researcher’s responsibility to be aware of information security risks, follow agreements and guidelines, and seek assistance when necessary. The university’s guidelines on cybersecurity may be helpful.

3.1.2.      Needs-based access to personal data

Access rights management is one of the most common security measures a controller may implement. A prerequisite for restricting access is a clear overview of the researchers who need to process personal data for research purposes. It is important to ensure that those who do not need to process personal data cannot do so intentionally or unintentionally. If students are involved at any stage of the research, a confidentiality agreement must be concluded with them.

It may be necessary to retain log files to verify access rights, especially in the case of long-term research where large amounts of sensitive data are processed. It is also worth paying more attention to access rights if it is known that members of the research team will change more frequently than usual.

3.1.3.      Secure transfer of data

If personal data need to be transferred to another researcher or research institution, it must be ensured that their integrity and confidentiality are not compromised in the process. For example, where possible, the transfer of a copy of personal data by email should be avoided if the recipient can be given access through the information system where the data are stored. If sending the data by email is the only possible solution, the data should be encrypted, or other measures should be taken to avoid the possibility that the data can be seen by anyone other than the addressee.

An example of a security risk is transferring personal data via a memory stick or other external data carrier that could be lost. If this is nevertheless done, both the data carrier and the data file on it should be encrypted to ensure security.

3.1.4.      Secure storage of data

Stored data must be protected against unauthorised modification and access. How this is done depends on the options available to the researcher and the tools used:

...

There are many other criteria to be taken into account for securely storing personal data, such as the sensitivity of the data, the amount of data, the availability of the data, the possibility of managing access, and the equipment and software used for processing.

3.1.5.      Backing up data

Back-ups help ensure the integrity and availability of data if they are destroyed or significantly damaged by accident, malicious activity or negligence. The 3-2-1 rule is used in data management: data should be backed up in at least three copies, on at least two different data carriers or environments, one of which should be located elsewhere.

...

Chapter “Storage and back-up” of the guidelines on creating the data management plan by the University of Tartu Library

3.1.6.      Awareness of the possibility of breaches

Breaches should be reported immediately to the senior specialist for data protection by email to andmekaitse@ut.ee (see also 3.5).

3.1.7.      Appropriate services, software and tools for processing personal data

The tools used to process personal data must ensure the secure processing, confidentiality, availability and integrity of personal data, as well as the legal protection of the data subject. A distinction can therefore be made between tools based on whether the data are only accessible to the processor or also to the creator of the tool and the service provider, e.g. the owner of the survey environment, the repository administrator or the company licensing the software.

...