For personal data, security means, in particular, ensuring the integrity, availability and confidentiality of the data. Security is ensured by both technical means (e.g. equipment, software) and organisational measures (e.g. access rights, training). To ensure that security is maintained, the adequacy of the tools and measures used must be reassessed from time to time. For example, the measures taken for a research project conducted five years ago may no longer be adequate for a new project.

The integrity of personal data is compromised by any activity that involves unauthorised modification or deletion of data, such as theft, cyber-attacks, technical failures of equipment and systems, or accidents. In the case of research, it can even mean the failure of the study because there is no longer enough data or the data cannot be analysed. Integrity can also be undermined by negligence when researchers accidentally alter or delete data. Back-up and data processing software that does not modify the underlying data during analysis can help protect against such errors.

Availability requires that personal data are easy to use for the purpose for which they were collected. For example, storing data on an offline device may be secure, but it can significantly reduce availability if researchers have to physically go somewhere to analyse the data each time. At the same time, the most convenient and popular tools are not always the most secure. So it is important to find the right balance.

The confidentiality of personal data is compromised when private information becomes known to unintended outsiders. For example, when leaving your workplace without locking your computer or office or working on a laptop or phone in a public place (public transport, café, park), nearby people may see files containing personal data. In particular, organisational measures can help prevent such problems. Malicious attacks aimed at stealing or leaking personal data are an even bigger threat. It is, therefore, a good idea to pseudonymise personal data to reduce the damage to people’s privacy caused by possible data leakage or theft.

Below, we have commented on some of the advice given in the European Data Protection Board’s Guidelines 4/2019 on Article 25 of the GDPR, “Data protection by design and by default”, and explained how to comply with them in the case of research.


3.1.1. Systematic management of information security

Systematic information security risk assessment and the implementation, monitoring and improvement of security measures are primarily carried out by the University of Tartu. The university is also responsible for ensuring that the information systems, tools and services provided to researchers are sufficiently secure to process personal data. A systematic approach also implies assessing and managing data protection risks (see also 2.14).

It is the researcher’s responsibility to be aware of information security risks, follow agreements and guidelines, and seek assistance when necessary. The university’s guidelines on cybersecurity may be helpful.

3.1.2. Needs-based access to personal data

Access rights management is one of the most common security measures a controller may implement. A prerequisite for restricting access is a clear overview of the researchers who need to process personal data for research purposes. It is important to ensure that those who do not need to process personal data cannot do so intentionally or unintentionally. If students are involved at any stage of the research, a confidentiality agreement must be concluded with them.

It may be necessary to retain log files to verify access rights, especially in the case of long-term research where large amounts of sensitive data are processed. It is also worth paying more attention to access rights if it is known that members of the research team will change more frequently than usual.
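One way to use retained log files to verify access rights, as an added illustration rather than anything from the university's guidelines: the roster, the log format (date, user, action, path) and all names and dates below are constructed assumptions. The review flags any access by someone not on the research team, or by a former member after they left.

```python
import re
from datetime import date

# Constructed roster: who may process the study data and for which period.
# A missing end date means the person is still on the team.
ROSTER = {
    "alice": (date(2023, 1, 1), None),
    "bob": (date(2023, 1, 1), date(2024, 3, 31)),   # left the project
    "carol": (date(2024, 4, 1), None),              # joined as replacement
}

# Constructed log lines in a hypothetical "date user action path" format.
LOG_LINES = """\
2024-03-15 alice read /study/interviews/p01.txt
2024-03-20 bob read /study/interviews/p02.txt
2024-04-10 bob read /study/interviews/p03.txt
2024-04-11 carol write /study/interviews/p03.txt
2024-04-12 dave read /study/interviews/p01.txt
""".splitlines()

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (\S+)$")


def review_access(lines, roster):
    """Return (line, reason) pairs for accesses the roster does not justify."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            # An unparseable line is itself worth a look during review.
            findings.append((line, "unparseable log line"))
            continue
        day = date.fromisoformat(m.group(1))
        user = m.group(2)
        if user not in roster:
            findings.append((line, f"{user} is not on the research team roster"))
            continue
        start, end = roster[user]
        if day < start or (end is not None and day > end):
            findings.append((line, f"{user} accessed data outside membership period"))
    return findings


if __name__ == "__main__":
    for line, reason in review_access(LOG_LINES, ROSTER):
        print(f"{reason}: {line}")
```

Running it reports Bob's access after his end date and Dave's access as someone not on the roster; the two earlier accesses are within the membership periods and pass.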

3.1.3. Secure transfer of data

If personal data need to be transferred to another researcher or research institution, it must be ensured that their integrity and confidentiality are not compromised in the process. For example, where possible, the transfer of a copy of personal data by email should be avoided if the recipient can be given access through the information system where the data are stored. If sending the data by email is the only possible solution, the data should be encrypted, or other measures should be taken to avoid the possibility that the data can be seen by anyone other than the addressee.

Transferring personal data on a memory stick or other external data carrier that could be lost is an example of a security risk. If this is nevertheless done, both the data carrier and the data file on it should be encrypted to ensure security.

3.1.4. Secure storage of data

When storing data, they must be protected against unauthorised modification and access. This depends on the opportunities available for the researcher and the tools used:

  • only the university’s work computer can be used to store personal data collected for the university’s research. This is usually a laptop the researcher takes to work, on business trips and home. A situation where unauthorised persons could access a work computer containing sensitive data must be avoided;
  • the university cannot be held responsible for data processing on the researcher’s personal computer. If data become public when a private computer is used (a data breach), the researcher is liable to the data subjects and the university, must remedy the situation for the data subjects and must report the breach to the Data Protection Inspectorate;
  • a device not connected to the network is more secure than a connected device because it is much more difficult to attack;
  • a single-user device is more secure than a multi-user device.

There are many other criteria to be taken into account for securely storing personal data, such as the sensitivity of the data, the amount of data, the availability of the data, the possibility of managing access, and the equipment and software used for processing.

3.1.5. Backing up data

Back-ups help ensure the integrity and availability of data if they are destroyed or significantly damaged by accident, malicious activity or negligence. The 3-2-1 rule is used in data management: data should be backed up in at least three copies, on at least two different data carriers or environments, one of which should be located elsewhere.

One of the three copies should be the working copy, where data can be modified, supplemented and deleted during the work. The second copy is necessary in case of damage to the working file, accidental deletion of important data or destruction of the working file. The third copy is a backed-up copy stored on another device or environment (cloud, etc.) and is not easily accessible. For example, it is good to store data not only on a work device but also on a university’s network drive, server or cloud environment. When using a cloud service, it is important to ensure that the university has a contract with that environment. Storing data on two data carriers helps ensure that if something happens to one (fire, flood, theft, etc.), the data will remain available on the other. In this case, it is important to assess the risks: for example, having a back-up in another room of the same building may not protect against fire.
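The 3-2-1 rule and the "same building" caveat above can be expressed as a small check on a back-up plan. This is an added example, not part of the guidelines; the Copy record, the plans and the building names are constructed assumptions, and a cloud copy is given its provider's region as its "building".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str
    medium: str      # data carrier or environment, e.g. "laptop-ssd", "cloud"
    building: str    # physical location; for cloud, the provider's region
    working: bool    # True for the copy edited day to day


def assess_3_2_1(copies):
    """Return the 3-2-1 rules a plan breaks; an empty list means compliant."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    if len({c.medium for c in copies}) < 2:
        problems.append("all copies share one medium, need at least 2 carriers")
    working = [c for c in copies if c.working]
    if len(working) != 1:
        problems.append("exactly one copy should be the working copy")
    else:
        # Another room of the same building does not count as 'elsewhere':
        # fire, flood or theft there would take both copies out together.
        offsite = [c for c in copies if c.building != working[0].building]
        if not offsite:
            problems.append("no copy is located outside the working copy's building")
    return problems


# Constructed plan: laptop, external disk and network drive all in one building.
PLAN_SAME_BUILDING = [
    Copy("laptop", "laptop-ssd", "building A", working=True),
    Copy("external disk", "external-hdd", "building A", working=False),
    Copy("department server", "network-drive", "building A", working=False),
]

# Constructed plan that adds a university-contracted cloud copy elsewhere.
PLAN_WITH_CLOUD = PLAN_SAME_BUILDING + [
    Copy("university cloud", "cloud", "provider region EU", working=False),
]

if __name__ == "__main__":
    for plan in (PLAN_SAME_BUILDING, PLAN_WITH_CLOUD):
        print(assess_3_2_1(plan) or ["3-2-1 satisfied"])
```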

At the same time, back-up must be well thought out, fit for purpose and in line with the data minimisation principle. Data cannot be duplicated just in case (without a clear purpose and need). For advice and assistance on backing up, contact arvutiabi@ut.ee.

Read more:

Chapter “Storage and back-up” of the guidelines on creating the data management plan by the University of Tartu Library

3.1.6. Awareness of the possibility of breaches

Breaches should be reported immediately to the senior specialist for data protection by email to andmekaitse@ut.ee (see also 3.5).

3.1.7. Appropriate services, software and tools for processing personal data

The tools used to process personal data must ensure the secure processing, confidentiality, availability and integrity of personal data, as well as the legal protection of the data subject. A distinction can therefore be made between tools based on whether the data are only accessible to the processor or also to the creator of the tool and the service provider, e.g. the owner of the survey environment, the repository administrator or the company licensing the software.

If the data move outside the university, the tool’s suitability for research purposes must be carefully assessed. For that, consult the data protection policy of the service provider or software owner. If the processing of data is not described in sufficient detail or the policy raises doubts, the service or software is probably not reliable.

In case of questions or doubts, consult the university’s chief information security officer. It is sometimes possible to mitigate legal and technical risks in a contract with the service provider, for example, by agreeing that data will only be stored on the university’s servers.

The services and software provided can work in three ways.

  • They do not transfer any personal data: such solutions are always more secure, as the data being processed remain only on one device or information system the researcher uses. For example, the software for qualitative data analysis usually stores interview transcripts on the researcher’s device and does not transfer the data anywhere. In this case, security depends on the researcher’s actions, including where and how the person stores the interview recordings, transcripts or parts of them. It should be noted that project files created by the software may contain personal data.
  • They transfer personal data within the research institution: an example of such a solution is a cloud service managed by the university or software licensed from a company that ensures that the data are only stored on the university’s systems. It is important to remember that the researcher must verify the solution’s security.
  • They transfer personal data outside the research institution: in this case, adequate security and legal protection must be ensured. Particular attention should be paid to solutions where personal data are automatically transferred outside the EU, for example, where all the data entered are stored on servers located in third countries (see 2). In such cases, an additional safeguard, such as a contract between the university and the service provider, is generally required. If the data are stored on a server in an EU member state, this offers adequate legal protection, but care must be taken to ensure that this is done securely.