Sensitive Data Storage

When working with sensitive data, special data security and protection measures must be taken to prevent unauthorised access, ensure confidentiality and comply with legal and regulatory requirements. Appropriate storage of sensitive data helps to protect both the privacy of research participants and the integrity of the research.

General principles for sensitive data storage

  • Safe storage: sensitive data is stored only on University-approved and secure systems that meet security and regulatory requirements. Where it is necessary to store data in physical format (including paper documents), store it in a secure location (e.g. in a locked cabinet with restricted access). Destroy unnecessary documents using secure destruction methods (shredders, etc.) and record this in a document destruction record
  • Avoiding local data storage: private computers, USB and unauthorised cloud systems are not suitable for storing sensitive data
  • Access control: Access to sensitive data should be restricted to authorised researchers. This applies to both physical and electronic data. For example, when using cloud services, the person(s) who will have access to the file can be selected. Always consider whether each member of the research team needs access to all folders containing files, or whether only individual documents and files are sufficient
  • Encryption: sensitive data must be stored in encrypted form using secure algorithms. Encryption protects data by converting it into an unreadable format. Encryption is usually already provided on the University’s secure servers and approved tools and platforms. If data requires additional protection, encryption of individual files or folders before upload can be used
  • Password protection: Where data is stored outside centralised systems, it must be encrypted and protected with secure, unique passwords
    Secure password requirements:
    • Sufficient length – at least 8 characters (12 or more are recommended)
    • Unique – don’t use the same password on multiple sites or devices
    • Complex – includes numbers, symbols, uppercase and lowercase letters
    • Non-personal information – avoid names of pets, family members, birth data, addresses or other easily guessed data
    Additional safety measures:
    • Activate two-factor authentication
    • Change your passwords regularly, especially if you suspect a security breach
  • Firewall and secure access: Activate the firewall on your device to help block unauthorised access attempts and protect your traffic. Check the status of your firewall regularly to make sure it’s working properly. Do not open suspicious email attachments or links that may compromise your device
  • Use of appropriate cloud solutions: Make sure any cloud services are GDPR compliant before using them. Use university-approved cloud solutions that ensure data protection (not, for example, your personal Google Drive or Dropbox)
  • VPN use: When working remotely, use the university VPN, which encrypts the data connection and protects sensitive data. Avoid public WiFi networks without VPN protection
  • Data minimisation: Keep only the data you need to achieve your research objectives and avoid making unnecessary copies.
  • Anonymisation or pseudonymisation: Anonymise or pseudonymise data to prevent the identification of individuals.
  • Safety audits: Carry out regular reviews of who has access to sensitive data and how, to prevent unauthorised access. Identify the person responsible for data storage.

What if I need a specific data processing tool for my research project, but I don't know if NIDA has been made for it?

Be sure to contact your university or institute's data protection officer, IT security officer or lawyer to find out whether the tool has already been used or assessed before. If necessary, a specialist will assess whether it is suitable for use with sensitive personal data and will help to design risk management within the specific project.
