Data management plan, physical security and encryption
When you do a project (or write a bachelor's or master's thesis), you must be consciously aware of how research data will be processed (such as anonymization/archiving/reuse/erasure). This applies both during the project and at the end of the project. How research data will be processed is to be laid out in a data management plan.
Projects with external financing increasingly require a data management plan. You are encouraged to use the Norwegian Centre for Research Data's (NSD's) template:
If you will be processing personal data in your project, see the Personal Data Management Guidelines for Research and Academic Work at MF, or go directly to the NSD website to notify them of your project.
Please note: As a rule, you cannot use private devices to store sensitive personal data, and processing such data requires extra security measures.
Lockable rooms, safes and cabinets can provide extra security for both laptops and other storage devices. Devices such as memory sticks, external hard disks and voice recorders are small and easily lost or damaged. Such devices should be locked up in secure storage at the end of each work day. If you are processing sensitive personal data or confidential data, encryption is recommended as an additional measure.
Encryption is in many cases the answer when processing sensitive personal data or confidential data.
Consider, preferably together with IT, what is to be protected and whether a Word document of the transcription protected with a good password is sufficient (Word 2016 uses AES-256, which is good). A good password for encryption is a sentence or similar, preferably more than 15 characters long.
If the material is collected (data set / multiple files) in such a way that an encrypted folder/disk/memory stick is necessary, we recommend VeraCrypt (https://www.veracrypt.fr/). See the separate instructions on using this (link forthcoming).
- With encryption, one must be careful to retain one's password. There is no password recovery. If the password is forgotten or lost, the data will also be lost.
- Using encryption has a big weakness: one must unlock the encryption in order to create and use information. When the data are unlocked, they are susceptible to information loss in the same way as when data are not encrypted. It is therefore of the utmost importance to show good discipline by turning the encryption back on again when one is not working with the information, even though it can be convenient to take shortcuts here.
- Experience indicates that most encryption schemes become weaker or breakable over time. It is therefore important to keep a good overview of back-up copies of the data even though they are encrypted, and to delete data in line with the data management plan (see the section on data management plans above).
Voice recorders, video cameras etc. often have limited data protection options. It is therefore important to delete recordings from the device as quickly as possible. Consider using a separate memory card etc. that also can be destroyed when the project is over. You can borrow a recorder from the IT department.
Cell phones and tablets are not recommended for recording sensitive data. Instead, borrow a dedicated recorder from the IT department at MF. We recommend this because, among other things, cell phones are easily misplaced and have continuous internet access, which can potentially lead to data leakage. If you use a cell phone as a recorder, use an app suited to that purpose, with encryption, in for example TSD (Services for Sensitive Data, University of Oslo, etc.).
If sensitive personal data or confidential data is stored in a cloud, it should be encrypted.
Even though transmission to the cloud may have built-in transport encryption (HTTPS), the storage will often be unencrypted and located outside Norway, and therefore outside our control. For employees, MF's agreement with Box applies; Box has legal clearance to store personal data (data management agreements in order etc.). Remember that if you are dealing with sensitive information, you need to conduct an SRA (see above) here as well to decide on the degree of encryption.
Data from research projects at MF are to be stored in secure archives – either locally at the institution or in national archives – or deleted, in accordance with what is laid out in the project's data management plan. Please contact the IT department for advice concerning how to store your data after project completion.
MF encourages an open science approach whereby both research results and data are made accessible to the degree that this is defensible and possible in view of research ethical and practical considerations, cf. Principles of Open Science at MF.