Management and storage of research data
With the following steps you can store data (files) safely. Please request help with a low threshold from the Tampere University Research Data Services regarding processing of research data, from IT Helpdesk regarding information security or from the Data Protection Officer (via email dpo [at] tuni.fi) regarding data protection.
Steps to store your data safely
- 1
Define the data classes of your data
Find out what kind of data you have so that you can determine the data classes according to the guidelines at Data classification and handling. The data class of data affects its protection requirements. Protection requirements affect where and how data may be processed.
A scientific research plan and basic material, as well as information on technological or other development work, are confidential if it is university data or data from a commissioned study carried out by the university and access to the data by third parties could cause harm to the performance or utilisation of the research or development work, its evaluation, its researcher, or harm to its client. The information may also be confidential for other reasons.
If your material contains personal data, it should be processed and protected as required by personal data regulation. If your files contain information from people or about people, you are likely to process personal data. Anonymization of personal data is difficult and pseudonymized personal data is still personal data.
If your material contains data belonging to special categories of personal data referred to in Article 9 of the EU General Data Protection Regulation (GDPR) or data related to crimes or offences referred to in Article 10 of GDPR, the services and storage locations used must be suitable for them in terms of data security. Instructions can be found on the pages Data protection, Data protection in research, Processing personal data and Selecting storage location.
- ⚠️ If you have personal data, you must always carry out a data protection risk assessment of the processing, see the pages Data protection in research – general instructions and Data Protection Impact Assessment (DPIA).
- ⚠️ If you have material belonging to special categories of personal data or other data whose leakage into the wrong hands could potentially lead to more than minor damage, the processing must be subject to a thorough data protection impact assessment (DPIA), see the page Data Protection Impact Assessment (DPIA) for instructions on how to do so.
- 2
Select the storage location
Select the best storage location according to the guidance at Selecting storage place. Confidential research materials under the responsibility of the University may only be processed on the University's equipment and in the University's storage locations.
If you have special categories of personal data:
- Data may only be processed on a computer centrally maintained by IT Services.
- If a student needs to process special categories of personal data, the faculty must enter into an extended resource agreement for the student and request via IT Helpdesk a centrally managed computer (similar to that of the staff) for the student.
- 3
Encrypt the data
Encrypt your data with a special program at least when the confidentiality requires so. If you process material belonging to special categories of personal data, data must be always stored encrypted with a special software.
The best solution for encrypting and processing data using the storage locations provided by Tampere Universities' is software called Cryptomator, see instructions on the page Cryptomator encryption software.
However, for sending data encrypted, it is best to use either VeraCrypt or 7-Zip software, because they store the files into a one large, encrypted file. The instructions for VeraCrypt are on the page VeraCrypt encryption software and the instructions for 7-Zip are on the page Encrypting files.
The protection of all the mentioned software is strong enough for the storage of all types of personal data, including the special categories of personal data. All mentioned software is available to university staff's computers through our regular software distribution channels. If you cannot find the software for a Mac or Linux computer, contact IT Helpdesk. All mentioned software is free so that anyone can install it on their own computer from the internet with no charge.
Additional instructions:
- Handling encrypted files: Process (view, edit) files encrypted with an encryption program so that you always open the files directly from the virtual disk drive created by the encryption program. Also store any results that may have been generated during processing directly on that virtual disk drive. That is, do not copy files from the virtual disk drive to any other location for processing, as this will easily leave a copy of the files in an unencrypted place after processing. This is a principle that you may have to be flexible about in some special processing situation, but then those extra copies in unencrypted places must be removed as soon as possible and with care.
- Encrypting using a USB drive or stick:
- If you want to store especially sensitive data, such as the special categories of data specified in the Article 9 of the GDPR, on an ordinary external USB stick or disk, you will have to first encrypt the stick or disk on the file system level. On a Windows computer, it means encrypting the USB stick or disk with BitLocker, please find instructions below. For Mac computers, the respective instructions are available on Apple's web page. Only after that you can store especially sensitive data on the USB device encrypted with one of the afore mentioned programs. Note that a USB drive or stick encrypted in a Windows computer at the file system level only works in Windows. Macs have a similar situation.
- You can also request a USB disk from IT Helpdesk that automatically encrypts all content and runs on all operating systems. Especially sensitive data must be encrypted with an encryption program also when stored on such a disk.
- If the USB stick or disk needs to be delivered to another person, provide the password or code needed to open the disk to the recipient with a different method than the password you used in the encryption software: for example, one by text message and the other by encrypted e-mail. Tell the recipient from where to acquire and install the encryption software you have used or save the installation files and portable version of the encryption software to the disk for all required operating systems.
- Transferring encrypted data: Encrypted data, including special categories of personal data, can be transferred safely by packaging and encrypting them using VeraCrypt or 7-Zip as described above into a single file and sending that file by Funet FileSender. The password for opening the encryption must be sent by SMS to the recipient's personal phone number. In this way, you can transfer data safely to outside of our Universities or from a Windows machine to a Mac or vice versa.
Other services for storing data
Research Data Services
Research Data Services is the one-stop-shop for providing research data management services and tools for the staff and students at Tampere Universities. Our services involve the University Library’s data support, IT Services, research and innovation services, legal services, document management, and the Finnish Social Science Data Archive, which is a specialist in the management of research data. Via Research Data Services, you may reach experts specialised in, for example, research data protection and research ethics. Please see research data management guide.
Services of CSC
CSC offers Sensitive Data Desktop, which is a general tool for processing sensitive data remotely. CSC Secure Desktop is Linux-based and has limited software collection now.
CSC's service Fairdata IDA is a safe and easy-to-use storage for research datasets and metadata. IDA can be used with multiple interfaces. The data uploaded to the services is saved into projects and the users can be affiliated with multiple separate projects. Data uploaded to IDA is also checked for malware and backed up. You can log into IDA with your organizational account and after that apply for storage space. To continuously store data in IDA, the CSC project associated with the data needs to be kept active even when the data is published.
More info on CSC's services: docs.csc.fi, research.csc.fi, my.csc.fi.
Operating environments for Secondary Use of Health and Social Data
Increasingly, sensitive data can only be processed in the data provider’s own remote access environment. These include, for example, the Fiona service of Statistics Finland, Findata’s Kapseli service and the remote access environments of hospital districts. In these cases, the functionalities, and costs of using remote access platforms should be considered when planning research projects.
Termination of data processing
Often, the processing of different data is subject to conditions set by the donor of the material or due to regulation. For example, the storage period of data containing personal data is limited. On the other hand, due to the limitation of storage space, it is important to take care of either proper storage or destruction of the data at the end of active use. If you need support in planning the processing of the data, contact the Data Service: researchdata [at] tuni.fi (researchdata[at]tuni[dot]fi).
IT Helpdesk
0294 520 500
it-helpdesk [at] tuni.fi (it-helpdesk[at]tuni[dot]fi)
helpdesk.tuni.fi