Research Data Storage & Security

Generally speaking, the risk level of your data relates to the sensitivity of your data.

Low Risk:

• Publicly available data where there is no reasonable expectation of privacy, regardless of sensitivity or identifiability.
• Data collected with no information that could reasonably identify individuals or groups.
• Data contains no confidential, private, or sensitive information.
• Data subjects are not vulnerable in the context of the research and would not be harmed if a breach were to occur.

Medium Risk:

• All identifiers collected have been stripped so that data has no information that could reasonably identify individuals or groups.
• Data may contain information originally collected as confidential, private or sensitive.
• Data subjects are not vulnerable in the context of the research and would not be harmed if a breach were to occur.

High Risk:

• Identifiers remain and/or (re)-identification is possible or probable.
• Data contains confidential, private or sensitive information.
• Data subjects may be vulnerable in the context of the research and may be harmed if a breach were to occur.

Extreme Risk:

• Data acquired through an agreement (formal or informal) with a custodian, barring further use or retention.
• Identifiers remain and/or (re)-identification is possible or probable.
• Data contains confidential, private or sensitive information.
• Data subjects are vulnerable in the context of the research and would be harmed if a breach were to occur.

For more information, see the Sensitive Data Toolkit for Researchers Part 2: Human Participant Research Data Risk Matrix by the Portage Network Sensitive Data Expert Group.

If you aren't sure about the risk level of your data, you can reach out to UWinnipeg's Research Data Management Librarian.

Collecting and storing data on a password-protected laptop is usually secure for low and medium risk data but it is NOT secure for high or extremely high risk data. If the data being collected is high or extreme risk, store the data on a password-protected and encrypted desktop (as they are less portable and more difficult to steal) in a locked office and/or on a password-protected server, etc.

For added security, encrypt your hard drive, use anti-virus software and anti-malware regularly, update your computer as soon as updates are available, and avoid common situations where your laptop may get stolen such as leaving it in a vehicle or public place unattended. Perhaps most importantly, regularly back up and secure your data.

Even for low risk data, it is best to take steps to secure your data to reduce the risk of having to redo work if your data is accidentally deleted or your laptop or portable hard drive gets lost or stolen.

Windows has a free utility to encrypt your hard drive called BitLocker, though is only available for Windows Pro edition. However, Windows Home edition can still read BitLocker encrypted drives.

All Macs have drive encryption but it must be enabled.

It depends on your discipline, and the type and purpose of your data as well as the requirements of your publisher or grant, but here are some things to consider:

• Find a balance between the risks and benefits of retaining or deleting your data, paying special attention to how identifiable or risky the data is.
• Plan to manage your data securely on an ongoing basis. What is your data management plan if you move on from this institution, this field, or this career?
• It is not inevitable that you will have to delete your data. If you have a good reason to keep your data, and a robust data management plan that describes your plans for how you will steward the data in the future, it is possible but uncommon to keep it indefinitely.

Encryption is a method of encoding your data so that only you, or someone you authorize, can access it. As a general rule, identifiable data obtained through research that is kept on a computer and connected to the Internet should be encrypted. There are a couple of different methods of encrypting your data and they both have benefits and disadvantages:

Encrypting Individual Files

Pros: Encrypting only select files such as those that are research related, or those that contain identifying information, keeps your data safe without any extra complications.

Cons: If someone had access to the computer where your data is stored they could break into it and view any non-encrypted files. You also have to remember to individually encrypt each new file you create.

Encrypting Your Drive

Pros: Encrypting your entire drive protects from anyone to accessing any of your data without your authorization. Encrypting your whole device is also more convenient and less prone to error as all files are encrypted automatically.

Cons: If you experience any corruption on your drive, it may be more difficult or even impossible to retrieve that data.

Methods to Try

To encrypt your whole drive, or individual files, try VeraCrypt (Windows/Linux/OS) or GNU PrivacyGuard (Windows/Linux/OS). Programs such as MC Office and Adobe also offer file-level encryption. These programs are recommended when there are few files to encrypt. To encrypt and compress files you are going to be sending over the internet try 7-Zip. UWinnipeg's Information Privacy Office provides more guidance on password protection and encryption.

NOTE: When data requires encryption is can be easy to make the mistake of encrypting some copies of your data but not others. Be sure to encrypt all copies of your data, this includes backups and data stored on mobile devices such as cell phones.

Cloud services store and share data by keeping it on remote servers accessed from the internet. Cloud services can be public or private. While any use of cloud services comes with some inherent risk, the risks for public and private servers are different. Some main differences include server location, server control, and attack surface. With public cloud storage, data is stored in servers that could be anywhere in the world, and thus subject to that country’s laws. With private cloud services your data is stored in local servers. Private companies control public cloud services and the data that is stored there. Access to data stored in private cloud services such as NextCloud is controlled by UWinnipeg. Finally, public cloud services have sprawling infrastructure with many different points where an unauthorized user could attempt to extract data, in some cases private services are less open to such attacks. Whether and what cloud services you can use will depend on the risk level of your data.

Private UWinnipeg Endorsed Cloud Services

Examples: NextCloud

While these services are more secure than public cloud storage services they are by no means completely secure. Data should be de-identified before it is uploaded to any of these services and high-risk data should never be stored in the cloud.

Recommendation: To increase protection for NextCloud accounts, UWinnipeg's TSC recommends using Two-factor Authentication.

Public Cloud Services

Examples: GoogleDrive, DropBox, iCloud and Onedrive

If you must use these services, use them for only the lowest risk data.

The answer to this question is different depending on whether we are talking about a portable storage device that has an internet connection, such as a cell phone, or a device that does not have an internet connection, such as a USB key.

For internet-connected portable storage devices (e.g. smart phone):

Pros: Collecting data on an internet connected portable storage device such as a cell phone can be a good choice because the technology is ubiquitous, familiar, convenient, fast, accurate, portable, and requires low power at a relatively low cost to the researcher.

Cons: Data stored on or transferred from portable storage devices increases the risk of it being stolen or improperly accessed. However, encrypting the device and files reduces the risk of a data breach. Smart portable devices such as Google or Apple phones or laptops are often defaulted to backup all data to their cloud system potentially making sensitive data inadvertently available to Google, Apple or a 3rd party backup provider.

See UWinnipeg's Information Privacy resources on Protecting Personal Information on Mobile Devices

For non-connected portable storage devices (e.g. USB key):

Pros: Non-connected portable storage devices do not have the same vulnerabilities as internet-connected portable storage devices, while still providing storage and data transfer options.

Cons: Data transfer can be less convenient. Some portable storage devices are easily corruptible and not built for long-term storage, for example inexpensive flash drives. Such devices are often small and easy to lose or break.

Qualtrics is web-based, research survey software that offers many advanced, but user-friendly, features. Qualtrics enables users to do surveys, get feedback, and conduct polls using a variety of distribution means. Qualtrics is cloud-based software and has proven to be a versatile resource for our researchers. The company migrated the servers available to University of Winnipeg researchers to Canadian sites to enhance data security. Other survey services should be avoided particularly those located in the USA like SurveyMonkey.

Before you share any data collected from human participants in any way, the key is to render that data as low risk as possible, for instance, by de-identifying it. Ideally, those collecting the research would remove all identifying personal information before the data was shared with research partners at other institutions.

Use the following as general guidance, though always select a method of communicating your data that is consistent with its risk level:

• Low risk data: Share data using UWinnipeg email and cloud services including free personal cloud services (Google Drive, DropBox, iCloud, Onedrive etc.)
• Medium and High risk data: Share encrypted and password-protected files via UWinnipeg email and UWinnipeg approved cloud services.
• Extreme risk data: Share data hand to hand on a password-protected and encrypted data storage device. Maintaining ethical high-risk data transfer between institutions may require individualized strategies. Contact UWinnipeg's Research Data Management Librarian for more information.

When it comes to connectivity, computers at UWinnipeg fall into 3 categories: computers that connect to the Internet wirelessly, computers that connect via wired networks and computers with no internet connection at all. These three different kinds of computers also represent three different levels of data security. Wireless connections are the least secure. Wired network access is more secure than wireless. Finally, using a computer that is not connected to the internet is the most secure way to store your data.