
Research Data Security FAQ



Research Data Security: Frequently Asked Questions 

  1. What is the risk level of my data?
  2. Is a password-protected laptop a secure place to store my data?
  3. How long can/should I keep my data?  
  4. What is encryption? When and how should I encrypt my data?
  5. What is cloud storage? Is it safe to store my data in the cloud? 
  6. Is it safe to store my data on mobile devices such as cell phones or USB keys? 
  7. What is the difference between wireless and wired internet connections? Is one safer? 
  8. What online survey software should I use?
  9. What is the best way to share data with my co-investigators at other institutions?

NOTE: Many of the answers to these questions will depend on the level of risk associated with the data you have collected. If you aren't sure about the risk level of your data, you can reach out to UWinnipeg's Research Data Management Librarian.

What is the risk level of my data? 

Generally speaking, the risk level of your data relates to the sensitivity of your data. Does your research data include personal information or personal health information?

As a general guide, non-sensitive (public) data are data that are freely disclosed to the public or would cause no harm if disclosed to unauthorized individuals (e.g., public research data). Internal data are data that may cause minor harm if disclosed to unauthorized individuals (e.g., pseudonymized research subject information). Sensitive data are data that may cause moderate harm if disclosed to unauthorized individuals (e.g., research subject personal information such as name, contact information and other personal identifiers). Highly sensitive data are data that would cause considerable harm if disclosed to unauthorized individuals (e.g., highly sensitive research subject information such as personal health information, biometric identifiers, sexual orientation, etc.). If you aren't sure about the risk level of your data, you can reach out to UWinnipeg's Research Data Management Librarian.

Password protected laptops, are they secure enough?

One of the most common ways of collecting and storing data is through the use of a password-protected laptop. While this method might be secure enough for non-sensitive (public) data or internal data, it is not secure enough for sensitive or highly sensitive data.  If the data being collected is sensitive or highly sensitive, additional steps should be taken to protect it including storing the data on a password-protected and encrypted desktop in a locked office, storing the data on a password-protected server and so on.

In some cases, storing data on a portable storage device is a good option to add a level of protection. Some portable storage devices, like USB keys, are not connected to the Internet and as such they are less prone to remote access without permission. However, these small devices may be more easily lost or stolen.

Even if you are collecting non-sensitive data, there are ways to make storage on a password-protected laptop safer. For example, encrypt your hard drive, use anti-virus software and anti-malware regularly, update your computer as soon as updates are available, and avoid common situations where your laptop may get stolen such as leaving it in a vehicle or public place unattended. Perhaps most importantly, regularly back up and secure your data.  

Windows has a free utility to encrypt your hard drive called BitLocker, though it is only available for Windows Pro edition. However, Windows Home edition can still read BitLocker encrypted drives.

All Macs have drive encryption but it must be enabled. 

How long can/should I keep my data?

The short answer? It depends on your data! But here are some things to look out for:

  1. Researchers need to find a balance between the risks and benefits of retaining or deleting their data, paying special attention to how identifiable or risky the data is. 
  2. Researchers need a plan to manage their data securely on an ongoing basis. Ask yourself, what is my data management plan if I move on from this institution, this field, or this career?
  3. It is not inevitable that you will have to delete your data. If you have a good reason to keep your data, and a robust data management plan that describes your plans for how you will steward the data in the future, it is possible but uncommon to keep it indefinitely.
  4. Pay attention to where you are in the world! Canada’s TCPS 2 sets no specific minimum or maximum periods for retaining data, explaining that “appropriate data retention periods vary depending on the research discipline, research purpose and the kind of data involved.” (1) The UK’s Data Protection Act stipulates that non-research related “personal data must be kept for no longer than is necessary for the purpose for which it is processed” though research related data "may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes...". (2)
  5. Finally, data retention provisions included in any university research grant agreements will take precedence.

What is encryption? When and how should I encrypt my data?

Encryption is a method of encoding your data so that only you, or someone you authorize, can access it. Canada's TCPS 2 states that “in general, identifiable data obtained through research that is kept on a computer and connected to the Internet should be encrypted.” (3) There are a couple of different methods of encrypting your data and they both have pros and cons: 

Encrypting Individual Files

Pros: Encrypting only select files such as those that are research related, or those that contain identifying information, keeps your data safe without any extra complications.

Cons: If someone had access to the computer where your data is stored they could break into it and view any non-encrypted files. You also have to remember to individually encrypt each new file you create. 

Encrypting Your Drive

Pros: Encrypting your entire drive prevents anyone from accessing any of your data without your authorization. Encrypting your whole device is also more convenient and less prone to error as all files are encrypted automatically. 

Cons: If you experience any corruption on your drive, it may be more difficult or even impossible to retrieve that data.

Methods to Try

To encrypt your whole drive, or individual files, try VeraCrypt (Windows/Linux/OS) or GNU Privacy Guard (Windows/Linux/OS). To encrypt and compress files you are going to be sending over the internet, try 7-Zip. UWinnipeg's Information Privacy Office provides more guidance on password protection and encryption here.

NOTE: When data requires encryption it can be easy to make the mistake of encrypting some copies of your data but not others. Be sure to encrypt all copies of your data; this includes backups and data stored on mobile devices such as cell phones.
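One way to check for the mistake described in the note above, as an added example that is not part of the original FAQ: the script walks every location where copies live and lists datasets that are encrypted in one place but still sitting in plaintext in another. The folder names, file names and the suffix-based test for "encrypted" are assumptions made for illustration.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumption: an encrypted copy is recognisable by its suffix (GnuPG output, or
# a 7-Zip archive). A .7z created without a password would be miscounted as
# encrypted, so archive settings still need to be confirmed separately.
ENCRYPTED_SUFFIXES = {".gpg", ".pgp", ".asc", ".7z"}

# Constructed sample layout: one dataset is encrypted on the laptop but left in
# plaintext in the backup and in the phone sync folder.
SAMPLE_FILES = ["laptop/interviews.csv.gpg", "backup/interviews.csv",
                "phone_sync/interviews.csv", "laptop/consent_forms.7z",
                "backup/consent_forms.7z", "laptop/notes.txt"]


def dataset_key(name):
    """interviews.csv, interviews.csv.gpg and interviews.7z all map to 'interviews'."""
    p = Path(name.lower())
    if p.suffix in ENCRYPTED_SUFFIXES:
        p = p.with_suffix("")
    return p.with_suffix("").name


def partially_encrypted(roots):
    """Return {dataset: [plaintext paths]} for datasets that also have an encrypted copy."""
    copies = defaultdict(lambda: {"encrypted": [], "plaintext": []})
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                kind = "encrypted" if path.suffix.lower() in ENCRYPTED_SUFFIXES else "plaintext"
                copies[dataset_key(name)][kind].append(path)
    return {k: sorted(v["plaintext"]) for k, v in copies.items()
            if v["encrypted"] and v["plaintext"]}


def demo():
    """Build the constructed layout in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        for rel in SAMPLE_FILES:
            path = Path(base) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample content")
        roots = [Path(base) / d for d in ("laptop", "backup", "phone_sync")]
        found = partially_encrypted(roots)
        return {k: [p.relative_to(base).as_posix() for p in v] for k, v in found.items()}


if __name__ == "__main__":
    print(demo())
```

Matching is by file name only, so a plaintext copy that has been renamed will not be reported.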

What are cloud services? Is it safe to store, transfer or share my data using the cloud? 

Cloud services store and share data by keeping it on remote servers accessed from the internet. Cloud services can be public or private. While any use of cloud services comes with some inherent risk, the risks for public and private servers are different. Some main differences include server location, server control, and attack surface. With public cloud storage, data is stored in servers that could be anywhere in the world, and thus subject to that country’s laws. With private cloud services your data is stored in local servers. Private companies control public cloud services and the data that is stored there. Access to data stored in private cloud services such as NextCloud is controlled by UWinnipeg. Finally, public cloud services have sprawling infrastructure with many different points where an unauthorized user could attempt to extract data; in some cases private services are less open to such attacks. Whether and what cloud services you can use will depend on the risk level of your data. 

Public Cloud Services 

Examples: Google Drive, Dropbox, iCloud and OneDrive

If you must use these services, use them for only the lowest risk data.

Private UWinnipeg Endorsed Cloud Services 

Examples: NextCloud, OwnCloud 

While these services are more secure than public cloud storage services they are by no means completely secure. Data should be de-identified before it is uploaded to any of these services and high-risk data should never be stored in the cloud.

Recommendation: To increase protection for NextCloud accounts, UWinnipeg's TSC recommends using Two-factor Authentication.

Is it safe to store my data on portable storage devices such as cell phones or USB keys? 

The answer to this question is different depending on whether we are talking about a portable storage device that has an internet connection, such as a cell phone, or a device that does not have an internet connection, such as a USB key. 

For internet-connected portable storage devices:  

Pros: Collecting data on an internet connected portable storage device such as a cell phone can be a good choice because the technology is ubiquitous, familiar and convenient, it is fast, accurate and portable, and requires low power at a relatively low cost to the researcher. (4) 

Cons: When data is stored on portable storage devices “it can potentially be stolen or improperly accessed – the same holds true during data transmission.” (5) However, “the use of encryption at both the device level and during transmission can greatly mitigate such risks.” (6) That said, smart portable devices such as Google or Apple phones or laptops are often set by default to back up all data to their cloud system. This means that sensitive data could be inadvertently made available to Google, Apple or a third-party backup provider. 

For non-connected portable storage devices:  

Pros: Non-connected portable storage devices do not have the same vulnerabilities as internet-connected portable storage devices, while still providing storage and data transfer options. 

Cons:  Given that they are not connected to the Internet, data transfer can be less convenient. Additionally, some portable storage devices are easily corruptible and not built for long-term storage, for example inexpensive flash drives.

What is the best way to share data with my co-investigators at other institutions?

Before you share any data collected from human participants in any way, the key is to render that data as low risk as possible, for instance, by de-identifying it. Ideally, those collecting the research would remove all identifying personal information before the data was shared with research partners at other institutions.   

Use the following as general guidance, though always select a method of communicating your data that is consistent with its risk level:

Non-sensitive (public) data: Share data using UWinnipeg email and cloud services, including free personal cloud services (Google Drive, Dropbox, iCloud, OneDrive, etc.).

Internal or sensitive data: Share encrypted and password-protected files via UWinnipeg email and UWinnipeg approved cloud services.

Highly sensitive data: Share data hand to hand on a password-protected and encrypted data storage device. Maintaining ethical high-risk data transfer between institutions may require individualized strategies. Contact UWinnipeg's Research Data Management Librarian for more information. 

What online survey software should I use? 

Qualtrics is web-based research survey software that offers many advanced, but user-friendly, features. Qualtrics enables users to do surveys, get feedback, and conduct polls using a variety of distribution means. Qualtrics is cloud-based software and has proven to be a versatile resource for our researchers. The company migrated the servers available to University of Winnipeg researchers to Canadian sites to enhance data security. (7) Other survey services should be avoided, particularly those located in the USA like SurveyMonkey.

What is the difference between wireless and wired internet connections? Is one safer?  

When it comes to connectivity, computers at UWinnipeg fall into 3 categories: computers that connect to the Internet wirelessly, computers that connect via wired networks and computers with no internet connection at all. These three different kinds of computers also represent three different levels of data security. Wireless connections are the least secure. Wired network access is more secure than wireless. Finally, using a computer that is not connected to the internet is the most secure way to store your data. 

Notes  

  1. "Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS 2)," Government of Canada Interagency Advisory Panel on Research Ethics, Accessed April 13, 2020, https://ethics.gc.ca/eng/documents/tcps2-2018-en-interactive-final.pdf.
  2. "Principle (e): Storage limitation," Information Commissioner's Office, Accessed April 30, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/storage-limitation/.
  3. "Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS 2)," Government of Canada Interagency Advisory Panel on Research Ethics, Accessed April 13, 2020, https://ethics.gc.ca/eng/documents/tcps2-2018-en-interactive-final.pdf.
  4. Trucano, Michael. "Using mobile phones in data collection: Opportunities, issues and challenges," Edutech. April 18, 2014, Accessed April 13, 2020, https://blogs.worldbank.org/edutech/using-mobile-phones-data-collection-opportunities-issues-and-challenges.
  5. Ibid.
  6. Ibid.
  7. "Research Support Fund: Accountability and Public Acknowledgement," University of Winnipeg Research Office, Accessed April 13, 2020, https://www.uwinnipeg.ca/research/research-support-fund.html.

Works Cited

"Principle (e): Storage limitation," Information Commissioner's Office, Accessed April 30, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/storage-limitation/.

"Research Support Fund: Accountability and Public Acknowledgement," University of Winnipeg Research Office, Accessed April 13, 2020, https://www.uwinnipeg.ca/research/research-support-fund.html.

"Retaining personal data (Principle 5)," Information Commissioner’s Office, Accessed April 13, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/principle-5-retention/.

"Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS 2)," Government of Canada Interagency Advisory Panel on Research Ethics, Accessed April 13, 2020, https://ethics.gc.ca/eng/documents/tcps2-2018-en-interactive-final.pdf.

Trucano, Michael. "Using mobile phones in data collection: Opportunities, issues and challenges," Edutech. April 18, 2014, Accessed April 13, 2020, https://blogs.worldbank.org/edutech/using-mobile-phones-data-collection-opportunities-issues-and-challenges.

Adapted with permission from Chandra Kavanaugh.