Manage, Store & Preserve
Manage data
The management of data encompasses ensuring the security of data which requires paying attention to physical security, network security, plus the security of computer systems and files to prevent unauthorised access or unwanted changes to data, disclosure or destruction of data. UK Data Service
Managing personal data
MANTRA - Stephen Lawrie - Anonymisation of clinical data
10 June 2014
Data that contain personal information should be treated with higher levels of security. UK Data Service
Personal data can be stored in digital files, or can exist in non-digital format e.g. signed consent forms, or interview cover sheets containing names, addresses and signatures. UK Data Service
Anonymisation
Anonymisation is about preserving the privacy of participants. It is a valuable tool that allows data to be shared, whilst preserving privacy. The process of anonymising data requires that identifiers are changed in some way, such as being removed, substituted, distorted, generalised or aggregated. UK Data Service
Balancing anonymisation with keeping data useful
Removing key variables, applying pseudonyms, generalising and removing contextual information from textual files and blurring image or video data could result in important details being missed or incorrect inferences being made. UK Data Service
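The process described above, as an added example that is not part of the UK Data Service or MANTRA material: a small Python script that takes a constructed survey extract and applies the four techniques the text names (removing direct identifiers, substituting keyed pseudonyms, generalising age and income into bands, and truncating postcodes to the outward code), while writing the name-to-pseudonym key as a separate table so it can be stored apart from the survey file. Column names, the sample rows and the pseudonym key are assumptions for the demonstration.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample survey extract; these are not real participants.
RAW_CSV = """participant_id,name,postcode,age,income,diagnosis
P001,Alice Example,EH8 9YL,34,31000,asthma
P002,Bob Sample,EH1 2AB,67,52000,diabetes
P003,Carol Test,G12 8QQ,29,18500,asthma
"""

# Secret used to derive pseudonyms (assumed value for the demo). Keep it with
# the identifying key file, never alongside the anonymised survey data.
PSEUDONYM_KEY = b"constructed-demo-key-store-separately"


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: consistent across files, but not reversible without the key.
    A plain hash would be weak here because participant IDs form a tiny space."""
    tag = hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()
    return "R" + tag[:10]


def age_band(age: int) -> str:
    """Generalise an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def income_band(income: int) -> str:
    """Generalise income to 10,000 bands, top-coded at 50,000 and above."""
    if income >= 50000:
        return "50000+"
    lo = (income // 10000) * 10000
    return f"{lo}-{lo + 9999}"


def outward_code(postcode: str) -> str:
    """Keep only the outward part of a UK postcode ('EH8 9YL' -> 'EH8');
    the inward part narrows location to a handful of addresses."""
    return postcode.split()[0]


def anonymise(raw_csv: str, key: bytes = PSEUDONYM_KEY):
    """Return (anonymised_rows, key_rows). key_rows maps pseudonym back to the
    participant and is the part to store separately under tighter controls."""
    reader = csv.DictReader(io.StringIO(raw_csv))
    anon, keyfile = [], []
    for row in reader:
        pid = pseudonymise(row["participant_id"], key)
        keyfile.append({"pseudonym": pid,
                        "participant_id": row["participant_id"],
                        "name": row["name"]})
        anon.append({
            "pseudonym": pid,                       # substituted identifier
            "area": outward_code(row["postcode"]),  # contextual detail reduced
            "age_band": age_band(int(row["age"])),  # generalised
            "income_band": income_band(int(row["income"])),
            "diagnosis": row["diagnosis"],          # analytic variable kept
        })
        # "name" and the full postcode are removed entirely from the survey file.
    return anon, keyfile


def to_csv(rows) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    anon_rows, key_rows = anonymise(RAW_CSV)
    print("anonymised survey file:\n" + to_csv(anon_rows))
    print("key file (store separately):\n" + to_csv(key_rows))
```

The banding functions are where the utility trade-off the text describes lives: coarser bands lower disclosure risk but also remove the detail an analyst may need, so the band widths should be chosen with the intended analysis in mind rather than fixed once for every dataset.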
MANTRA - Lynn Jamieson - Written consent
10 June 2014
Managing data security
MANTRA - John MacInnes - Data security
4 May 2012
Authorisation & Authentication
Authentication and authorization are two vital information security processes that administrators use to protect systems and information.
Authentication verifies the identity of a user or service, and authorization determines their access rights. Although the two terms sound alike, they play separate but equally essential roles in securing applications and data. Understanding the difference is crucial. Combined, they determine the security of a system. You cannot have a secure solution unless you have configured both authentication and authorization correctly.
Data security
Ensuring the security of data requires paying attention to physical security, network security, plus the security of computer systems and files to prevent unauthorised access or unwanted changes to data, disclosure or the destruction of data. UK Data Service
Physical data security
Physical data security includes:
Controlling access to rooms and buildings where data, computers or media are held. UK Data Service
Logging the removal of, and access to, media or hardcopy material in storerooms. UK Data Service
Transporting sensitive data only under exceptional circumstances, even for repair purposes. For example, giving a failed hard drive containing sensitive data to a computer manufacturer may breach security. UK Data Service
Digital data security & access control
Regulating access to data
Sensitive and confidential data can be safeguarded by regulating or restricting access to, and use of, the data. Access controls should always be proportionate to the kind of data and level of confidentiality involved.
When regulating access, consider the following:
Who would be able to access your data?
What might they be able to do with it?
Are any specific use restrictions required?
How long do you want the data to be available?
Data security risks
Data security arrangements need to be proportionate to the nature of the data and the risks involved. Attention to security is also important when data files are to be destroyed. UK Data Service
Open data, sensitive data & controlled data
The UK Data Service refers to three levels/tiers of access for data:
Open data: for data that contain no personal or disclosive information. Open data are licensed under an open license (e.g. a Creative Commons License)
Safeguarded data: for data that contain no personal information but are considered to carry a residual risk of disclosure. Safeguarded data are licensed under the end-user license conditions. Users agree to certain conditions, such as not disseminating any identifying or confidential information on individuals, households or organisations, and not using the data to attempt to obtain information relating specifically to an identifiable individual. Safeguarded data may have additional conditions, such as requiring data owner permission or prohibiting commercial use.
Controlled data: for data that may be disclosive. Controlled data are only available to users who have been approved or authenticated by the relevant data management administrators. The UK Data Service applies the Five Safes principles.
Separate data content according to security needs, e.g. store participant names and addresses separately from survey files.
Five Safes framework
For safe use of controlled data, the UK Data Service uses the Five Safes framework, which is a set of principles adopted by a range of secure labs, including the Office for National Statistics.
The five simple protocols:
safe data
safe projects
safe people
safe settings
safe outputs
The 5 Safes of secure access to confidential data. UK Data Service
16 September 2016
MANTRA - Ellie Bates - Dealing with sensitive data
7 April 2014
MANTRA - Ellie Bates - Challenges in working with spatial data
20 November 2013
MANTRA - Ellie Bates - Working with data at different scales and different resolutions
4 May 2012
Store & Preserve data
Keep your digital data safe, secure and recoverable
Ensuring your data are safe is crucial to any research project. A good storage and backup strategy will help prevent potential data loss. UK Data Service
Network security
Network security means:
Not storing confidential data, such as those containing personal information on servers or computers connected to an external network, particularly servers that host internet services. UK Data Service
Security of computer systems
Security of computer systems and files may include:
Firewalls
Password protection
Encryption
Non-disclosure agreements
Cloud Storage
Backup
Destroying data
Firewalls & data security
Locking computer systems with a password and installing a firewall; applying firewall protection and security-related upgrades and patches to operating systems to protect against viruses, trojans and other malicious code. UK Data Service
Password protection & data security
Implementing password protection of, and controlled access to, individual data files, for example, allocating ‘no access’, ‘read only’, ‘read and write’ or ‘administrator only’ permissions. UK Data Service
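One way to apply and then check the file-level access control described above on a POSIX system, as an added example rather than UK Data Service guidance: the Python script maps the ‘no access’, ‘read only’ and ‘read and write’ levels onto owner-only permission bits and audits a directory for data files that anyone other than the owner can read or write. The file names, modes and the temporary directory are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Owner-only permission bits for the access levels named in the text.
# Note that "no access" (0o000) keeps group members and other users out; the
# owner (and root) can still chmod the file back, so it is not a lock-out.
ACCESS_MODES = {
    "no access": 0o000,
    "read only": 0o400,
    "read and write": 0o600,
}


def set_access(path: str, level: str) -> None:
    """Apply one of the named access levels to a single data file."""
    os.chmod(path, ACCESS_MODES[level])


def audit_permissions(root: str) -> list:
    """Walk a directory tree and return (relative path, problem) pairs for every
    file whose group or 'other' permission bits allow reading or writing."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            problems = []
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                problems.append("readable by group/others")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append("writable by group/others")
            if problems:
                findings.append((os.path.relpath(path, root), "; ".join(problems)))
    return sorted(findings)


def demo() -> list:
    """Create four constructed sample files with different modes and audit them."""
    with tempfile.TemporaryDirectory() as d:
        samples = [
            ("private.csv", "read and write"),   # owner only: fine
            ("locked.csv", "no access"),         # nobody but a chmod away: fine
            ("shared_readonly.csv", None),       # left at 0o644: flagged
            ("world_writable.csv", None),        # set to 0o666: flagged twice
        ]
        for name, level in samples:
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write("constructed sample data\n")
            if level is not None:
                set_access(path, level)
            elif name == "shared_readonly.csv":
                os.chmod(path, 0o644)
            else:
                os.chmod(path, 0o666)
        return audit_permissions(d)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

Running the audit over a project's data directory before sharing a machine or handing over a backup is a cheap check that the permissions set up at the start of a project have not drifted; it inspects mode bits only, so it works the same whether the user running it is the file owner or an administrator.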
Encryption & data security
Encryption can be used for safely storing and sending files. UK Data Service
Security can be made easier by:
Encrypting data containing personal information before these are stored or transmitted. UK Data Service
Why is encryption important?
Encryption is the process of encoding digital information in such a way that only authorised parties can view it.
Individual files can be encrypted, as can folders or entire disk volumes and USB storage devices. Encryption software uses an algorithm to encode information and a decryption key or password to decrypt the information.
Some types of encryption provide greater protection than others, the type and level of encryption used should correspond to the sensitivity of the data being protected.
As a general rule, more bits means stronger encryption; 256-bit encryption is therefore stronger than 128-bit encryption, and 128-bit should ideally be the minimum level of encryption used.
In addition to securing data, encryption can also be used to verify the sender’s identity and the integrity of the data.
Not sending personal or confidential data via email; such data should be encrypted and sent by a secure means instead. UK Data Service
MANTRA - Ellie Bates - What to consider when dealing with sensitive data encryption
7 April 2014
Non-disclosure agreements & data security
Imposing non-disclosure agreements for managers or those that have access to confidential data. UK Data Service
Cloud security & data security
Cloud-based storage, such as Google Drive, Dropbox, OneDrive, iCloud or YouSendIt, is easy to use, but not necessarily permanent or secure, and therefore may not be suitable for confidential data. UK Data Service
Cloud data storage should not be used for high-risk information, such as files that contain personal or sensitive information or that have a very high intellectual property or commercial value. While file encryption safeguards data files to a certain degree, it does not negate the requirements of the DPA. UK Data Service
Backups & data security
The form of backup procedure required for a project will depend on local circumstances, the perceived value of the data and the levels of risk of losing data you are prepared to take. Carrying out an informal risk analysis can provide a good indication of backup needs.
Regular backups protect against accidental or malicious data loss and this procedure can be easily automated.
Making backups of files is an essential element of research data management which ensures that original data files can be restored from backup copies, should they get damaged or go missing.
Regular backups help protect against accidental or malicious data loss due to:
human error
hardware failure
software or media faults
virus infection or malicious hacking
power failure
Questions that should be asked:
Is there any backup provision already in place? Find out what backup plans the Department and/or Library follows
Which systems to back up? Develop a strategy for all systems where data are held, including portable computers and devices, non-network computers and home-based computers. It will be important to identify which information on these systems should be backed up. This could be all, some or just the parts that have changed. If your institution does not provide any system backup, you may need to take full responsibility for all your own backups.
What file formats to use? Backups of master copies should ideally be in file formats that are suitable for long-term digital preservation, i.e. open or standard formats as opposed to proprietary ones.
How often should I back up my data? Consider how often changes are made to the data. Consider backing up after each change to a data file or at regular intervals, such as daily or weekly.
How many copies should be made? Most back-up policies would recommend having at least three copies of the data, with at least one being stored offsite.
Where should I store my backups? Depending on the form of backup and the risks associated with data loss, it is most convenient to keep backup files on a networked hard drive. For critical data, not available elsewhere, we would recommend that you also adopt offline storage on optical media, removable hard drives or magnetic tapes. Never rely on pen drives for backup media. Backups that contain personal data require encryption and should be stored securely.
How should I organise my backups? Make sure data are well-labelled, indicating the content and date/time, and well-organised. Without some management, achieving the ultimate aim of restoring lost data may prove difficult.
Are there any tools I can use to help with backing up? It is good to use an automated backup process to back up frequently used and critical data files. Windows and MacOS both have backup tools built-in, File History and Time Machine respectively, which make backing up easy and as simple as a few clicks.
How about backing up personal data? Where data contain personal information, care must be taken to create only the minimal number of copies needed, for example, a master file and one backup copy, which is encrypted and securely stored. Otherwise, there could be a proliferation of data files containing personal information, which will be harder to securely destroy at the end of a project.
How can I verify and validate backup files? It is important that you verify and validate backup files regularly by fully restoring them to another location and comparing them with the original. Backup copies can be checked for completeness and integrity, for example by checking the file size, date and MD5 checksum value. It is also worth considering how long the backed-up data should be retained and whether any data retention policies apply to it.
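The verify-and-validate step above, carried through in Python as an added example (not UK Data Service tooling): a manifest of sizes and checksums is taken from the master copies, a restore is made to another location, and the restored tree is compared against the manifest so that missing, changed and unexpected files are reported. SHA-256 is used rather than the MD5 the text mentions; either detects accidental corruption, but only a collision-resistant hash is worth relying on if tampering is a concern. The project files and the simulated faults are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large data files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, algorithm: str = "sha256") -> dict:
    """Map each file's path (relative to root, '/'-separated) to (size, digest)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(path), file_digest(path, algorithm))
    return manifest


def verify_restore(original_manifest: dict, restored_root: str,
                   algorithm: str = "sha256") -> dict:
    """Compare a restored tree with the manifest taken from the master copies."""
    restored = build_manifest(restored_root, algorithm)
    report = {"ok": [], "missing": [], "changed": [], "extra": []}
    for rel, expected in original_manifest.items():
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != expected:       # size or digest differs
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    report["extra"] = [rel for rel in restored if rel not in original_manifest]
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Build constructed master files, restore them, inject two faults, verify."""
    with tempfile.TemporaryDirectory() as work:
        master = os.path.join(work, "master")
        os.makedirs(os.path.join(master, "raw"))
        samples = {                               # constructed sample content
            "README.txt": b"Project X data files, version 1\n",
            "survey.csv": b"id,age,score\n1,34,7\n2,67,3\n",
            "raw/interviews.txt": b"interview transcripts (anonymised)\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(master, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(master)

        restored = os.path.join(work, "restored")
        shutil.copytree(master, restored)        # stands in for a real restore

        # Fault 1: a single flipped byte. The size is unchanged, so a check
        # on file size alone would miss it; the digest catches it.
        with open(os.path.join(restored, "survey.csv"), "r+b") as f:
            f.seek(0)
            f.write(b"X")
        # Fault 2: a file lost from the backup set.
        os.remove(os.path.join(restored, "raw", "interviews.txt"))

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status}: {files}")
```

Store the manifest with the backup label and date so that a restore test months later compares against what was actually backed up rather than against a master copy that may since have changed.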
MANTRA - Lynn Jamieson - Importance of backing up research data
4 May 2012
MANTRA - Richard Rodger - Backing Up Data
10 June 2014
MANTRA - Jeff Haywood - Importance of backups in research
3 November 2011
MANTRA - John MacInnes - Primary data versus secondary data
4 May 2012
Destroying data & data security
Data needs to be securely destroyed once it is no longer needed, as merely deleting files and reformatting a hard drive will not prevent data recovery. UK Data Service
Prevent unauthorised destruction of data. UK Data Service
Erasing Data
Simply deleting files and reformatting a hard drive will not securely erase information, meaning that it will still be possible to recover the data that was previously on the hard drive.
It is essential to have a strategy for reliably erasing data at various stages in the data cycle.
Take note: During research, copies of data files that are no longer needed may be destroyed. It is often useful to keep ‘working’ files safely in order to backtrack in the research process.
Hard Drives
For hard drives, which are magnetic storage devices, deleting files does not permanently erase a file from the physical drive; rather it only removes a reference to the file.
Files deleted in this way take little effort to restore, which also explains why data can be recovered from some damaged hard drives. Files need to be overwritten numerous times to ensure they are effectively unreadable.
Software is available to help erase files from hard disks, meeting recognised erasure standards. Example software is: BCWipe, WipeFile, DeleteOnClick and Eraser for Windows platforms; and Permanent Eraser for MacOS platforms.
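As an added illustration of what the erasure tools above do under the hood (this is example code, not any of those products): a Python function that overwrites a file's bytes several times, forcing each pass to disk, before unlinking it. The pass count and the sample file are constructed for the demonstration. As the following sections note, this only addresses the blocks a magnetic drive rewrites in place; on flash storage, snapshotting or copy-on-write filesystems, and for any other copies such as backups, overwriting gives no such guarantee.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of the file 'passes' times, alternating random data
    and zeros, and fsync after each pass so the write reaches the device.
    Returns the total number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for i in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                block = secrets.token_bytes(n) if i % 2 == 0 else b"\x00" * n
                f.write(block)
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return written


def secure_remove(path: str, passes: int = 3) -> bool:
    """Overwrite, then delete. Only meaningful for in-place storage; flash
    drives and SSDs remap blocks, so the old contents may survive elsewhere."""
    overwrite_in_place(path, passes)
    os.remove(path)
    return not os.path.exists(path)


def demo() -> dict:
    """Create a constructed 12,000-byte file, overwrite it twice, then remove it."""
    marker = b"CONFIDENTIAL"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(marker * 1000)
    written = overwrite_in_place(path, passes=2)
    with open(path, "rb") as f:
        marker_gone = marker not in f.read()
    removed = secure_remove(path, passes=1)
    return {"bytes_written": written, "marker_gone": marker_gone, "removed": removed}


if __name__ == "__main__":
    print(demo())
```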
The most reliable way to dispose of data is physical destruction. This will of course be much more difficult – and often impossible – to achieve where cloud storage has been used.
It is therefore imperative that researchers ensure that cloud storage is appropriate for the specifics of their research project. A risk-averse approach for all drives is to encrypt devices before first use, when installing the operating system, and to physically destroy the drive using a secure destruction facility approved by your institution when the data need to be disposed of.
USB Flash Drives
Flash-based storage devices, such as memory sticks, are constructed differently to hard drives. Techniques for securely erasing files on hard drives cannot be relied on to work for solid-state disks as well, so physical destruction is advised as the only certain way to erase files.
Paper and Optical Discs
Shredders certified to an appropriate security level should be used for destroying paper and optical media.
The German Institute for Standardization (DIN) has standardised levels of destruction for paper and discs that have been adopted by the shredding industry.
For shredding confidential material, adopting DIN 3 means objects are cut into two-millimetre strips or confetti-like cross-cut particles of 4 x 40 mm. The UK government requires a minimum standard of DIN 4 for its material, which ensures cross-cut particles of at least 2 x 15 mm.
MANTRA - John MacInnes - Corrupted hard drive
4 May 2012
This unit introduces you to legal and ethical considerations for researchers working with sensitive data.
After completing this unit you will understand:
▪ what sensitive data are
▪ what data protection laws are and how they apply to research data
▪ what types of research will be subject to ethical review
▪ what consent documentation is appropriate to ensure you meet your ethical and legal obligations
▪ the key aspects of data management needed to safeguard sensitive data
▪ where to find appropriate data protection training
This unit introduces you to issues involved in storing, securing and backing up your research data.
After completing this unit you will:
▪ know how to protect your data by taking adequate precautions.
▪ be aware of the options available to you to safely store your data.
▪ recognise the importance of data backups.
▪ understand password safety guidelines.
▪ know how to encrypt and destroy sensitive data when required.