Aller au contenu principal

Research data management

Recommandations

During the project use the storage tools recommended by the IT department: 

 

For personal data

(i ncluding sensible and/o       r confidential data)

 For other non-personal data and non confidential data

  • Institutional server
  • SWITCHDrive, 
  • SWITCHFileTransfer 
  • SWITCHTube
  • REDCap
  • GitHub/GitLab
  • InfluxDB
  • Microsoft Teams
  • Sharepoint
  • OneDrive

Ask the Sinf for an institutional folder for your project or professional activity.

Do not use your private OneDrive folder that will be deleted if you leave the institution.

In general:

  • Do not use sharing platforms and tools such as : Dropbox, Google Drive, instant messaging, WeTransfer..
  • Use Cryptomator to encrypt the data when storing identifying and sensitive data 
  • Use SWITCHDrive with Cryptomator for external sharing

Data storage

Data storage refers to the recording of data on a physical medium (hard disk, SSD, USB key, etc.), ensuring its integrity, confidentiality and availability. It is also important to reduce the risks of data destruction, deterioration, disclosure, falsification, loss, hacking or theft. The first step is therefore to decide where data can be stored, and what level of security should be applied. The second step is to draw up a Data Management Plan (DMP), incorporating a data value assessment and risk management.

Step 1
  • Identify the type of data you need to manage (whether you've produced it or reusing it)
  • Decide what to protect and calculate the space required
  • Choose the right type of storage for your needs
Step 2
  • Identifying the value of data
  • Identify the risks to which data are exposed
  • Identify how to reduce each risk

This chapter deals with data storage during the period of Use, while extending into the period of Retention :

How to decide what data needs to be protected ?

List all project data:

  • Identify whether it is:
    • personal data (e.g. first name, surname...)
    • sensitive personal data (e.g. gender, religion, health data...)
    • other types of data (e.g. code, metadata...)
  • Identify where the data is stored, if it already exists, and the means of retrieving or accessing it if it is to remain remote
  • Identify whether data is pseudonymized (coded) or anonymized

see the Glossary

 See also : Personal and sensitive data and Anonymization / Pseudonymization

How important is data?

  • Identify the value of data 
  •  The value of data can change during its life cycle: creation, storage, use, sharing, archiving, destruction
  • Organize your data storage according to security objectives
Privacy Integrity Availability
  • Guaranteeing non-disclosure of information
  • Confidentiality of personal information
  • Unauthorized persons cannot access digital or physical information
  • Data accuracy, authenticity and consistency
  • Check data accuracy at time of use
  • Access information when you need it

Security objectives for data storage

Safety objectives

Damage (if the objective is compromised)

Classification categories

Typical classification levels (examples)
Privacy Disclosure Sensitive
  • Public
  • Internal
  • Confidential
  • Personal data
Integrity Modification Critical
  • Low
  • Medium
  • Top
Availability Destruction

What risks is your data exposed to?

  • Identify what the risks are and their level of probability (i.e level of chance that an event may occur). This step is essential if the project contains sensitive and/or highly critical data and will enable you to : 
    • Identify threats according to the project's context
    • Prioritize the safety measures that need to be implemented

Impact Occurrence, probability of occurrence
5

Jeopardize the integrity, confidentiality and availability of project data, or even its survival

 5 This will surely happen in the short to medium term
4 Does not jeopardize the integrity, confidentiality and availability of project data, but is very serious and must be dealt with 4 It may happen sooner or later
3 Can only be tolerated for a short period and temporarily 3 Technically possible but not very likely to happen
2 Consequential but tolerable 2 It may happen one day
1 No remarkable consequences 1 Very unlikely    
  • To help you assess the risk to which data is exposed, you can download this risk assessment tool. It provides a few examples of common risks that may occur.

How can risks be reduced?

 

Storage
  • Encrypt sensitive data. For cloud storage solutions, we recommend Cryptomator 
  • Encrypt mobile workstations and storage media containing search data:
  • Sign documents requiring integrity assurance
Backup
  • Follow the 3-2-1-1-0 rule
    • Keep 3 copies of your data (the main file and 2 backup copies)
    • Store data on 2 different types of media
    • Keep 1 off-site backup copy (e.g. online)
    • Keep 1 offline backup copy
    • Ensure that there are no errors during the restore test
  • Validate backup requirements with the IT department
  • Determine the required backup frequency and retention time (the length of time the backup will be kept in order to restore it, if necessary).
    •   SwitchDrive does not make backups, but replicates data between several servers
  • Make frequent backups of research data
  • Check backups regularly by testing a restore
  • Encrypt backups of sensitive data if project data is also to be encrypted
Access rights management
  • Define authorization profiles by separating tasks and areas of responsibility (role-based management)
  • Limit access to only what's needed
  • Define a unique identifier for each project member and prohibit shared / generic accounts. For example, on SWITCHdrive this is the SWITCH eduID.
  • Limit high-privilege accounts
  • Carry out a scheduled review of authorizations
  • Use different, long passwords for each account min. 17 characters
  • Use a password manager. We recommend Bitwarden or KeePass

 If personal data is shared with collaborators in Europe, the GDPR must also be followed. If personal data is shared with collaborators outside Europe, we recommend that you contact the DPO of the HES-SO Valais-Wallis) to assess the risks associated with this sharing.
E-mail, instant messaging and workstations
  • Use e-mail only for non-sensitive data

What storage options are available?

 What are the possibilities for which types of data?

  • Identify storage possibilities for each institution and for each type of data. The tools recommended by the HES-SO Valais-Wallis according to each type of data :

  • Encrypt data when necessary
  • For more information on the tools, their capacities, advantages and disadvantages, please read the guide Plateformes de stockage

References