Lawful and proper use of solutions for storing data depends on the type of data, how confidential the stored data is and the value represented by the data. This applies to both physical and digital data. As a result, there may be key aspects of your data collection that affect where you should place your data, how you should protect it and what procedures you must use when processing it.
As an employee at UCPH, you are responsible for ensuring that you are processing data lawfully and in accordance with the University’s rules and the Danish Code of Conduct for Research Integrity. For instance, you should be aware that the collection and processing of personal data must be reported and registered at the faculty. Read about reporting data collections.
You can contact IT support at South Campus if you need guidance on encryption.
Contact firstname.lastname@example.org if you have questions about data storage that are not answered on this site or if you need other kinds of IT support in connection with processing research data.
Physical storage and confidential and sensitive data
When working with physical data (i.e. not digital data) that is classified as confidential or sensitive, it must be stored under special conditions. Collecting and processing this type of data must be reported to the Faculty, and measures for accessing the physical data must be clear and thoroughly described (in the report).
An office with a lock is rare, as the University's common offices have locks that often give several people access to the office. For highly classified data, rules dictate that only people with a purpose to see the data may have access to it.
If you store confidential or sensitive material in your office, it must be locked in a secured cabinet or the like. It is important to have a clear procedure for storing and supplying keys to the room and cabinet.
You can store sensitive and personally identifiable data in a filing cabinet. The lock on the cabinet must be of reasonable quality. As filing cabinets usually can be broken into in less than 2 minutes, you should consider whether the particular data in question is too sensitive or valuable to be kept in a filing cabinet.
You can use a locked fireproof cabinet to keep valuables that cannot be recreated safe. Many fireproof cabinets look similar to safes but do not have the same level of security that a safe offers. Most fireproof cabinets can, with the right tools, be opened in less than 2 minutes, so it should be carefully considered whether the data is too sensitive or valuable to be stored in a fireproof cabinet.
Safes can be used for storage of confidential and valuable material. This type of storage requires the involvement of a representative from the information security department. Often, a risk analysis will be made and, if necessary, an emergency plan.
Contact email@example.com if you wish to obtain and use a safe for data storage.
Climate controlled storage
Some data needs to be stored in a climate controlled manner. This type of storage requires the involvement of a representative from the information security department. Often, a risk analysis will be made and, if necessary, an emergency plan.
Contact firstname.lastname@example.org if you need climate controlled storage of data.
Storage of ordinary, confidential and sensitive data on mobile devices
As a general rule, all mobile devices (USB sticks, external hard drives, private laptops, mobile phones, tablets etc.) containing sensitive data must be encrypted. You are allowed to put UCPH data on your private computer on the condition that it is protected by a username and password that only you know. Your computer must also have antivirus software installed.
You can get help with encryption at your IT-helpdesk.
Mobile units like USB-keys, laptops and external hard drives may not be used for long-term storage or backup. Instead, use a drive on the UCPH-network for your data.
You may not store confidential data or personally identifiable material on mobile units for longer than necessary. With personally identifiable data, rules apply that require the registration of the data collection to contain a description of how data will be stored periodically on mobile units.
You have to report stolen or lost units containing personal data to your information security representative immediately. This applies to privately owned equipment as well as that provided by UCPH.
Storage of data on a network drive
Files stored on a network drive are automatically backed up.
By using a (research) project drive, you can share data with others, but it cannot be used for storing and sharing personally sensitive and confidential data.
If you are working with confidential or personally identifiable data, you have to use an S-drive that meets the requirements necessary to comply with the General Data Protection Regulation (GDPR). If you are using the server to collaborate across institutions and countries, you should be aware of the legal circumstances of, for instance, data ownership and sharing of data, which will have to be made clear.
Personal network drive
Files stored on your P-drive (personal network drive) are automatically backed up. You are allowed to store personally identifiable information on your P-drive as long as you have a valid purpose to do so, e.g. when working with your research data. When that purpose is no longer valid, the personally identifiable information must be anonymised or deleted.
KUnet Group rooms
You can use group rooms on KUnet for collaboration and sharing documents and data, but they may not be used for confidential or personally identifiable data. Data stored in the group rooms are automatically backed up.
You are allowed to use cloud services like Dropbox and Google Drive for collaboration and sharing of non-confidential and non-personally identifiable data. You may not store confidential or personally identifiable data on cloud services. Data stored on a cloud service must be secured regularly by backing it up on a KU network drive.
Personal server or NAS
It is possible to set up your own server. If it contains confidential or personally identifiable data, you should be aware that you are responsible for the server meeting the requirements of the law and UCPH’s information security policy, including requirements for logging, access control and back-up. There is a financial cost associated with using your own server (especially for personally identifiable and other confidential data), which you should be aware of, for instance, with regard to financing your project.