Data security protocol

We researchers deal with a lot of data: task data, questionnaire data, MRI or EEG data, but also contact information, health information, etc. Most of these data are highly sensitive, in that the risk of identification is high. Also, most of us probably do not want people who aren't involved in your project to have access to our data without our knowledge. In order to deal with the sensitivity of the data and prevent them from being stolen, it is imperative that we ensure the highest possible data security. This document contains some tips to maximize data security. By following these tips, you can be more confident that your participants’ privacy will be guarded and the university will not get sued :smile:

Loss of data or other problems?

Always report a data breach to the Servicedesk: servicedesk@eur.nl (phone +31 (0)10 408 8880), click here for more information.

General data security principles

Always report a (possible) data leak/breach

• Every loss of data is a potential data leak, such as:
• stolen or lost digital files: USBs, laptops, external hard drives, data that is not backed-up, etc.
• stolen or lost printed personal data, e.g, a note containing a password, lists with grades, etc.
• viruses on your PC or hacked accounts, including phishing mails
• both pseudonymized and anonymized data need to be reported
• Contact your supervisor and Servicedesk (servicedesk@eur.nl)
• Report the (possible) leak as soon as possible, so that we can adequately respond and limit the amount of damage for participants as much as possible. Keep in mind that measures taken are meant to secure the data, not to punish those involved!

Anonymize your data

The best way to guard the privacy of your participants is to anonymize your data, so that the data cannot be traced back to participants (not even with a key containing the name-number links). For longitudinal data, this can get complicated, since you want to be able to link the data of the same subject and may also need the participants’ contact info for next waves.

Choose safe passwords for your devices

This concerns your EUR account, your laptop, your phone (if it has email on it), and all other devices that contain data.

• Use a sentence instead of a word: they are harder to crack and easier to remember (especially when they are long and contain letters, numbers and signs).
• Use a password manager to keep all your passwords safe, such as Lastpass.

Read more about Lastpass

Lastpass is a password manager that can store all your passwords safely in the cloud. You have to think of a master password - a very strong password - only once. As soon as you log in using that password, you have access to all passwords that you saved in your vault. With Lastpass you can (all features):

• Create safe passwords (no creativity required from your end)
• Never again have to remember passwords for all of your accounts by heart
• Store your passwords safely
• Autofill passwords on websites so that signing on will be a breeze
• Share passwords with others (free version: share with 1 person)
• Save secure notes and other details as well

You can either install lastpass on your PC (or download the mobile app) or install an extension in your browser.

• Get started
• More information here
• User manual

• If possible, change your passwords or codes (e.g., to lockers) regularly
• Share passwords only with the people who really need it
• Protect mobile devices:
• Use a safe internet network (preferably Eduroam): never use an open network. Preferably use EduVPN, which is free for university employees and makes sure that the connection is safe.
• Make sure you can wipe the device and change the password(s) from a distance in case of theft or loss
• Make sure to have a copy of the information on the university system
• Always install all security updates and, if possible, antivirus and anti-malware software
• Do not install jailbreak/root (gaining privileged access to the operating system)
• Do not save confidential information, unless it is well-protected

Protect files with passwords too

If a file contains personal data, such as contact information, the link to a participant number or data on the MRI checklist, protect it with a password:

• In Word and Excel: File > Info > Protect document/Workbook structure > Encrypt with password. You can also restrict editing via these options.
• Save the password somewhere safe so that you can always access the document: if you lose the password, you cannot access the document anymore.
• Only give the password to those who really need it. Try to restrict the amount of people that have access to the document.

Keep paper data (logs, questionnaires, MRI checklists) locked up

• Do not leave data behind in labs after testing: take them with you! When testing multiple participants in one day, do not leave data from a previous participant laying around
• Keep papers in a locked closet or a locker and only give access to people that need it
• If necessary, keep a record of who has access
• Do not take papers with such data home or outside, unless strictly necessary

Keep a clear-desk policy

Do not leave any data unattended if you leave your desk for a longer period of time.

• For digital data: lock your screen (Cntrl+Alt+Delete > Enter or: Windows+L)
• For paper data: put them in a closed closet or locker or lock your room if no one else is present
• When testing participants, do not leave data from a previous participant laying around and take them with you when you leave
• This includes all desks: your own workspace, the secretariat, computer room, the lab, etc.

Email safely

• When emailing large amounts of people (e.g., all your participants for a project newsletter), put the email addresses in the BCC (blind carbon copy) field, so that the receivers cannot see who else got the email. Put your own email address in the “To” field.
• Where possible, use your university email, which has a safe connection with the university servers. Avoid using Hotmail, Gmail or Yahoo.
• Never send research data via email (except when encrypted or using tools like SURF filesender).

Print safely

• Use Secure printing to print confidential information via a password: The printer will only start printing when you have filled in a personal pin code. Securely printed documents will be erased from the university servers immediately after printing. The settings of the print job cannot be adjusted at the printer
• When throwing away confidential information on paper, use a container that can be locked (especially made for confidential paper).

Storing your data

Aim not to store data on local drives

• Use the Research Drive, which is automatically backed-up and secured through the university.
• If you are processing data on your local Data drive, be sure to back it up at the Research Drive.
• Don’t use personal accounts to store data long-term: if you leave the university suddenly, your data will not be accessible for others!

Do not store identifiable information on personal devices

• It is only permitted to work with sensitive data when this is necessary for data collection, processing or planning and, officially, only when participants have given their permission.
• If you do work with sensitive data on a personal computer (e.g., laptop), remove the data after the analyses.

Do not store non-anonymized data in the cloud

Never save documents online, just open them. You never know who will get their hands on your data when you store it in the cloud.

• If you want to work at home, use Owncloud to interact with the Research Drive data
• Or use Remote desktop: gives access to your university desktop, see this link for a manual
• Or use SURFdrive, a safe alternative to Google Drive that everyone with a (Dutch) university account has access to (500 GB of personal storage)
• N.B. You can request SURFdrive also for students or give students the link

If using a local drive, laptop, USB, external hard drive, or video camera, the following rules apply:

• If you are processing data on your local drive, be sure to always back it up on the Research Drive
• If possible, protect the device, hard drive or drive with a password
• Do not put the passwords to laptops on the laptop itself
• When the data have been saved at the right location, delete the data from the device (shift + delete or empty the recycling bin)
• If you have to take devices onto the street, bring them to a (safe and appointed) university location as quickly as possible. Do not bring them home unless absolutely necessary.
• If you have to take data home, do let leave them unattended in a (semi)public place (such as a car or library). If possible, leave it in a locked room.

Communication and sharing

Do not share data via email attachments, Google Drive, etc.

• Instead of email attachments, use SURF filesender. Email attachments are saved on mail servers and on your PC, whereas this is not the case with filesender.
• If you are sending an internal email, use a hyperlink or the path to the relevant folder where possible
• If you want others to be able to edit the documents you share, use SURFdrive or share only the relevant files via Research Drive. Be sure the data shared are anonymous.

Do not talk about or analyze individual data in public spaces

For example in the elevator, a common room, public transport, social media, emails, etc.

• Coding videos and audio is only allowed where other researchers from the same project work or in special coding rooms
• Coding audio in a public space is only allowed when others cannot hear the audio, e.g., because you are wearing headphones
• Transcribe audio and video using safe websites such as uitgetypt.nl

Contacting participants outside the university

• When contacting participants outside the university, e.g., via your own mobile phone, make sure not to send any identifiable information via your phone (incl. sms or whatsapp)
• Avoid coupling participant numbers with phone numbers and/or names in emails or whatsapp messages