Data security guidance
If you intend to hold data for research purposes, it is of paramount importance that the security in place meets the minimum standards required by the data holding organisation providing it. In practice, the more secure the setting a researcher is working in, the more relaxed a data holding organisation may be about allowing access to its sensitive data.
A data holding organisation that is considering handing over an administrative dataset will typically be concerned about six key things:
- Physical security
- Hardware security
- Software security
- Data handling practices
- Staff (i.e. who has access)
- Access policies and procedures.
Below is advice on creating a safe setting using this list. The recommendations here are by no means exhaustive and you should refer to more extensive documents on this topic such as the Thomas and Walport 2008 review of data sharing.
Physical security
This concerns the perhaps slightly mundane matter of locks, doors and windows. It is normal to require that the doors are solid (i.e. don’t contain glass) and that walls have no internal windows. It is also good practice to require that the locking system is independent of the standard locking system within the organisation.
It is also common practice for two separate locking systems to be in place, for example a combination lock and a key or swipe system. The principle here is to require something you have, such as a key, and something you know, such as a combination, to ensure security of access.
Ideally, secure data laboratories will not be on the ground floor of a building unless they are internal (i.e. have no windows to the outside world). Where this is not possible the best practice is to install additional security measures to guard against forced entry, for example security bars.
Hardware security
The minimum standard for security on any platform that the data is stored or analysed on is that it is standalone (i.e. not connected to the outside world). This includes either a single standalone machine or a standalone network. The platform should be protected by a boot-up password.
If the platform or machine that the data is stored on is to be disposed of, then all hard disks must be properly cleaned. It is not sufficient simply to delete the files, as this does not irretrievably remove them from the disk. Therefore you must use appropriate secure deletion software (such as MediaWIPE, Blancco or Drive Erase), which will permanently erase files.
Software security
It is good practice to restrict software installation to just a small, specific set of tried and tested data analysis software.
Anti-virus software should be installed as standard and be kept up to date. It is an area that is easy to neglect, as the standalone machine cannot access the Internet for easy updating and data users are usually also responsible for this task.
A good solution is to have a designated individual whose responsibility it is to maintain software and an explicit procedure and record keeping by which this happens.
Data handling practice
This concerns what actually happens to a data set whilst it is in your institution.
However, prior to this you should consider how you are going to be receiving the data from the data holding organisation. Although the responsibility ultimately lies with the organisation sending the data, you should not agree to any procedure that involves unsecured data transfer.
Secure data transfer means that data should always be encrypted and require a password for installation or decryption. Keys for decryption should always be transferred by a different medium. If the data you have received is not encrypted, you should do or arrange this yourself before storing it as a backup.
Temporary transfer of a file from a secure FTP site to a networked machine is possible, as is physical transfer of the data between a member of the data holding organisation and a member of the receiving institution.
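As an added illustration (not part of the original guidance) of the receiving-end checks the two paragraphs above imply, the following Python screens a delivered file before it is accepted into the lab: the SHA-256 digest is compared against the one sent by the separate channel, and a byte-entropy heuristic flags a delivery that appears to be plaintext rather than an encrypted archive. The sample files, digest and entropy threshold are constructed for the example.

```python
import hashlib
import hmac
import math
from collections import Counter

# Constructed sample 1: a plaintext CSV extract, i.e. what must NOT arrive unencrypted.
PLAINTEXT_SAMPLE = b"id,postcode,dob,diagnosis\n1,AB1 2CD,1970-01-01,asthma\n" * 20

# Constructed sample 2: a pseudo-random blob standing in for an encrypted archive.
# Built by chaining SHA-256 so the example is deterministic and needs no key material.
_chunks, _h = [], b"constructed-seed"
for _ in range(40):
    _h = hashlib.sha256(_h).digest()
    _chunks.append(_h)
ENCRYPTED_SAMPLE = b"".join(_chunks)

# The digest the sender would communicate by a different medium (phone, letter, etc.).
ENCRYPTED_SHA256 = hashlib.sha256(ENCRYPTED_SAMPLE).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext, well below that for text or CSV."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, min_entropy: float = 7.0) -> bool:
    # Heuristic only: compressed archives also score high, so a pass means
    # "not obviously plaintext", not "proven encrypted". Threshold is assumed.
    return shannon_entropy(data) >= min_entropy


def verify_transfer(data: bytes, expected_sha256: str) -> dict:
    """Screen a delivered file: integrity against the out-of-band digest,
    plus the plaintext heuristic. Accept only when both checks pass."""
    digest = hashlib.sha256(data).hexdigest()
    hash_ok = hmac.compare_digest(digest, expected_sha256)
    encrypted = looks_encrypted(data)
    return {"hash_ok": hash_ok, "encrypted": encrypted, "accept": hash_ok and encrypted}


if __name__ == "__main__":
    print(verify_transfer(ENCRYPTED_SAMPLE, ENCRYPTED_SHA256))
    print(verify_transfer(PLAINTEXT_SAMPLE, ENCRYPTED_SHA256))
```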
Once you have received the data on some physical format, the procedure should be to immediately transfer this into your secure lab. The original media should then be placed in a locked storage unit for safe keeping.
When the project is finished, the data files and any backups on the machine should be deleted using proper file deletion software (such as MediaWIPE, Blancco or Drive Erase). It is not sufficient to just delete them in the normal manner, as this will not actually remove the data, just the immediate means of accessing them.
The original physical data file should then be destroyed.
Depending on the data and your agreement with the supplier of your data, you might also want to have some output checking process in place before output is removed from the lab. This is a more complex process and usually one that would be carried out by a senior member of staff. Even if output is deemed suitable for removal from the lab, it should still be handled in a cautious and safe manner, with any files being permanently deleted or destroyed and paper outputs being shredded.
A final point regards the output from any analyses that you have conducted on the data. There are two considerations.
- What can be physically removed from the safe setting
- What can be published.
The same underlying principle applies to both. The outputs should be non-disclosive. Unfortunately, deciding whether output is disclosive or not is not simply a matter of consulting a check list, and this topic is an active research area.
Therefore, until there is more standardised guidance, you must apply sound judgement and common sense. Ask yourself: how much information about any given data unit can I extract from this output? If your answer is the values of a few crudely coded variables, then it is probably safe to remove the output to a locked cabinet in your office. With actual publication of output, please apply far more careful consideration and, if necessary, consult a senior member at your institution or the data holding organisation, or seek expert advice from the ADLS before proceeding. There are sanctions and penalties under various legislation for any disclosure of identifiable information (please refer to the legislation part of this document).
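The following Python is an added example, not part of the original guidance, of a first-pass screen for tabular output of the kind discussed above: cells below a minimum count are suppressed, and then any row or column where a single suppressed cell could be recovered from a published margin gets a second cell suppressed as well. The table and the threshold of 10 are constructed for the example; the real threshold comes from the data holding organisation's agreement, and passing this screen does not replace the judgement the text calls for.

```python
# Constructed two-way table: (row category, column category) -> count of data units.
TABLE = {
    ("16-24", "A"): 3, ("16-24", "B"): 47,
    ("25-44", "A"): 21, ("25-44", "B"): 130,
    ("45-64", "A"): 18, ("45-64", "B"): 95,
}
THRESHOLD = 10  # assumed minimum safe cell count; set it from the data agreement


def primary_suppression(table, threshold=THRESHOLD):
    """Cells whose count is small enough that a data unit could be singled out.
    Zero cells are left to judgement: they can still disclose an attribute."""
    return {cell for cell, n in table.items() if 0 < n < threshold}


def secondary_suppression(table, suppressed):
    """If a row or column has exactly one hidden cell and its margin is published,
    the hidden value is just margin minus the visible cells. Hide the smallest
    visible cell in that line too, and repeat until no line leaks."""
    suppressed = set(suppressed)
    changed = True
    while changed:
        changed = False
        for axis in (0, 1):  # 0 = rows, 1 = columns
            lines = {}
            for cell in table:
                lines.setdefault(cell[axis], []).append(cell)
            for cells in lines.values():
                hidden = [c for c in cells if c in suppressed]
                visible = [c for c in cells if c not in suppressed]
                if len(hidden) == 1 and visible:
                    suppressed.add(min(visible, key=lambda c: table[c]))
                    changed = True
    return suppressed


def check_output(table, threshold=THRESHOLD):
    """Return the cells to suppress and a version of the table safe to take out."""
    suppressed = secondary_suppression(table, primary_suppression(table, threshold))
    released = {cell: ("*" if cell in suppressed else n) for cell, n in table.items()}
    return {"suppressed": suppressed, "released": released, "clean": not suppressed}


if __name__ == "__main__":
    for cell, value in check_output(TABLE)["released"].items():
        print(cell, value)
```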
Staff
There must be restrictions on who can enter the secure data lab without supervision. This should be restricted to staff directly involved in the analysis of the data only. On some occasions it might be necessary for non-project staff to enter a secure data lab, and such visitors should be accompanied by an authorised user at all times.
All staff should be fully trained in data handling good practice and data legislation and made aware of all policies regarding using the data laboratory.
Access Policies and procedures
Access to a secure data laboratory must be controlled. One approach would be to have a key held by a trusted administrator and a combination known only to staff using the key. The combination should be changed regularly and certainly when staff leave the institution. It is also good practice for the key holder to log usage. A slightly more relaxed but less secure approach is for regular users to also have keys.