Planning management of data

Even before you start collecting or producing data, it’s good to plan how it will be handled throughout the life cycle of the project’s research data. Aspects to be considered include:

  • assess what ethical and legal aspects are relevant to data management
  • ensure that relevant permits and agreements are in place
  • assess whether intellectual property rights need to be dealt with
  • classify information, estimate data volumes and plan for an appropriate storage solution
  • estimate possible need for high-performance computing resources
  • budget for the expected costs of the project's data management
  • plan for long-term data retention.

Data Management Plan (DMP)

Quality-assured and accurate data management is often facilitated by a well-thought-out data management plan (DMP). Many research funders and other parties require a DMP, sometimes in a shorter version as early as the application for research funding. A data management plan that is regularly monitored and updated becomes a support in the implementation of a project.

Permits and agreements

Various permits and agreements relating to and regulating data management may need to be drawn up before a project starts. Agreements with external funders may include requirements for making available documentation and data from projects that they finance.

Projects that deal with sensitive personal data and plan to deposit data in repositories with controlled disclosure procedures should include that information in the application for ethical review.

Permits and agreements shall be recorded in the register (diary) and archived in accordance with the university's document management plan, and it shall be possible to trace them to the research undertaken.

Contract review is usually carried out by the university's legal affairs division.

Cooperation and commission agreements

If you are participating in a project that involves collaboration with organizations outside your own university, there are a number of areas, including research data, that you may need to agree on. These can be projects involving researchers from several universities or collaborations with private companies, other authorities or the healthcare sector. Before you initiate a project with parties outside the University, you should consult the University's legal department.

Note that there may be differences between countries in the laws and regulations governing the management of research data. In cooperation with researchers in other countries, the legal conditions may therefore differ.

Important issues that should be clarified in, for example, cooperation and commission agreements are how research data from the project should be handled and used. It should be clear who will have access to the data material, how the material may be transferred and used, and any time limits on its use. Aspects that may also need clarification include whether any party owns or holds copyright in the data and any restrictions on how data may be shared with others or made openly available.

Requests for confidentiality may occur from external partners, but they must be handled in accordance with the principle of public access to information and the legal framework governing the disclosure of public records.

See also: To collaborate with Uppsala University (leaflet)

Data security and information classification

Research data can be difficult to recreate and sometimes contain confidential information. Planning how data will be stored and protected is therefore important. The choice of working methods and technical solutions should ensure that data is not lost, that the management and storage solutions meet the requirements of information security and that data subject to confidentiality is not disclosed.

In order to find the right type of solutions for data storage and other management, it is important to know what legal and other requirements apply to the type of data you are dealing with. Information classification of the project data should therefore be done before a project starts, as the outcome affects the time and resources needed to establish procedures and access sufficiently secure systems. High demands usually involve higher costs for technical solutions.

Information classification is made by assessing needs and data in relation to three factors: Confidentiality, Integrity and Availability (CIA), with guidelines from the Swedish Civil Contingencies Agency (MSB).

  • Confidentiality refers to whether data contains information that should not be made available or disclosed to unauthorized persons, systems or processes.
  • Integrity means that the information must not be altered or destroyed, either by unauthorized persons, by mistake or due to malfunction.
  • Availability means that the information should be accessible and usable in the expected way and within the desired time.

The classification is made on a scale of 0–3 for each factor and the result is usually referred to as the CIA value (KRT in Swedish). You can make a classification of your data yourself using the instructions in Uppsala University’s Information Classification Instruction – see Procedures for Risk Management – Appendix 2 Information Security.

Read more about the university's recommendations for information security and take part in the University's course on basic information security. Contact the Security Department for advice: security@uu.se

Confidential information in research data

Some data processed in research contains information that, for ethical, legal, commercial or other reasons, should be protected from unauthorized access. It is often a matter of information which, under the Public Access to Information and Secrecy Act (2009:400), is subject to confidentiality. It can be information:

  • which may be directly or indirectly linked to individuals
  • that is protected by copyright or intellectual property rights held by some party
  • relating to national security or dual-use products (i.e. both civilian and military uses)
  • about protected species or biologically sensitive locations
  • that is the basis for patentable inventions

In order to prevent unauthorised access to this type of information, it is important to classify information (see above) and to choose technical and administrative solutions that ensure an adequate level of security. See also Storing data and collaborating.

If data with confidential information will be handled by external parties, liability as well as security measures and procedures shall be regulated by contract. Keep in mind that in cooperation with, for example, private companies, staff in that activity are not subject to confidentiality in the same way as employees in public activities. See Permits and agreements above.

Routines for information security

Before initiating a project, the technical and administrative procedures required to maintain an adequate level of security in the handling and storage of data throughout its life cycle should be planned and documented.

All employees in a project, both internal and external parties, should be informed about which data is confidential, as well as what solutions and procedures to follow to ensure that only authorized persons have access to the material. See also Routines for secure information management.

Project managers are responsible for data management within a project, but especially in the case of larger projects it is recommended that other persons in the project have the responsibility for monitoring how data is managed.

Keep in mind to:

  • keep software up to date on the devices that generate, transmit or have access to data with confidential information
  • not send sensitive data via email and avoid handling confidential information in public places or over public networks
  • when necessary ensure that project employees also have a secure IT environment at home
  • make sure that project members are aware of information security guidelines

Control of data access

Document which colleagues have access to data and what level of permission they should have: edit and/or read permissions. Provide access at the lowest appropriate level and ensure that only authorized persons have access to the devices and systems where data is generated, stored or processed. It is often a better solution to provide file or folder-level access to a storage space than to send confidential data as attachments to emails. If email is used to send data, then encryption should be applied.

No chain is safer than its weakest link. It is therefore important that all systems where data is handled or transmitted have an adequate level of security – from your own computer and email management to platforms used for analysis and solutions for storing data after completion of a project. Avoid unnecessary transfer of data sets with confidential information and encrypt data moving between different systems if necessary. Ensure that data is deleted from a platform if it is no longer used for further analysis there.

Data containing personal data is confidential information which, according to the Data Protection Regulation (GDPR), may only be processed if technical and organizational measures ensure protection against unauthorised access and loss of data. When handling sensitive personal data, higher security requirements are imposed and the chosen storage solution should, if possible, support two-factor authentication. Data containing personal data can also be encrypted or encoded to increase the level of security. See also Storing data and collaborating.

Open science and confidential information

The transition to open science and the demands for transparency and reproducibility in research are increasing expectations that research data should be made openly available. However, if the data contains information that is confidential for some reason, the possibilities to publish this data may be very limited.

Data that cannot be shared openly can still be described, for example in a data repository. There you can specify contact details and the conditions for others to access the data. However, for data with high confidentiality and high protection value, in some cases it may also be justified to refrain from describing the data publicly, as knowing that certain information exists increases the risk of attempted data breaches.

Data containing personal data is usually confidential and can in most cases only be published in anonymous form. See Sharing and publishing personal data.

Confidentiality and long-term preservation

The need to protect certain information from unauthorised access is often long-term and persists even after a research project is completed. Therefore, be sure to choose storage solutions and protective measures that offer a sufficiently high level of security, even in the long term. Also strive to ensure that information about the confidentiality of data does not become dependent on individual persons, because responsible researchers can leave the university. Confidentiality of data and other research documents must therefore be documented in order to ensure that a future confidentiality review can give an accurate picture of the potential protection value of the material.

See also: Research data – public records and archiving
