Search term

During the Research Project: Data Storage & Pseudonymization & Encryption

Safe Data Storage

Internal PhD Candidates & SHE Researchers

  • Request a Folder on the P-drive (P:). Every internal PhD requests a folder on the P-drive via lo-educ@maastrichtuniversity.nl. The P: drive is judged as a safe place by the UM security officer to store personal information and can therefore be used to store raw research data. Members of the PhD research team have access to this folder, unless the DMP indicates why some member cannot have access. On the P: drive you can not only store research data but also your other research documents, such as notes, logbooks, presentations, manuscripts and so on. NB: Do not use any other UM network drive (I:) or local drive (C:, D:) to store data containing personal information. If you absolutely need to use a local drive, make sure that good encryption of the data is provided.
  • Surfdrive can be used for:
    - Periodic backups of your research data. Do not use the Surfdrive synchronisation-option for this. Create a zip-archive from your actual data, mark it with a date and upload this to Surfdrive using the web-browser. Depending on the activity in your project, you can do this weekly or daily.
    - Exchange information with team members outside the UM. To this end, the PhD student can share a folder with others that have a Surfdrive account.

External PhD Candidates

External PhDs must take care of safe storage of their research data on their local computer systems. They should also follow local legislation on privacy and data protection. However, since the VSNU code of conduct states that PhD supervisors are responsible for research data, you need to ensure that a copy of the data is available at the UM as soon as possible. You can use Surfdrive as a safe means of transportation and also as a safe storage medium.

There are three strategies to transport data safely to Surfdrive:

  1. The daily supervisor requests a Surfdrive Group folder (250 Gb extra storage) and adds the PhD student to this group – preferred
  2. The daily supervisor shares one of the own folders on Surfdrive with the PhD student account – Also ok, but storage space of the daily supervisor is used.
  3. The daily supervisor creates a public link to a folder and shares the password with the PhD student – Use this option only if the PhD student cannot request a Surfdrive account. And use it only for a short period of time to transport the data. Close the link directly after completion.

The daily supervisor also must request a folder on the P-drive for this PhD project and take care of making regular copies of the data from Surfdrive to this folder.

Virtual Research Environment

When the project funding allows this, a VRE (Virtual research environment) can be requested at the UM library. This is a Microsoft Sharepoint environment that is managed by the UM library. The research team can use the VRE to share data and documents, to plan activities and to co-operate on documents in online sessions. It is possible to provide access to non-UM or non-SHE research team members. It is allowed by the UM authorities to store data containing personal information on a VRE. However, data should also be stored on an appropriate folder on the P: drive. A VRE can be requested through the UM Library here (ask after current fees).

Encryption

You can use 7-zip to easily make an encrypted zip-file. If these are stored on the P: drive or on Surfdrive, this is an acceptable level of security for data sets with personal information. Preferably create standard .zip files, not .7z files.

Pseudonymization

The raw data must be pseudonymized as soon as possible after the data collection. Further analysis is only done on pseudonymized data.

Pseudonymization means that you transform your data in such way that it cannot be traced back to individuals, but at the same time creating a separate key file that allows identification of the data of individuals in the pseudonymized data set. A common way to pseudonymize is to create a random number (the key number) for every participant and replace all identifiable information in the dataset by this key. The key and the identifiable information are the stored in the key file.

The raw data sets must remain on the P: drive. You need to decide in your research team whether it is necessary to encrypt the raw data sets on the P: drive. Copies of the raw data sets and the pseudonymized data sets can be stored on Surfdrive for backup. The Pseudonymization key file must be kept since in the GDPR the participants are allowed to revoke their consent and to have their data removed from the raw and the pseudonymized data sets. The key file can be stored on the P: drive, but must preferably be encrypted. 

Qualitative Data

Since pseudonymization of qualitative research data is often very complicated, SHE researcher can only use parties that are preferred by UM or their home institute and have Data Processing Agreements. In case of image, sound or video data, pseudonymizations means the removal or masking of all identifying information – if feasible. If this is not feasible, only transcripts or observation reports should preferably be used in further analysis.