Some general data safety principles

We can distinguish four types of research data sets:

  1. Data sets with personal information (raw data sets)
  2. Pseudonymized data sets
  3. Anonymized data sets
  4. Data sets with no personal information

The first two types are subject to the GDPR; the last two are not. Anonymized data sets and sets that do not contain any information based on individuals can be transported and stored a bit more freely.

Data safety, however, is not only about preventing unauthorized persons from accessing data. It also involves:

  • Availability: we do not want your data to be destroyed or become inaccessible, and
  • Integrity: data should be correct and no unintended changes should occur in the data, for instance mixing up participants’ responses in interviews. This is true for all 4 types of research data.

In general, do not store research data in unsafe places or transport it over unsafe channels. A good backup strategy is also part of ensuring data safety.

  • Unsafe storage is: an unsecured hard drive, a laptop with no password or encryption, unprotected USB sticks or disks, Dropbox, iCloud, Google Drive or any web-storage system that is not approved.
  • Unsafe transport is: email (other than internal email between Maastricht University and MUMC accounts), USB sticks, memory cards or CD/DVD disks sent by surface mail, using Skype to send data files, WhatsApp, and so on.
  • Safe storage is: UM network drives, well-protected laptops with encrypted disks, Surfdrive, UM VRE (see explanations below and at the end of the document)
  • Safe transport is: UM internal mail, Surffilesender, Surfdrive

NB: Paper-based data (such as signed informed consent letters) is in principle and should be kept as short as possible. Scan the papers as soon as possible, store the scans in a safe place and destroy the papers in a safe way.