NOTE: Many of the answers to these questions will depend on the level of risk associated with the data you have collected. If you aren't sure about the risk level of your data, you can reach out to UWinnipeg's Research Data Management Librarian.
Generally speaking, the risk level of your data relates to the sensitivity of your data. The following data classifications have been adapted from UWinnipeg's forthcoming Information Security Policy, for the purposes of this guide.
From the policy: "...As the University is committed to safeguarding to a high degree the University, the University Community, and third parties against harm, the academic research data of University employees, post-doctoral fellows, visiting scholars, interns, and students is University Data for the purposes of this Policy."
Public: University Data that is freely disclosed to the public or would cause no harm if so disclosed. For example:
Internal: University Data that is not protected by law, agreement, or industry regulation, but may cause minor harm to the University or others if disclosed indiscriminately or beyond a need-to-know basis. For example:
Sensitive: University Data that must be protected by law, agreement, research protocol, or industry regulation; exposes non-public details of a University system; or may cause moderate harm to the University or others if disclosed to unauthorized individuals. For example:
Highly Sensitive: University Data that must receive a high degree of protection by law, agreement, research protocol, or industry regulation; exposes non-public details of a critical University system; or may cause considerable harm to the University or others if disclosed to unauthorized individuals. For example:
For questions about the Policy (not yet released), or questions about the risk level of your data, you can reach out to UWinnipeg's Research Data Management Librarian.
Collecting and storing data on a password-protected laptop is usually secure for low and medium risk data, but it is NOT secure for high or extremely high risk data. If the data being collected is high or extreme risk, store the data on a password-protected and encrypted desktop computer (desktops are less portable and more difficult to steal) in a locked office and/or on a password-protected server, etc.
For added security, encrypt your hard drive, run anti-virus and anti-malware software regularly, update your computer as soon as updates are available, and avoid common situations where your laptop may get stolen, such as leaving it unattended in a vehicle or public place. Perhaps most importantly, regularly back up and secure your data.
Even for low risk data, it is best to take steps to secure your data to reduce the risk of having to redo work if your data is accidentally deleted or your laptop or portable hard drive gets lost or stolen.
Windows has a free utility to encrypt your hard drive called BitLocker, though it is only available for Windows Pro edition. However, Windows Home edition can still read BitLocker encrypted drives.
All Macs have drive encryption but it must be enabled.
It depends on your discipline, and the type and purpose of your data as well as the requirements of your publisher or grant, but here are some things to consider:
Encryption is a method of encoding your data so that only you, or someone you authorize, can access it. As a general rule, identifiable data obtained through research that is kept on a computer and connected to the Internet should be encrypted. There are a couple of different methods of encrypting your data and they both have benefits and disadvantages:
Encrypting Individual Files
Pros: Encrypting only select files such as those that are research related, or those that contain identifying information, keeps your data safe without any extra complications.
Cons: If someone had access to the computer where your data is stored they could break into it and view any non-encrypted files. You also have to remember to individually encrypt each new file you create.
Encrypting Your Drive
Pros: Encrypting your entire drive prevents anyone from accessing any of your data without your authorization. Encrypting your whole device is also more convenient and less prone to error, as all files are encrypted automatically.
Cons: If you experience any corruption on your drive, it may be more difficult or even impossible to retrieve that data.
Methods to Try
To encrypt your whole drive, or individual files, try VeraCrypt (Windows/Linux/macOS) or GNU Privacy Guard (Windows/Linux/macOS). Programs such as MS Office and Adobe also offer file-level encryption. These programs are recommended when there are few files to encrypt. To encrypt and compress files you are going to be sending over the internet, try 7-Zip. UWinnipeg's Information Privacy Office provides more guidance on password protection and encryption.
NOTE: When data requires encryption, it can be easy to make the mistake of encrypting some copies of your data but not others. Be sure to encrypt all copies of your data, including backups and data stored on mobile devices such as cell phones.
Cloud services store and share data by keeping it on remote servers accessed from the internet. Cloud services can be public or private. While any use of cloud services comes with some inherent risk, the risks for public and private servers are different. Some main differences include server location, server control, and attack surface. With public cloud storage, data is stored in servers that could be anywhere in the world, and is thus subject to that country's laws. With private cloud services, your data is stored in local servers. Private companies control public cloud services and the data that is stored there. Access to data stored in private cloud services such as NextCloud is controlled by UWinnipeg. Finally, public cloud services have sprawling infrastructure with many different points where an unauthorized user could attempt to extract data; in some cases private services are less open to such attacks. Whether and what cloud services you can use will depend on the risk level of your data.
Public Cloud Services
Examples: Google Drive, Dropbox, iCloud and OneDrive
If you must use these services, use them for only the lowest risk data.
Private UWinnipeg Endorsed Cloud Services
Examples: Microsoft 365
While these services are more secure than public cloud storage services, they are by no means completely secure. Data should be de-identified before it is uploaded to any of these services, and high-risk data should never be stored in the cloud.
Recommendation: To increase protection for NextCloud accounts, UWinnipeg's TSC recommends using Two-factor Authentication.
The answer to this question is different depending on whether we are talking about a portable storage device that has an internet connection, such as a cell phone, or a device that does not have an internet connection, such as a USB key.
For internet-connected portable storage devices:
Pros: Collecting data on an internet connected portable storage device such as a cell phone can be a good choice because the technology is ubiquitous, familiar, convenient, fast, accurate, portable, and requires low power at a relatively low cost to the researcher.
Cons: Storing data on, or transferring it from, portable storage devices increases the risk of it being stolen or improperly accessed. However, encrypting the device and files reduces the risk of a data breach. Smart portable devices such as Google or Apple phones or laptops often default to backing up all data to their cloud system, potentially making sensitive data inadvertently available to Google, Apple or a third-party backup provider.
For non-connected portable storage devices:
Pros: Non-connected portable storage devices do not have the same vulnerabilities as internet-connected portable storage devices, while still providing storage and data transfer options.
Cons: Data transfer can be less convenient. Some portable storage devices are easily corruptible and not built for long-term storage, for example inexpensive flash drives. Such devices are often small and easy to lose or break.
Qualtrics is web-based research survey software that offers many advanced, but user-friendly, features. Qualtrics enables users to do surveys, get feedback, and conduct polls using a variety of distribution means. Qualtrics is cloud-based software and has proven to be a versatile resource for our researchers. The company migrated the servers available to University of Winnipeg researchers to Canadian sites to enhance data security. Other survey services should be avoided, particularly those located in the USA, like SurveyMonkey.
Before you share any data collected from human participants in any way, the key is to render that data as low risk as possible, for instance, by de-identifying it. Ideally, those collecting the research would remove all identifying personal information before the data was shared with research partners at other institutions.
Use the following as general guidance, though always select a method of communicating your data that is consistent with its risk level:
Low risk data: Share data using UWinnipeg email and cloud services, including free personal cloud services (Google Drive, Dropbox, iCloud, OneDrive, etc.).
Medium and High risk data: Share encrypted and password-protected files via UWinnipeg email and UWinnipeg approved cloud services.
Extreme risk data: Share data hand to hand on a password-protected and encrypted data storage device. Maintaining ethical high-risk data transfer between institutions may require individualized strategies. Contact UWinnipeg's Research Data Management Librarian for more information.
When it comes to connectivity, computers at UWinnipeg fall into 3 categories: computers that connect to the Internet wirelessly, computers that connect via wired networks, and computers with no internet connection at all. These three different kinds of computers also represent three different levels of data security. Wireless connections are the least secure. Wired network access is more secure than wireless. Finally, using a computer that is not connected to the internet is the most secure way to store your data.
Adapted with permission from Chandra Kavanaugh.