
Information classification, risk and vulnerability assessment, archiving and storage


Information classification of research data

Information classification of research data in a project is mandatory. This classification affects how data are to be stored and shared. The classification indicates the severity of, for example, a data breach in a storage solution. It also informs how the results can be disseminated: whether they can be directly accessible, accessible only on request, or not accessible at all.

How to conduct and document an information classification can be found here (Inforum, Swedish, but a translation is on its way).

Risk and vulnerability assessment

A risk and vulnerability assessment should always be carried out in the planning phase of a research project. This assessment should cover the full duration of the research project, from data acquisition to data archiving (and potential re-use). Here, different risks can be identified and addressed in the same document, which could be used for funding applications, future ethics applications, etc. Depending on the type of data the project intends to use, support in carrying out a risk and vulnerability assessment can be obtained from the research data advisors, the information security officer, the Data Protection Officer, etc.

Here's information on how to conduct a risk and vulnerability assessment (Inforum, Swedish).

Data Protection Impact Assessment (DPIA)

If a research project involves the processing of personal data, the question that needs to be asked is whether the processing poses a high risk with regard to data protection and privacy. Other fundamental human rights, such as freedom of expression and thought, freedom of movement or prohibition of discrimination, are also to be included. If the answer to this question is ‘yes’, the General Data Protection Regulation dictates that a Data Protection Impact Assessment (DPIA) has to be carried out before any data collection can start.

The purpose of a DPIA is to identify and minimise risks to the rights and freedoms of individuals. Conducting an impact assessment is also a requirement from some external parties to gain access to sensitive personal data.

More information about Data Protection Impact Assessments can be found here (Inforum, Swedish).

Storage and archiving

Where research data may be stored is dictated by its information classification. Research data must be stored in a secure manner, including back-up and authorization for use. The university has a requirement to use its resources efficiently, which means, for example, that storage should not take place for longer than necessary in solutions that are particularly costly.

Each school might also have specific decisions regarding where research data should be stored. If such decisions exist, it is important that they are known, so that it is easy to understand what applies to the individual research project.

A research project also needs to plan for long-term storage and for when it may be possible to delete research data. It is necessary to delete data that can be discarded, both to keep the remaining data clear and to economise on the university's resources. The conditions for archiving, deletion, etc. will differ between individual research projects, and it is therefore important that this point is addressed in the planning phase.

Detailed information on how to archive research material, including research data, can be found in the guideline Arkivering av forskningshandlingar (ORU 2022/08734) and on the archive’s internal web pages.

More information on where research data may be stored can be found here (Inforum, Swedish).