Information classification, risk and vulnerability assessment, archiving and storage

Information classification of research data

Information classification of research data in a project is mandatory. This classification affects how data may be stored and shared, and can indicate the severity of, for example, a data breach in a storage solution. It can also inform how the final results can be disseminated: whether they can be directly accessible, only accessible on request or not accessible at all.

How to conduct and document an information classification can be found here (Inforum, Swedish but translation on its way).

Risk and vulnerability assessment

A risk and vulnerability assessment should always be carried out in the planning phase of a research project, including the data expected to be produced/used. Here, different risks can be identified and addressed in the same document, which could be used for funding applications, future ethics applications, etc. Depending on the data the project intends to use, support in carrying it out can be obtained from, for example, the research data advisors, information security officer, the Data Protection Officer, etc.

Here's information on how to conduct a risk and vulnerability assessment (Inforum, Swedish)

Data Protection Impact Assessment (DPIA)

If a research project involves the processing of personal data, the question that needs to be asked is whether the processing poses a high risk with regard to data protection and privacy, but also with regard to other fundamental human rights such as freedom of expression and thought, freedom of movement or prohibition of discrimination. If the answer to this question is ‘yes’, the General Data Protection Regulation dictates that a Data Protection Impact Assessment (DPIA) has to be carried out before any data collection can start.

The purpose of a DPIA is to identify and minimise risks to the rights and freedoms of individuals. Conducting an impact assessment can sometimes also be a requirement from external parties to gain access to sensitive personal data.

More information about Data Protection Impact Assessments can be found here (Inforum, Swedish).

Storage and archiving

Where research data may be stored is dictated by its information classification. Research data must be stored in a secure manner, including back-up and authorization. The university has a requirement to use its resources efficiently, which means, for example, that storage should not take place for longer than necessary in areas that are particularly costly.

Each school might also have specific decisions regarding where research data should be stored. If such decisions exist, it is important that they are known, so that it is easy to understand what applies for the individual research project.

A research project also needs to plan for long-term storage and when it may be possible to delete research data. It is necessary to delete data that can be discarded to enable clarity in the remaining data and also to economise on the university's resources. The conditions for archiving, deletion, etc. will be different in the individual research projects and it is therefore important that this point is addressed in the planning phase.

Detailed information on how to archive research material, including research data, can be found in the guideline Arkivering av forskningshandlingar (ORU 2022/08734) and also on the archive’s internal web pages.

More information on where research data may be stored can be found here (Inforum, Swedish).