What should I think about when working with sensitive personal data at UPPMAX?
The advice on this webpage is intended only as a well-intentioned guide for general consumption. If you experience any doubt, contact your local data security officer from the list below.
Data security officers at selected universities
General guidelines and tips
- If you are not engaged in research under Uppsala University, you need to establish a Personal Data Assistance Agreement (PUBA) in order to work with sensitive personal data on our systems. Read more here.
- If you are working with sensitive personal data, you must perform a Data Protection Impact Assessment (DPIA). See Datainspektionen's guide. The French authority CNIL provides a great open-source tool for carrying out a DPIA.
Moving data into or out of Bianca securely
- Move sensitive data from a secure place to a secure place directly, using a secure protocol (sftp, scp, https). Do not copy sensitive data onto an unprepared laptop or storage device as an in-between step.
- Don't keep data lying on the Wharf.
- If you need quota to be adjusted in order to work, contact support and be specific — which project, do you need backup or nobackup space, how many TB, how long, and why.
Moving data between projects on Bianca
- Moving data to a project grants access to that data to all members of the project. Make sure that you do not grant access to people who should not have it.
- Consent is usually granted for a limited set of activities/investigations for a dataset. Remember not to go beyond those boundaries.
- Don't keep data on the Wharf.
Handling membership in projects
- Be restrictive. Only people with an actual need for access to the data should be given access.
- Remember to implement proper security procedures in your group (as per your Data Protection Impact Assessment; see Datainspektionen's guidance).
- If you are working with people from government agencies other than your home institution, do you need a PUBA with them?
- Besides system administrators, most support staff have no access to project data except through ordinary membership.
- Don't include sensitive data in communications with support (which go through unencrypted email).