What should I think about when working with sensitive personal data at UPPMAX?

The advice on this webpage is intended only as a well-intentioned guide for general consumption. If you are in any doubt, contact your local data security officer from the list below.

Data security officers at selected universities

Chalmers University of Technology

Göteborg University

Karolinska Institute

KTH Royal Institute of Technology

Linköping University

Lund University

Stockholm University

Swedish University of Agricultural Sciences (SLU)

Umeå University

Uppsala University

General guidelines and tips

General

  • If you are not engaged in research under Uppsala University, you need to establish a Personal Data Assistance Agreement (PUBA) in order to work with sensitive personal data on our systems. Read more here.
  • If you are working with sensitive personal data, you must perform a Data Protection Impact Assessment (DPIA). See Datainspektionen's guide. The French CNIL authority provides a great open-source tool for carrying out a DPIA.

Moving data into or out of Bianca securely  

  • Move sensitive data from a secure place to a secure place directly, using a secure protocol (sftp, scp, https). Do not copy sensitive data onto an unprepared laptop or storage device as an in-between step.
  • Don't keep data lying on the Wharf.
  • If you need quota to be adjusted in order to work, contact support and be specific — which project, do you need backup or nobackup space, how many TB, how long, and why. 

Moving data between projects on Bianca

  • Moving data to a project grants access to that data to all members of the project. Make sure that you do not grant access to people who should not have it. 
  • Consent is usually granted for a limited set of activities/investigations for a dataset. Remember not to go beyond those boundaries.
  • Don't keep data on the Wharf. 

Handling membership in projects

  • Be restrictive. Only people with actual need to have access to data should be given access.
  • Remember to implement proper security procedures in your group (as per your Data Protection Impact Assessment [see Datainspektionen's guidance]).
  • If you are working with people from government agencies other than your home institution, do you need a PUBA with them?

Receiving support

  • Besides system administrators, most support staff have no access to project data except through ordinary membership.
  • Don't include sensitive data in communications with support (which go through unencrypted email).