Rules and guidelines for research data
Information security - practical advice for a higher level of data security:
- Personal equipment used for storing and managing information should be protected from unauthorized access and kept under watch.
- Software should be kept updated.
- When using a USB flash drive for storage, data should be encrypted.
- Don’t keep the password written down close to your computer.
- Save important data in at least two different locations with good security.
- Information in an e-mail is as open as information on a postcard.
Research data and good research practice
Good research practice is an approach that is to permeate the entire research process. An example of good research practice related to research data is that before collecting personal data, you carefully design your study, calculate how many individuals need to be included to answer the scholarly question to be addressed and ensure that you have the appropriate permissions. Another example is providing appropriate metadata along with data that are to be shared. With adequate metadata, data can be found, reused and referenced.
Read more about good research practice and research ethics at Uppsala University.
Limitations of data sharing
With some types of data, you may need to consider whether the data can be shared at all, whether the sharing needs to be limited or whether parts of the data need to be erased before publishing.
Such considerations should take place in the following cases:
- When the data contain material that is subject to statutory secrecy or contractual secrecy commitments. Statutory secrecy applies, for example, to national security and information that could harm a company’s competitive position if it was disclosed.
- Material containing personal data – that is, any kind of data directly or indirectly attributable to a living, natural person.
- If the data contain material that is copyrighted by someone else.
- If there is a lack of ethical permission or if consent to the sharing of data has not been obtained by the participants in the study.
Personal information in data
Research data containing sensitive personal information need to be anonymised before being published or shared. This is done by removing information that identifies the person contributing data. Nor should it be possible to identify someone by compiling different data which, individually, do not identify anyone.
If you anonymise data, all identifiable personal data are removed, making it practically impossible to connect data to individuals. The General Data Protection Regulation (GDPR) also refers to pseudonymisation, which is defined as “processing of personal data so that the personal data can no longer be attributed to a specific data subject without the use of supplementary information”. In practice this means that the personal data are encoded so that supplementary information is required to recreate the original information. The supplementary information must always be kept separate from the encoded information.
Retention and deletion of data
A lot, but not everything should be saved, so after concluding a project, it is important that researchers delete documents that are temporary and of little importance (guideline in Swedish). Uppsala University Archive has more information on deletion and retention.