Transfer of personal data to the US no longer permitted
What are the consequences of the Schrems II judgment for personal data management at Uppsala University?
On 2020-07-16 the Court of Justice of the European Union ruled that the European Commission's Privacy Shield adequacy decision is contrary to EU law and is therefore invalid (the so-called Schrems II case on the lawful transfer of personal data to the US). According to the court, the US legal system does not provide protection for EU citizens' personal data that is essentially equivalent to that in the EU, and EU citizens lack access to effective legal remedies there. In short, Privacy Shield can no longer be relied on as the legal basis for transferring personal data to the United States.
Recommendations from the security division:
- Postpone, until further notice, new initiatives that involve transferring personal data to the US or that are built on US cloud services.
- Map existing use of services that may be affected by the judgment.
- Follow developments. More information will be published as soon as it is available. Contact firstname.lastname@example.org if you want to know more.
The goal of information security is to ensure that risks, disturbances and threats directed towards university information resources are identified and handled to minimize negative consequences regarding confidentiality, integrity and availability (CIA).
On this page you will find
1. Guidance and answers to information security questions
FAQ - frequently asked questions regarding information security.
Every employee has a responsibility for information security at the workplace. Some also have additional responsibilities tied to their roles and duties. The links below lead to checklists for the various categories of staff.
- Head of department
- Purchasers/personnel taking part in the procurement of IT-systems and IT-services
- Technical personnel (system developers / operating staff)
- Project leaders, system owners, "e-områdesansvarig" (e-area managers)
2. Guidelines and procedures
A comprehensive guide can be found here (nanolearning)
Risk and threat scenario analyses (rev. 2018-02-13).
Risk analysis provides a structured way to identify factors that might cause disturbances, and helps in choosing between alternative methods of reducing risk.
- Information classification support (PDF) (see also Stöd informationsklassificering, the Swedish version). Appendix 2 (Rev. 2018-02-08).
Information classification is the basis of all information security: to know how to protect information, one must first know what information is being processed. See also our short nanolearning on information classification and analysis, or the presentation from our workshop (2018-03-08).
- Current state analysis / requirements analysis (Kravanalys, Excel). Appendix 3 (Rev. 2018-02-20)
- Consequence analysis (Konsekvensanalys, Word). Appendix 1 (Rev. 2018-01-24)
- Risk analysis (Riskanalys, Excel). Appendix 4 (Rev. 2018-02-12)
- How to handle identified security gaps (Word), previously "Action plan". Appendix 5 (Rev. 2018-06-15)
- Template for information classification (Word). Appendix 6 (Rev. 2018-02-13)
- Flow chart for the steps in information classification and reporting (PDF). Appendix 7 (Rev. 2018-02-12)
- Standard classification of basic information (Word). Appendix 6a (Rev. 2018-04-24)
Rutiner för säker informationshantering (Procedures for secure information handling, including in cloud services) (Rev. 2018-09-17) (Swedish only)
Rutiner för anskaffning och drift av IT-system (Procedures for the procurement and operation of IT systems, including outsourcing / operation run by a supplier) (Rev. 2019-01-09)
3. Web-based courses (nanolearning) and information about security-related courses
- Information security for travelers (online nanolearning)
- In need of a loaner device (if travelling outside the EU)? Contact email@example.com
- Checklist: travel security (PDF)
- All security related courses, including web based ones
Encryption and signing - To send e-mail more securely you can sign your message and encrypt your data. Signing lets the recipient verify that the message really came from you and was not altered in transit; encryption protects the confidentiality of sensitive information. You can encrypt the whole e-mail (see the help section on encrypting e-mail), or encrypt only the attachment that contains the sensitive information (see the help section on encrypted attachments).
Myfiles for file sharing
You can also use myfiles.uu.se to share files and folders with others. Note that myfiles.uu.se is not suitable as an ongoing collaboration area with external parties. Such areas need to be set up behind a proper authentication method to ensure compliance with the regulations on identification.
When you do share with external parties using myfiles.uu.se, remember to
- Limit the access period.
- Only share the files/folders needed in each instance.
- Be careful about which rights you grant.
Using OneNote and/or sharing OneNote notebook:
- Ensure that nothing is saved or stored in a cloud service. Everything needs to be stored locally on your own computer or on a University file server. This includes cached data. Check the settings in your OneNote installation (Options > Save & Backup).
- If you belong to a group that needs to share a notebook: create a notebook exclusively for the group, accessible only to authorized users, in a protected area on a local University file server. Contact the IT Servicedesk if you need a protected area.
4. Data storage
We cannot give an all-encompassing recommendation, as the requirements differ considerably from case to case. Secure storage of research data is a priority at the University, and work is ongoing to develop solutions. In many cases there is a need to share information with a third party. How such sharing should take place differs from case to case and needs to be discussed. At present, the following alternatives may be used:
- The central storage solution (Data portal) Allvis
- Added service data storage (formerly known as Argos)
- Added service Vesta
- Rudbeck IT offers well developed services also available to non-Rudbeck laboratory staff. See https://my.rudbeck.uu.se/guides/Storage, Hints and Guides for more information.
- SUNET Box has been classified as CIA 222 and can be used for information classified 222 or lower in every component (e.g. 221, 122 and other such combinations), unless the information contains personal data. NB! Because of the current uncertainty regarding GDPR and transfers of personal data outside the EU (see Schrems II above), we currently discourage the use of SUNET Box for handling personal data. Contact the security division if you have questions about this.
- Campus management units (intendenturer), departments and centres often have their own solutions on offer. Contact the owner of the service directly for more information.
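The SUNET Box rule above ("222 or lower") is easy to implement wrongly: comparing the three-digit code as a single number would accept 132, even though its integrity level exceeds the service's ceiling. The following Python is an added example, not a University tool, showing a component-wise check together with the personal-data exclusion. The function names, the three-digit C/I/A string format and the sample codes used below are assumptions made for this example.

```python
"""Added example: a component-wise CIA classification gate for a storage
service, using the SUNET Box rule from this page (usable for information
classified 222 or lower, unless it contains personal data).
The three-digit C/I/A string format and all names here are assumptions."""

from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Classification:
    """One level per component, in the order confidentiality, integrity, availability."""
    confidentiality: int
    integrity: int
    availability: int

    @classmethod
    def parse(cls, code: str) -> "Classification":
        # Assumed input form: exactly three digits, e.g. "221".
        if len(code) != 3 or not code.isdigit():
            raise ValueError(f"classification must be three digits, got {code!r}")
        return cls(*(int(d) for d in code))

    def fits_within(self, ceiling: "Classification") -> bool:
        # "222 or lower" means every component is at or below the ceiling.
        return (self.confidentiality <= ceiling.confidentiality
                and self.integrity <= ceiling.integrity
                and self.availability <= ceiling.availability)


# Ceiling stated on the page for SUNET Box.
SUNET_BOX_CEILING = Classification.parse("222")


def sunet_box_allowed(code: str, contains_personal_data: bool) -> Tuple[bool, str]:
    """Return (allowed, reason) for storing information classified `code` in SUNET Box."""
    cls = Classification.parse(code)
    if contains_personal_data:
        # Personal data is excluded regardless of level (Schrems II guidance on the page).
        return False, "contains personal data: use of SUNET Box is discouraged, contact the security division"
    if not cls.fits_within(SUNET_BOX_CEILING):
        return False, f"{code} exceeds the service ceiling 222 in at least one component"
    return True, f"{code} is within 222 in every component"


def naive_allowed(code: str) -> bool:
    """The wrong check, kept for comparison: treats the code as one integer."""
    return int(code) <= 222


if __name__ == "__main__":
    # Constructed sample codes; 132 is the case where the naive check goes wrong.
    for code, personal in [("221", False), ("122", False), ("132", False), ("111", True)]:
        ok, why = sunet_box_allowed(code, personal)
        print(f"{code} personal={personal}: allowed={ok} naive={naive_allowed(code)} ({why})")
```

The naive comparison is included only to make the failure mode visible; the component-wise `fits_within` is the check to use, and any classification with a component above the ceiling, or any personal data, is routed to the security division rather than silently stored.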
Contact the Security and Safety Division for advice and support.
5. Other information
GDPR and information security
- Intro to GDPR, aimed at departments (PDF rev. 2018-05-29)
- Presentation from workshop (PDF rev. 2018-04-20)
- The university page on GDPR
IT security: Information regarding technical security, system configurations, how to protect your computer, malware, how to report IT security incidents etc.
Information - written, spoken, in electronic form, all kinds of research data, examinations etc. - is an asset that, like physical property and personnel, is vital to maintaining the University's activities.