What should I think about when working with sensitive personal data at UPPMAX?
The advice on this webpage is intended only as a well-intentioned guide for general consumption. If you experience any doubt, contact your local data security officer from the list below.
Data security officers at selected universities
General guidelines and tips
- If you are not engaged in research under Uppsala University, you need to establish a Data Transfer Agreement (personuppgiftsbiträdesavtal, PUBA) in order to work with sensitive personal data on our systems. Read more here.
- If you are working with sensitive personal data, you must perform a Data Protection Impact Assessment (DPIA). See the Integritetsskyddsmyndigheten's guide. The french CNIL authority provides a great open-source tool for carrying out a DPIA.
- What is sensitive personal data? Personal data is any information that can be traced to a living individual person. This data is sensitive when it pertains to certain topics, e.g. health.
- What about pseudonymised or anonymised data? By definition, truly anonymised data cannot be traced to an individual and is therefore not personal data (note that some data cannot be anonymised, e.g. a person's genome). Pseudonymised data remains personal data and must be handled accordingly.
- What KRT classifications does Bianca have? Project directories have 321, and home directories have 322.
Moving data into or out of Bianca securely
- Move sensitive data from a secure place to a secure place directly, using a secure protocol (sftp, scp, https). Do not copy sensitive data onto an unprepared laptop or storage device as an in-between step.
- Don't keep data lying on the Wharf.
- If you need quota to be adjusted in order to work, contact support and be specific — which project, do you need backup or nobackup space, how many TB, how long, and why.
Moving data between projects on Bianca
- Moving data to a project grants access to that data to all members of the project. Make sure that you do not grant access to people who should not have it.
- Consent is usually granted for a limited set of activities/investigations for a dataset, remember not to go beyond those boundaries.
- Don't keep data on the Wharf.
Handling membership in projects
- Be restrictive. Only people with actual need to have access to data should be given access.
- Remember to implement proper security procedures in your group (as per your Data Protection Impact Assessment [see the Integritetsskyddsmyndigheten's guide]).
- If you are working with people from other government agencies than your home institution, do you need a PUBA with them?
- Besides system administrators, most support staff have no access to project data except through ordinary membership.
- Don't include sensitive data in communications with support (which goes through unencrypted email).