You must ensure that only authorised people can access, copy or edit your research data. Doing so should mean that data will be safe from unauthorised use and personally identifiable information will be seen only by authorised people. Remember that you are legally responsible for protecting personally identifiable information, when present – in these cases, security becomes a requirement rather than a choice. Under the General Data Protection Regulation, from 25 May 2018, failing to protect this type of data will involve harsh fines and severe reputational damage.

When does security matter?

Data security includes a series of practical measures to protect yourself and the safety and privacy of data subjects (if any are involved) in worst case scenarios. Think, for example, of the following:

• Someone could accidentally delete your research data
• Commercially-confidential data could be leaked outside of your organisation
• Hackers could get hold of your data
• Personally identifiable information could be exposed

Many other similar scenarios exist and we are sure you wish to avoid them. In fairness, it is usually not too complex to set up security measures for a research project.

Data security in practice

We highly recommend the following practices when you manage research data:

• Digital access control: only trusted colleagues should have “write” [1] access to important files and directories. All operating systems and most software let you control access levels and permissions for each user.
• System level precautions: systems used to store and manage data need to be kept secure through a combination of regular patching and security audit. In this day and age, it is unusual for systems not to be connected to a network: these connections must be kept secure through the appropriate use of firewalls and access control technology. For particularly sensitive information, you could consider data safe havens [2], secure file transfer networks such as Safe Share [3] or even storing the data on a totally isolated machine.
• Physical access control: you should ensure that only trusted people can enter the building/area where you hold data.
• Passwords: you should have a strong password [4] controlling access to your computer and any device used in your research. Software to manage passwords may help where you have many of them. CESSDA assembled a few suggestions [5] on password security, which we encourage you to read.
• Encrypted storage and files: it is best practice to encrypt your hard drive, which can be done natively on Windows [6] and Apple [7] systems. You can also decide to encrypt single files, which we recommend when using personal data. When encrypting a file, make sure you never lose the encryption key! As an example, mainstream software such as the Microsoft Office suite allows you to encrypt files with a password when saving.
• Secure file erasing: when you dispose [8] of sensitive data, you should make sure it is fully removed from your hard drive (pressing the delete key to send it to the bin is insufficient). You can achieve this by physically destroying storage devices (often too extreme), or by using software tools. Data stored in the cloud poses another set of problems – it can be difficult to satisfy yourself that data has been completely destroyed.