When external institutions process data in Educloud, they are responsible for evaluating which data they can handle in Educloud. However:
- UiO never allows directly identifiable data of a special category in Educloud.
- We recommend that institutions outside of UiO conduct thorough evaluations if red/sensitive data needs to be handled in Educloud, and that they follow similar guidelines.
- Institutions outside of UiO must always have a service level agreement and data processing agreement when using Educloud.
UiO's data classification can be found here
For all processing of personal data, a clear purpose and legal basis must be established, and research projects must be reported to the appropriate channels and should not be initiated until necessary approvals or evaluations are obtained.
The principle of data minimization always applies in Educloud, which means that personal data should not be processed in a more identifying or extensive way than necessary to perform the requested work.
In Educloud you can store the following types of data:
- Open or freely available (Green)
- Restricted (Yellow)
- In confidence (Red): To keep your sensitive information safe, it is important to follow guidelines when working with data classified as "red". Generally, you should avoid storing data that is "redder" on Educloud than on UiO-managed laptops or desktops. Educloud is not suited for working with red personal data that includes any of the special categories of personal data according to GDPR:
  - Race or ethnic background
  - Political, philosophical, or religious beliefs
  - Health information
  - Sexual orientation or behavior
  - Membership in trade unions
  - Genetic and biometric information intended to identify a physical person
Storage of the Link Key
The link key can be stored within the same project provided that:
- The link key is encrypted while it is stored ("at rest").
- It is kept in a dedicated and access-controlled area, ensuring that only authorized users have access.
- For data classified as sensitive ("red data"), the IT department has the option to manage the storage of the password for the encrypted link key, to allow necessary access under controlled conditions.
In all cases, a Data Protection Impact Assessment (DPIA) must be conducted. In research projects at UiO where the risk to people's rights and freedoms is considered high, Sikt will assist with a DPIA.
- The DPIA involves assessing the consequences of the planned processing on privacy, including the impact on the rights and freedoms of those being researched, and identifying measures to reduce the above risks.
For red data that includes at least one special category of personal data according to GDPR mentioned above, a more comprehensive DPIA must be conducted. This must include an assessment of whether the data is:
A. Directly identifiable: In that case, the data must not be stored in Educloud. This typically includes audio, images, video, names, personal identification numbers, or other data (genetic data itself) that identifies individuals and includes at least one of the above categories.
B. Relatively easy to re-identify: In that case, the data must not be stored in Educloud. What counts as "relatively" must be assessed by those with the appropriate expertise, typically the researcher.
C. Pseudonymized data (i.e., there is a key to link the data with an individual): If the researcher(s) have access to the key, it must never be stored in Educloud, and a separate risk assessment must be made of the fact that the researcher(s) have access to the key and of whether the data can still be considered difficult to re-identify. If the researcher does not have access to the key, it must be assessed whether the data is impossible or difficult to re-identify. This assessment is in many ways the same as the assessment in B. One must carefully evaluate whether red data can be stored in Educloud!
If one gets an uncertain result from one or more of the evaluations in A, B, or C, regarding whether the data can or should be in Educloud, one should not use Educloud.
Black data must never be stored in Educloud.
In all cases, one must have a conscious approach to the risks associated with using Educloud, especially for red data. The researcher and the researcher's institution are responsible for data processing, and one must always follow the terms of use for Educloud.
Educloud is much more like a normal laptop/desktop/workstation at a university in Norway than TSD. With this comes a significantly greater risk of unintentional movement, transfer, and sharing of data. Because Educloud is connected to the open internet, it has the following default settings that require users to make their own assessments before taking action, unlike TSD, where the room for action is much more restricted:
- Users can send emails with attachments out of the system, for example via www.uio.no or www.gmail.com.
- Users can send data out of the system through various uncontrolled mechanisms, such as ssh, scp, sftp, https, among others.
- Since a user is given access to all storage areas from all projects the user is a participant in, it is easy to unintentionally move data between projects.
- Since access to the internet is available, one can easily "Google" text strings containing red data.
With these risk factors (which are similar to those of a normal laptop/desktop at UiO), it is essential that research projects, led by the project leader, take a conscious approach to whether Educloud can be used.