When external institutions process data in Educloud, they are responsible for evaluating which data they can handle in Educloud. However,
- UiO never allows directly identifiable data of a special category in Educloud.
- We recommend institutions outside of UiO to conduct thorough evaluations if red/sensitive data needs to be handled in Educloud and follow similar guidelines.
- Institutions outside of UiO must always have a service level agreement and data processing agreement when using Educloud.
UiO's data classification can be found here
For all processing of personal data, a clear purpose and legal basis must be established, and research projects must be reported to the appropriate channels and should not be initiated until necessary approvals or evaluations are obtained.
The principle of data minimization always applies in Educloud, which means that personal data should not be processed in a more identifying or extensive way than necessary to perform the requested work. In Educloud you can store following type of data:
- Open or freely available (Green)
- Restricted (Yellow)
- In confidence (Red): To keep your sensitive information safe, it's important to follow guidelines when working with data classified as "red". Generally, you should avoid storing data that is "redder" on Educloud than on UiO-managed laptops or desktops. Educloud is not suited for working with red personal data that include any special categories of personal data according to GDPR:
- Race or ethnic background
- Political, philosophical, or religious beliefs
- Health information
- Sexual orientation or behavior
- Membership in trade unions
- Genetic and biometric information intended to identify a physical person
Storage of the Link Key
The link key can be stored within the same project provided that:
- The link key must be encrypted while it is stored ("at rest").
- It must be kept in a dedicated and access-controlled area, ensuring that only authorized users have access.
- For data classified as sensitive ("red data"), the IT department has the option to manage the storage of the password for the encrypted link key, to allow necessary access under controlled conditions.
In all cases, a Data Protection Impact Assessment (DPIA) must be conducted. In research projects at UiO where the risk to people's rights and freedom is considered high, Sikt will assist with a DPIA.
- The DPIA involves assessing the consequences of the planned processing on privacy, including the impact on the rights and freedoms of those being researched, and identifying measures to reduce the above risks.
For red data that includes at least one special category of personal data according to GDPR mentioned above, a more comprehensive DPIA must be conducted. This must include an assessment of whether the data is:
A. Directly identifiable: In such case data must not be stored in Educloud. This typically includes audio, images, video, names, personal identification numbers, or other data (genetic data itself) that identifies individuals and includes at least one of the above categories.
B. Relatively easy to re-identify: In such case data must not be stored in Educloud, and "Relatively" must be assessed by those with the appropriate expertise, typically the researcher.
C. Pseudonymized data (i.e., there is a key to link the data with an individual). If the researcher(s) have access to the key, it must never be stored in Educloud, an