Before you determine which digital data transfer option to use, you should assess the privacy risk (and where applicable the confidentiality risk) for the data asset(s) you plan to transfer. This will help you to determine the most appropriate and secure method for your data.

The following guidance is applicable to most collaborative situations, however, if you are working with and sharing data with students or research interns, make sure that additional precautions are taken to protect the data.


Red Data

  • If a research partner or team member needs access to the data, add the user who needs access via Research Drive. Make sure the added user knows how to work safely in Research Drive and ensure that they only have access to the files that they need to see. Also ensure that they have appropriate access rights. Finally, the new user will need to install whichever encryption software has been used to protect the data on their own computer in order to de-encrypt the data. Make sure to securely provide the new user with the password to de-encrypt the data (i.e. not via e-mail).
    • Do not share red data via a public link in Research Drive.
  • If data must be digitally transferred and Research Drive isn’t appropriate for your purposes, use ZIVVER or SURFFileSender (with encryption activated) to encrypt the data during transfer. Make sure to use a strong password to protect the encrypted file. Always provide the recipient with the password via another method (e.g. call the recipient to provide the password). Don’t send the password in another e-mail.
    • This guide provides information on using ZIVVER to obtain informed consent digitally, but it also explains how to set up and use ZIVVER for other situations where digital data transfer is necessary.
    • The recipient of the data must ensure that they will store the received data in a sufficiently secure manner.
  • If the above options are not feasible, contact the Research Data Management Support Desk for additional support from IT Security.

Orange Data

  • If data are stored in Research Drive and a research partner or team member needs access to the data, this user can be granted access via Research Drive. See “Red Data” for details.

    • Do not share orange data via a public link in Research Drive.
  • If data are stored in SURF Drive and a research partner or team member needs access to the data, they can be provided access via SURF Drive. Any user that can log into SURFconnext can be given access to a SURF drive file. Make sure the added user knows how to work safely in SURF drive and ensure that they only have access to the files that they need to see. Also ensure that they have appropriate access rights (i.e. whether they can only read files or also modify and/or upload files). Finally, the new user will need to install whichever encryption software has been used to protect the data on their own computer in order to de-encrypt the data. Make sure to securely provide the new user with the password to de-encrypt the data (i.e. not via e-mail).

    • Do not share orange data via a public link in SURF Drive.
  • If data need to be transferred to a third party, you can use ZIVVER or SURFFileSender with encryption activated. See “Red Data” for details.

  • If the above options are not feasible, contact the Research Data Management Support Desk for additional support from IT Security.

Yellow Data

  • If data are stored in SURF Drive or Research Drive and a research partner or team member needs access to the data, they can be provided access via SURF Drive/Research Drive. Any user that can log into SURFconnext can be given access to a SURF drive file; for Research Drive, this guide explains how to add users, including those without SURFconnext login capabilities. Make sure the added user knows how to work safely in SURF drive/Research Drive and ensure that they only have access to the files that they need to see. Also ensure that they have appropriate access rights (i.e. whether they can only read files or also modify and/or upload files).

    • If absolutely necessary, yellow data may be shared in Research Drive or SURF drive via a public link, but that link must be secured with a password that is provided to the recipient via another method (i.e. not via e-mail). It is also advised to set an expiry on the link after which the recipient can no longer access the files. The link should be deleted once the recipient no longer requires access.
  • If data need to be transferred to a third party, you can use ZIVVER or SURFFileSender with encryption activated. See “Red Data” for details.

  • If the above options are not feasible, contact the Research Data Management Support Desk for additional support from IT Security.

Green Data

  • If data are stored in SURF Drive or Research Drive and a research partner or team member needs access to the data, they can be provided access via SURF Drive/Research Drive. See “Yellow Data” for details.

    • If you use a public link, it’s still a good idea to secure it with a password. At a minimum, make sure to set an expiry on the link after which the recipient can no longer access the file
  • Data may also be sent via internal VU e-mail without encryption. If data need to be sent to a recipient without a VU e-mail address, it is advised to use SURFFileSender, preferably with encryption, although this isn’t as crucial as for higher risk data. Note that even without encryption, SURFFileSender allows for more management of the transfer: you can put an expiry date on the transfer after which the tranfer link is no longer valid and if you accidentally send the transfer to the incorrect recipient, you can removed the transferred file via SURFFileSender before the recipient downloads the file.

  • If the above options are not feasible, contact the Research Data Management Support Desk for additional support from IT Security.

Blue Data

  • Although “Blue Data” are not subject to privacy or confidentiality laws, it is still recommended to prevent their diversion to unauthorized individuals because your data are valuable and you don’t want them to end up publicly available before you are ready (you don’t want to get scooped!). It is, therefore, advised to at least follow the recommendations described under “Green Data”, as these methods help to prevent the diversion of transferred data and allow you to delete links and files should data be transferred to the incorrect individuals.
    • With “Blue Data”, it is up to you whether you require passwords for your transfer methods; there’s no harm in using passwords here, but it is also not as imperative as for higher risk data
  • If the above options are not feasible, contact the Research Data Management Support Desk for additional support from IT Security.