FGB Security Tips: Digital Data Transfer

Before you determine which digital data transfer option to use, you should assess the privacy risk (and where applicable the confidentiality risk) for the data asset(s) you plan to transfer. This will help you to determine the most appropriate and secure method for your data.

The following guidance is applicable to most collaborative situations, however, if you are working with and sharing data with students or research interns, make sure that additional precautions are taken to protect the data.

Additionally, if data are to be shared with external users (i.e. non-VU employees), ensure that any necessary contracts or agreements, such as data sharing agreements, have been set up prior to sharing. Contact legal@vu.nl for further assistance.

Red Data

It may not be possible to transfer this kind of data digitally. However, if you are already using YODA for the storage of “red” data, the data can be shared with the recipient(s) via YODA.

• You can provide access to the data by adding the recipient to the YODA “group” you manage. Don’t forget: the person added to your YODA group has access to all of the files for that group. If the recipient only needs access to a specific set of data, you must request a separate YODA folder for this purpose. Add the recipient to this new YODA group and ensure that only the data the recipient needs to see is stored in this separate YODA folder.
  • The recipient must have multi-factor authentication (MFA) activated.
    • MFA is not available to external users (users without a VUnet ID) as of early 2023. See the section on “Red” data in the FGB YODA manual for guidance until MFA is available to external users (estimated Sept 2023).
  • The data must be encrypted. Further information on file-level encryption is found here. The recipient must ensure that they are also appropriately encrypting the data on their end, and they must always have full-disk encryption activated on their computer.
  • The recipient must follow the instructions for the appropriate use of Cyberduck for “red” data when uploading and downloading data.
  • Even if the recipient has only been given read-only access, they must agree to delete all files they download from YODA once they are no longer required (unless other agreements have been made).

If YODA is not a feasible solution, contact the RDM Support Desk for further assistance.

Orange Data

YODA

If you are using YODA for the storage of “orange” data, the data can be shared with the recipient(s) via YODA.

• You can provide access to the data by adding the recipient to the YODA “group” you manage. Don’t forget: the person added to your YODA group has access to all of the files for that group. If the recipient only needs access to a specific set of data, you must request a separate YODA folder for this purpose. Add the recipient to this new YODA group and ensure that only the data the recipient needs to see is stored in this separate YODA folder.
  • The recipient must have multi-factor authentication (MFA) activated.
    • MFA is not available to external users (users without a VUnet ID) as of early 2023. See the section on “Orange” data in the FGB YODA manual for guidance until MFA is available to external users (estimated Sept 2023).
  • The recipient must ensure that they always have full-disk encryption activated on their computer.
  • The recipient must follow the instructions for the appropriate use of Cyberduck for “orange” data when uploading and downloading data.
  • Even if the recipient has only been given read-only access, they must agree to delete all files they download from YODA once they are no longer required (unless other agreements have been made).

Research Drive

If you are using Research Drive for data storage and you need to share the data with a research collaborator or research team member, you can add the user who needs access using these instructions.

• Do not share “orange” data via a public link in Research Drive.
• Make sure the added user knows how to work safely in Research Drive.
  • The recipient must have multi-factor authentication (MFA) activated.
  • The recipient must ensure that they always have full-disk encryption activated on their computer.
• Ensure that the recipient will only have access to the files that they need to see. If you give them access to a folder, they will have access to all subfolders within that folder.
• Ensure that the recipient has appropriate access rights (i.e. whether they can only read files or also modify/upload files).
• The “orange” data will, in most cases, be encrypted in Research Drive. Make sure the new user installs whichever encryption software has been used to protect the data on their own computer in order to de-encrypt the data. Make sure to use a secure method to provide the new user with the password to de-encrypt the data (e.g. not via regular e-mail, but either through a phone call or via ZIVVER).

ZIVVER/SURFFileSender

If YODA and Research Drive are not appropriate for your purposes:

• Use ZIVVER
  • Require that the recipient must enter a code that they receive via SMS to be able to read the e-mail.
  • Put an expiry on the message so that after a certain period the e-mail is no longer available to both the recipient and yourself.
  • Further information on the use of ZIVVER is found in this guide.
• Use SURFFileSender
  • Make sure encryption is activated.
  • Make sure to use a strong de-encryption password. Always provide the recipient with the password via another method (for example, call the recipient to provide the password verbally). Do not send the password in another e-mail.
• Require that the recipient stores the received data in a secure manner and that they delete the data once it is no longer required (unless other agreements have been made).

If the above options are not feasible, contact the RDM Support Desk for further assistance.

Yellow Data

YODA

If you are using YODA for the storage of “yellow” data, the data can be shared with the recipient(s) via YODA.

• You can provide access to the data by adding the recipient to the YODA “group” you manage. Don’t forget: the person added to your YODA group has access to all of the files for that group. If the recipient only needs access to a specific set of data, you must request a separate YODA folder for this purpose. Add the recipient to this new YODA group and ensure that only the data the recipient needs to see is stored in this separate YODA folder.
  • The recipient must have multi-factor authentication (MFA) activated.
    • MFA is not available to external users (users without a VUnet ID) as of early 2023. See the section on “Yellow” data in the FGB YODA manual for guidance until MFA is available to external users (estimated Sept 2023).
  • The recipient must ensure that they always have full-disk encryption activated on their computer.
  • The recipient must follow the instructions for the appropriate use of Cyberduck for “yellow” data when uploading and downloading data.
  • Even if the recipient has only been given read-only access, they must agree to delete all files they download from YODA once they are no longer required (unless other agreements have been made).

Research Drive & SURFdrive

If you are using Research Drive for data storage and you need to share the data with a research collaborator or research team member, you can add the user who needs access using these instructions. SURFdrive can also be used to share “yellow” data. Any user that can log into SURFconnext can be given access to a SURFdrive file or folder.

NB: SURFdrive is generally discouraged for ongoing storage of research data (see the Secure Storage Guide for more information). If you are sharing data with research collaborators, Research Drive or YODA are the preferred options.

• If absolutely necessary, “yellow” data may be shared in Research Drive or SURFdrive via a public link, but that link must be secured with a password that is provided to the recipient via another method (i.e. via an SMS or a phone call rather than another e-mail). It is also advised to set an expiry on the link after which the recipient can no longer access the files. The link must also be deleted once the recipient no longer requires access.
• Make sure the added user knows how to work safely in Research Drive or SURFdrive.
  • The recipient must have multi-factor authentication (MFA) activated in Research Drive.
  • The recipient must ensure that they always have full-disk encryption activated on their computer.
• Ensure that the recipient will only have access to the files that they need to see. If you give them access to a folder, they will have access to all subfolders within that folder.
• Ensure that the recipient has appropriate access rights (i.e. whether they can only read files or also modify and/or upload files).

ZIVVER/SURFFileSender

If YODA, Research Drive and SURFdrive are not appropriate for your purposes:

• Use ZIVVER
  • Require that the recipient must enter a code that they receive via SMS to be able to read the e-mail.
  • Put an expiry on the message so that after a certain period the e-mail is no longer available to both the recipient and yourself.
  • Further information on the use of ZIVVER is found in this guide.
• Use SURFFileSender
  • Make sure encryption is activated.
  • Make sure to use a strong de-encryption password. Always provide the recipient with the password via another method (for example, call the recipient to provide the password verbally). Do not send the password in another e-mail.
• Require that the recipient stores the received data in a secure manner and that they delete the data once it is no longer required (unless other agreements have been made).

If the above options are not feasible, contact the RDM Support Desk for further assistance.

Green Data

YODA

If you are using YODA for the storage of “green” data, the data can be shared with the recipient(s) via YODA.

• You can provide access to the data by adding the recipient to the YODA “group” you manage. Don’t forget: the person added to your YODA group has access to all of the files for that group. If the recipient only needs access to a specific set of data, you must request a separate YODA folder for this purpose. Add the recipient to this new YODA group and ensure that only the data the recipient needs to see is stored in this separate YODA folder.
• Make sure the recipient follows the FGB security advice for working with “Green” data in YODA.

Research Drive & SURFdrive

If you are using Research Drive for data storage and you need to share the data with a research collaborator or research team member, you can add the user who needs access using these instructions. SURFdrive can also be used to share “green” data. Any user that can log into SURFconnext can be given access to a SURFdrive file or folder.

NB: SURFdrive is generally discouraged for ongoing storage of research data (see the Secure Storage Guide for more information). If you are sharing data with research collaborators, Research Drive or YODA are the preferred options.

• If you need use a public link to share the data via Research Drive/SURFdrive, rather than providing the user access to the file in the ways described above, it is still recommended to secure this link with a password that you share with the recipient via SMS or a phone call. If you opt not to do so, you should, at a minimum, set an expiry on the link after which time the recipient can no longer access the file. Delete this link when it is no longer needed.
• Make sure the added user knows how to work safely in Research Drive or SURFdrive.
  • The recipient must ensure that they always have full-disk encryption activated on their computer.
• Ensure that the recipient will only have access to the files that they need to see. If you give them access to a folder, they will have access to all subfolders within that folder.
• Ensure that the recipient has appropriate access rights (i.e. whether they can only read files or also modify and/or upload files).

ZIVVER/SURFFileSender/Internal E-mail

If YODA, Research Drive and SURFdrive are not appropriate for your purposes:

• “Green” data may be sent via internal VU e-mail without encryption
• You can use ZIVVER or SURFFileSender. It is not as crucial to use an access code with ZIVVER or encryption with SurfFileSender when sending “green” data, however it is still a good idea to do so whenever possible. At a minimum, you should always put an expiry date on e-mails sent via ZIVVER/SurfFileSender.
  • Further information on the use of ZIVVER is found in this guide.

If the above options are not feasible, contact the RDM Support Desk for further assistance.

Blue Data

Although “Blue Data” are not subject to privacy or confidentiality laws, it is still recommended to prevent their diversion to unauthorized individuals because your data are valuable and you don’t want them to end up publicly available before you are ready (you don’t want to get scooped!). It is, therefore, advised to at least follow the recommendations described under “Green Data”, as these methods help to prevent the diversion of transferred data.

If the above options are not feasible, contact the RDM Support Desk for further assistance.

---

Feedback on this page?

Contact research.data.fgb@vu.nl