Before you determine how best to physically transport your data, you should assess the privacy risk (and where applicable the confidentiality risk) for the data asset(s) you will be transporting. This will help you determine what extra protections you should apply to protect your data while it’s being physically transported.
FGB researchers can borrow portable devices from the TO3 lending service for short-term use. The equipment available for borrowing includes:
If you borrow devices from the TO3 lending service, you are expected to follow the guidance of this document.
Portable devices are easily transported and are regularly used to collect and store data remotely. They include laptops, USB sticks, external hard drives, tablets, smartphones, DVDs, CDs and cameras. Because these devices are portable, they are easily stolen or lost, so it is essential to take extra care when using them. Data should only be stored on these devices temporarily (or, with regard to laptops, data should be removed from the hard drive when it is no longer required); this advice is applicable regardless of the privacy/confidentiality risk category.
Best practices for working with laptops are described in the Security Basics guide. These practices should be applied regardless of the privacy/confidentiality risk for your data. If you are borrowing a laptop from TO3, please note that:
NB: Always use dedicated USB sticks/external drives. Either borrow from Technical Support (TO3) or purchase a stick/drive specifically for your research project. Do not use personal USB sticks/external drives.
Regardless of the privacy/confidentiality risk, all data temporarily stored on these portable drives should have some level of protection; your data are valuable and you don’t want them to be publicly available before you’re ready! This can be done by either encrypting the files on a regular USB-stick or external hard drive, or by storing the data on an encrypted device.
If you use an encrypted device, your options are hardware-encrypted or software-encrypted devices. If your data are “Red” or “Orange”, use hardware-encrypted drives because they may be slightly more secure. Otherwise, the choice is yours. Hardware-encrypted drives can be used on any operating system and they don’t tax your computer’s resources during encryption and decryption; however, they are more expensive, and if the hardware fails, it is much more difficult to recover the stored data. If the loss of your data would be an absolute disaster for your research, a software-encrypted drive may be a better choice. However, if you choose a software-encrypted drive and your data are “Red” or “Orange”, it may be a good idea to add file-level encryption to the data files stored on the device.
Software-encrypted drives are a reasonable option for “Yellow”, “Green” and “Blue” data. They are cheaper and have options available to recover the encrypted data, but they can tax your computer’s resources during encryption and decryption, and their use may be limited to certain operating systems (e.g. some only run on Windows). Be aware: software-encrypted drives are only as secure as your computer is. If your computer is infected with malware or viruses, a hacker can easily access and crack the encryption on a software-encrypted drive through brute force. Therefore, make sure to have virus and malware scanners active on your computer (which you should do anyway).
Data storage on DVDs/CDs should be avoided; if this is your only option, storage on this medium must only be temporary. It is recommended that file-level encryption be used to protect the data stored on DVDs/CDs, regardless of the privacy/confidentiality risk level; such encryption must always be used for “Red”, “Orange” and “Yellow” data. Once data have been transferred to a secure storage option, the DVD/CD must be destroyed.
NB: Always use a dedicated tablet. Either borrow from Technical Support (TO3) or purchase a device specifically for your research project. Do not use personal tablets or smartphones.
Apple products produced from 2013 onwards are encrypted when they are locked by the user. All Android products running 5.0 and up can also be encrypted when locked, but the user needs to activate this encryption. Although encryption is activated when these devices are locked, anyone can unlock them unless the user activates a PIN code or biometric scan (fingerprint or iris scan) for locking and unlocking the device. It is therefore recommended to activate a PIN code or biometric scan whenever you are storing data on these devices. If you are borrowing an iPad or iPod from TO3, please note that:
NB: Always use a dedicated camera. Either borrow from Technical Support (TO3) or purchase a camera specifically for your research project. Do not use personal cameras.
There is no method for encrypting digital cameras. Although SD cards can be encrypted, they cannot be used in a camera if encryption has been activated and there is no way to decrypt the data using a camera. The safest and most convenient option when physically transferring data recorded on a camera is to store the camera in a locked safe (see Analog Data for further details).
Researchers who need to make video recordings can use either iPads or cameras. In general, iPads should be used because a PIN code can be activated to lock and encrypt the device, whereas this is not feasible for camera SD cards. Cameras are only superior to iPads with regard to zooming options and light capture in dark environments. If these features are not important, researchers making video recordings should use iPads with a PIN code. If zooming and light capture are essential to the research project, a safe must be used for storing cameras during transport.
If you borrowed a portable device from VU IT or the TO3 lending service, it is important to permanently remove all of your files from the device as per the instructions from TO3. Any files that are important for research, particularly for archiving, should be stored on an appropriate VU storage option prior to the removal of the data from the portable device. Also make sure to turn off the PIN code or biometric access on tablets/smartphones/iPads/iPods prior to returning them.
Not all data are stored digitally. Analog data (paper notes, bodily materials with identifying labels, cassette recordings, photographs, etc.) may also be sensitive, and these data should still be transported securely and with care. The safest option for storing these materials is in a locked briefcase or a portable locked safe. If these measures are absolutely not possible, it is strongly recommended not to use public transportation for travelling to and from the data collection site, particularly if the data are “Red”, “Orange” or “Yellow” data. Public transportation is, of course, often the only option for many researchers and research assistants. If public transportation must be used, make sure to review the tips below on physically transporting data in a safe manner.
Whether data are physically locked away or locked with encryption, both methods only function to slow hackers and thieves down. Locked and encrypted data are never 100% safe, so it’s important to stay alert and not lose the data that you are physically transporting.
If the advice described in this document is not feasible for your research, contact the TO3 technicians as soon as possible to discuss possible alternatives. If they cannot assist you, you can get support from VU IT Security via the Research Data Management Support Desk.