Most departments within the FGB take on students for research internships or as temporary research assistants. When students work with research data, the confidentiality of the information, the privacy of the research subjects and the overall security of the data are at risk if students are not taught how to correctly manage and protect this research data. To determine the best methods for your student(s) to safely manage and work with research data, first determine the privacy risks (and where applicable the confidentiality risks) for the data asset(s) that the student(s) will have access to.

All students are expected to read and understand the Security Basics.

Nondisclosure Agreements

Students that are working with “Red”, “Orange”, “Yellow”, or “Green” data must sign a nondisclosure agreement (sometimes called a confidentiality agreement) before starting their research. For students conducting research solely under the supervision of FGB, a template agreement can be obtained from your section/department head, who will also sign it on behalf of the FGB director of business operations. If the student is working at another institution where all data collection and data storage will take place, and the role of FGB is solely supervision of the research internship, then the other institution is responsible for assessing the need for and setting up an appropriate agreement with the student.

If FGB and another institution are both responsible for the data that the student will work with (e.g. data collection and/or storage happens at both FGB and the other institution) then the student must sign agreements with both FGB and the other institution. The FGB supervisor should review the FGB template agreement in such a situation to ensure that there aren’t any issues impacting collaboration with the other institution; if there seems to be a problem, contact IXA for advice.

Providing Data

When providing research data to students, ensure that you use an appropriate method, based on the privacy and/or confidentiality risks, to either digitally transfer the data or physically provide the data (e.g. with an encrypted USB-stick).

Data Storage Considerations

Although the VU offers many data storage options, not all of these options are available to students. The following section provides guidance on data storage options for students with consideration for the privacy and confidentiality risks to the data. The focus of this section is to describe solutions for data storage while a student is processing and/or analysing data. If students will be involved in data collection, see the relevant section below.

NB: The research data used in a research project can have a variety of risk categories: the raw data may be “Red” data, but the processed data may be “Yellow” or “Green”. It is recommended whenever possible to first process the data that will be provided to a student to reduce the risks as much as possible. De-identification methods can also be used, where appropriate, to reduce the risks as much as possible before providing data to the student.

Red data
  • It is strongly recommended that students work with “Red” data on location at the VU on VU workstations under the supervision of their supervisor. The data should be stored on Research Drive. See the Secure Storage Guide for further details and make sure your student follows the guidance on how to securely access data from Research Drive.
    • NB: Research Drive can only be used for research purposes; it is not intended for student activities that are purely educational. If you are uncertain whether or not your student can use Research Drive, contact the Research Data Management Support Desk for advice.
    • NB2: It is recommended to set up 2-Factor Authentication for students using Research Drive
  • In the event that it is not possible for a student to work onsite at the VU (e.g. an international pandemic), and it is absolutely necessary for the student to have access to these data:
    • The student can be given access to Research Drive as discussed above but, in addition to the guidance in the Secure Storage Guide, particularly the details on how to securely access data, the student must ensure that the data does not sync to their computer’s hard drive, but instead to a hardware-encrypted external hard drive, protected with a strong password. Once the student no longer requires access to the data, the data must be permanently removed from the external hard drive (or the external hard drive must be destroyed).
    • If Research Drive is not used for data storage, the student should use a hardware-encrypted external hard drive, protected with a strong password for the storage of the data; the data must not be copied to the student’s local hard drive. This solution should only be used for temporary storage. The supervisor should discuss with the student how best to back-up the data; suggestions are described below. As soon as the student no longer requires access to the data, a copy of the data must be securely transferred to the supervisor and the data must be permanently removed from the external hard drive (or the external hard drive must be destroyed).
    • Whenever a student must work with “Red” data from home, they must also:
      • Ensure that the data are not viewed by others, such as roommates or family members, and they must not work in public spaces
      • Ensure that they don’t use public Wi-Fi while working with these data; even when using their own Wi-FI they should activate eduVPN
      • Activate Full-Disk Encryption
      • Activate virus and malware scanners on their computer
      • Follow the best practices for working on laptops
      • Download the appropriate encryption software to de-encrypt the provided data
  • If none of the above options are feasible, contact the Research Data Management Support Desk for advice from IT Security.
Orange data
  • The recommendations for “Red” data should be applied to “Orange” data whenever possible. There are, however, additional storage options are available for this type of data.
    • Students unfortunately cannot be added as users on SURF Drive folders. Generally, “Orange” data should not be shared via a public link, however, you may share “Orange” data with students in this manner as long as the link is sent to the student’s VU e-mail address using a strong password to protect the link and a short expiry date. The student will need to download the data from the public link directly to a hardware-encrypted external hard drive, as described above for “Red” data. Once the student has the data, the public link should be deleted.
    • If the data are stored on the Group Drive, a student cannot directly be given access, but the supervisor can request access via a functional account. The IT Servicedesk should be contacted for support in setting up access for the student as well as for setting up remote access for the student should they need to work from home.
    • If the data are stored on SciStor, a student can be provided with access. Contact IT for Research for support with setting up access, including if the student needs to work from home.
  • Whenever a student must work with “Orange” data from home, they must also:
    • Ensure that the data are only be stored on the encrypted external hard drive
      • Back-up suggestions to prevent data loss are described below
    • Ensure that the data are not viewed by others, such as roommates or family members, and they must not work in public spaces, other than the VU campus. If on campus they should avoid busy areas.
    • Ensure that they don’t use public Wi-Fi while working with these data; even when using their own Wi-FI they should activate eduVPN
    • Activate virus and malware scanners on their computer
    • Activate Full-Disk Encryption
    • Follow the best practices for working on laptops
    • Download the appropriate encryption software to de-encrypt the provided data if the data are stored on SURF Drive, the Group drive or SciStor.
  • If none of the above options are feasible, contact the Research Data Management Support Desk for advice from IT Security.
Yellow data
  • Students working with “Yellow” data may store these data directly on the hard drives of their own computers, however, they should still follow good practices when working with personal computers:
    • The data must not also be stored on WeTransfer, Google Drive, DropBox etc.
      • Back-up suggestions to prevent data loss are described below
    • They must ensure that the data are not viewed by others, such as roommates or family members, and they must not work in public spaces, other than the VU campus
    • They should avoid using public Wi-Fi while working with these data; if this cannot be avoided, eduVPN should be activated
    • They must ensure that their computer has active virus and malware scanners
    • They must activate Full-Disk Encryption
    • If using a laptop, they must also follow the best practices for working on laptops
  • If none of the above options are feasible, contact the Research Data Management Support Desk for advice from IT Security.
Green and Blue Data
  • Students working with “Green” and “Blue” data may store these data directly on the hard drives of their own computers, however, they should still follow good practices when working with personal computers:
    • The data must not also be stored on WeTransfer, Google Drive, DropBox etc.
      • Back-up suggestions to prevent data loss are described below
    • If public Wi-Fi needs to be used while working with the data, eduVPN should be activated
    • It is recommended to activate Full-Disk Encryption
    • If using a laptop, they should follow the best practices for working on laptops
  • If none of the above options are feasible, contact the Research Data Management Support Desk for advice from IT Security.

Back-ups and Returning Data

If a student cannot be given access to a VU storage option and they must, therefore, store the data on an encrypted external hard drive or on their computer’s hard drive, there will be an increased risk of data loss. The supervisor should make a back-up plan with the student in this case. The data should be securely transferred to the supervisor in a similar method to how the data was provided to the student, and the supervisor should store the data on an appropriate VU storage option. It is up to the supervisor as to how often the data need to be backed up (at a minimum, once per month); back-ups should happen more frequently for data that will be used for research publications and for data that are extremely valuable and not easily replaced.

When the student has completed working with the data, they need to return the data to their supervisor via an appropriate method and then permanently remove the data from the external hard drive or the computer’s local hard drive. This applies to all data regardless of the privacy/confidentiality risk.

Data Collection Considerations

Students may also be tasked with collecting raw data for a research project and physically transporting the data to the VU for storage. These students require guidance from their supervisors on how to securely transport these data. Advice on how to securely transport data can be found in this guide; students are expected to read the relevant sections of this guide, particularly the general tips. The researchers responsible for these students should also provide the students with clear instructions specific to the research project so that they know exactly what is expected of them. If a data collection process is particularly complex and/or there are many people responsible for data collection, it is recommended to draft a data collection protocol which everyone on the research team can refer to as needed.

Data Documentation

Regardless of the privacy or confidentiality risks posed by the research data, students are expected to document all of their work, particularly any code (a.k.a. SPSS syntax, R script etc.) that is used to process and analyse the data. Students involved with data collection should be instructed on any relevant information that should be documented about the data collection process, for example in logbooks or lab journals.

Documentation is important for ensuring the integrity and quality of the research data, which is especially important if the students are working with data that will be used for future research publications. At a minimum, good documentation by students will assist their supervisors in understanding and reviewing the data at the end of their internships.

Support

For basic IT support on setting up (remote) access to VU networks for students, contact the IT Servicedesk.

For faculty-level support, contact the Technical Support for Research (TO3) Helpdesk. They can provide equipment for short-term data collection and storage, and if given sufficient notice, they can develop solutions for more complex research projects.

If the recommendations of this guide are not feasible, contact the Research Data Management Support Desk; they will bring you into contact with the relevant specialists in IT who can develop an alternative solution.