How to handle sensitive data

Owned by Berend Dijk, van
30/03/2023
3 min read

Research Drive cannot contain data of category V=3 or V=4 without additional measures to protect the data. Below, some measures are described to protect the data.

We emphasize that the Data Processing Impact Assessment (DPIA) is always the authoritative document that describes what measures are required.

Measures that can be taken in Research Drive are described below:

  1. Encryption

  2. File passwords

General rule: If possible, avoid having to use encryption, because passwords can be lost and encryption software can deprecate. Files are much more durable if they can instead be anonymized or pseudonymized or protected by passwords. If possible, upload only anonymized/pseudonymized data in Research Drive.

Encryption

The data at rest in Research Drive is always encrypted on the server. 

Make sure you have a good understanding of what data must always be encrypted before uploading to Research Drive. Examples are:

  1. Participant databases with contact information - using a password on Microsoft Office documents is sufficient

  2. Files containing information about health, past surgeries, etc  - using a password on Microsoft Office documents is sufficient

  3. Files containing demographic data, race information, political views, religion, sexual life, criminal past and other potential health information. This type of file can be stored on Research Drive without encryption only when they are pseudonymized / not directly traceable to individuals.

  4. Raw images 

How to encrypt data?

  1. Keep it local: don't upload them to Research Drive. If this means you may lose data, don't do this

  2. Passwords: put a password on a Microsoft Office document (e.g., Excel, Word) and keep the password at a separate and safe location. If you lose the password, the data is not accessible any more

  3. Use encryption software to encrypt files, e.g., Cryptomator

Using Cryptomator to encrypt data

Use Cryptomator when you want to encrypt folders containing multiple sensitive files before uploading that folder to Research Drive:

  1. Download and install the most recent version of Cryptomator

  2. Create an encrypted folder (vault). Be sure to create both a password and a recovery key that can be used in case the password gets lost. Save both at a safe location! If you lose them, you cannot access the data any more.

  3. Open (decrypt) the vault. In Cryptomator, select a Vault and click "Open vault". Select the Cryptomator master key file. You will be prompted to fill out the password and afterwards, the folder will open. Note that you need the Cryptomator software to see the files in a normal way. In your file explorer, you will probably only see nonsense files in a folder called 'd'.

  4. Work with vault contents: after opening a vault, the decrypted files will appear in a separate path on your computer (e.g., "Z://"). You can simply copy the path to tools (Matlab, R) or open files from here to work with them. After usage, remember to lock the vault again.

  5. Uploading encrypted folders with rclone works the same way as uploading regular folders!

Using Cyberduck to encrypt data

Cyberduck has in-built functionality to encrypt files using Cryptomator:

  1. In Cyberduck, select the folder in which you want to create the encrypted folder

  2. Right-click and select “New locked vault” (Nieuwe versleutelde safe)

  3. Give the vault a name (remember to put the Project name in there, e.g., “Brainlinks_Neural_data_raw”) and a password. Store the password somewhere safe immediately.

  4. You can now upload folders into this encrypted folder as with normal folders. In the background, Cyberduck will decrypt your encrypted folders automatically (because it knows the password), which is why it looks no different from a normal folder in the Cyberduck environment.

Passwords

Often, using a password on Microsoft Office documents is sufficient to protect the data.

A few options to save and share passwords are:

  • Always use a password manager!

    • E.g., Lastpass stores your passwords in a vault in the cloud (behind 1 master password). It can also store secure notes (such as Cryptomator recovery keys) and allows sharing passwords with others (premium version: Network center > Share item).

  • Shared storage at the university (Teams, J-drive): make sure that the folder is secured, backed up and only accessible to those who are allowed to decrypt the data

  • You can share passwords via SURFfilesender: per password and recovery key, create a .txt file. Send the .txt file via SURFfilesender and make sure a password is required to download the file(s). Send the password to download the files to the receiver(s) via another way (e.g., mail or text message).

Do not store passwords locally on your PC: when your PC is hacked, hackers may have access to the passwords. When your PC / drive crashes, or you lose your PC, the passwords may be lost.