Data security

Things to know

When handling personal data or sensitive business data (e.g. financial data, contracts, school management documents), the law stipulates special protection.

Personal data

Business data

Business data is subject to the regulations on storing business documents (Art. 81, Financial Regulations of the ETH Zurich (RSETHZ 245); Directive on the Archiving and Destruction of Business Documents, RSETHZ 245.5).

Loss of such data can significantly hamper ETH Zurich in meeting its legal provisions. Such data must therefore be protected, in particular by technical means (Art. 14-15, ETH Zurich Acceptable Use Policy for Information and Communications Technology (“BOT”) and Appendix).

Research data

The handling of research data is also subject to legal provisions: Guidelines for Research Integrity and Good Scientific Practice at the ETH Zurich

Third party requirements

Research funding institutions (SNF, CTI, EU, etc.) also lay down requirements for data management. This may concern, for example, Open Access or data management plans.

Secrecy

For the exchange of certain data, the parties may agree that the data is to be kept confidential. For this purpose, a confidentiality agreement (NDA) is concluded in the run-up to the cooperation. It is recommended that research NDAs be submitted to ETH Transfer for review before signing. General questions about NDAs can be answered by the Legal Office.

  • When using personal data in research, the affected persons must be informed of the use of their data and they have to agree to the use (informed consent). This also applies to the collection of biological material.
  • Collecting personal data on the basis of a pyramid scheme is not permitted in principle. This means that it is not allowed to ask one person for other persons' data.
  • Research data have to be stored according to Guidelines for Research Integrity and Good Scientific Practice at the ETH Zurich to ensure the scientific verifiability of the research results.
  • Anyone who stores health-related personal data or biological material for research purposes must protect this data by taking appropriate operational and organisational measures. These include, for example, the restrained granting of access to the data (only where necessary), encryption, or anonymisation (Art. 5 HFV; Art. 18 KlinV). Information can be obtained from the Ethics Commission.
  • If there are no special deletion periods, personal data (e.g. research data under the Human Research Act) must be permanently archived or deleted when they are no longer required for their purpose.

Property of ETH Zurich

In principle, primary data produced by research projects at ETH Zurich remain the property of ETH Zurich. ETH Zurich researchers are not obliged to make the data accessible outside the project team until they have processed, evaluated or published it themselves.

If you are no longer part of the project team

In each research project, a professor, in consultation with the respective project leader, will determine and record in writing which participants are to retain access to the primary data after leaving the project team and for what purposes they may use this data and materials.

Making primary data accessible

After completion of the project and publication of the results, the research results and the corresponding source data should be made publicly available (as long as no confidentiality interests or contractual obligations conflict with this): Open Access Policy of ETH Zurich

Research Data Management and Digital Curation

Secure storage of research data for a predefined period of time and publication of research data including the provision of a Digital Object Identifier.

Scientific IT Services (SIS)

Supporting departments and research groups in scientific computing and handling of research data. SIS offers consulting, technical solutions and services for the management of active research data.

ETH Zurich University Archives

The ETH Zurich University Archives offer advice on records management and the archiving of business documents, and are the contact point for professors facing retirement.

Legal Office

The Legal Office can help with questions on data protection, among other things.

Data management

At the beginning of each project, consider the structure in which data is to be stored and used.

Planning and Structure

Define clear data handling rules within your research or project group and document them in a data management plan. The Data Management Checklist provides important information on this topic.

  • Data (incl. primary data) should be filed with metadata.
  • Classify the data in terms of confidentiality, integrity and availability.
  • Define access rights and give each role (researcher, administrator, supervisor, etc.) only the rights that are really necessary.
  • If necessary, define an encryption procedure.
  • Define a version control system.
  • Define a naming scheme.
  • Storage
    • Use DOIs for permanent storage and identification of data.
      A DOI (Digital Object Identifier) is a serial code for objects such as electronic documents.
    • Serious re-use of other people's research data is only possible if the data is fully documented with its context. Therefore, make sure that such context information is stored together with your data and not scattered in different places.
    • Avoid storing data on offline media (CDs, DVDs, USB sticks, tape), which can be lost, broken or forgotten.
    • Programs and file formats change over time, so it may not always be possible to read old file formats. The Research Data Management and Digital Curation Unit makes recommendations on the suitability of file formats for archiving.

Implementation

  • Stick to the data management plan.
  • Document how data has been prepared or what it contains and for what purpose it can be used.
  • Keep a laboratory journal. Write ReadMes.
  • Document copyrights and intellectual property to verify who holds the intellectual property rights to the data.
  • Control and manage access rights to data and systems. Keep them up-to-date.

Clean up after project end

After completion of the project ensure that data and materials are stored for the period relevant to the subject area and that they are properly destroyed in due time.

Respect data classification

Note the classifications of the datasets (in terms of confidentiality, availability and integrity) with which you work. If the data was provided by third parties, you must also take into account their classifications.

Lock documents away

Keep sensitive physical documents and data media under lock and key.

Encrypt sensitive data and documents

Store sensitive data in encrypted form if you want to ensure that only persons in possession of the key can access it.

Careful handling

Be careful when storing data (physical or cloud-based), deleting data, or uploading data to websites. This will help prevent data you create or use from being inadvertently distributed or published.

Transmit sensitive data only if encrypted

Sensitive personal data, confidential data and other sensitive data may only be transmitted in encrypted form.

Please make sure that one of the following applies:

  • data transmission to the target system is encrypted (https://)
    or
  • the data itself is encrypted, e.g. with WinZip
    or
  • the data is sent with an encrypted email.

Process sensitive data only on trustworthy computers

If you cannot be sure whether the latest security patches are installed on a system, whether an up-to-date virus scanner is running, whether only trusted persons had access, then you should not work with the system, especially not if you want to process sensitive data.

Use storage services

Use a professionally managed storage service (from IT Services or provided by your IT Support Group). This is the best and most reliable way to store your data.

Self-managed storage

If you need (or want) to manage your storage yourself, use network-attached storage (NAS) that uses RAID hard drives. Make sure to always install the latest security updates and keep the NAS in a locked and secure place.

External hard drives

Only use external hard drives if you have separate backup copies. When storing data on an external hard drive, you risk losing data as it may be physically removed or lost.

Private cloud storage

Only use private cloud storage systems hosted by ETH (e.g. polybox).

External cloud services

If no other solution is available, external cloud services can be used for non-sensitive data, provided all superordinate compliance requirements are met. It is strongly recommended that the ETH Zurich Legal Office be consulted.

Support

Your IT support can help you with data storage.

Performing backups

Make sure that backups are performed and inform yourself about the retention periods.

Check recovery

Check sporadically whether you can restore and use the data from the backup.
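
One way to carry out such a check, as an added example that is not part of the original page: record SHA-256 digests when the backup is taken, then compare a test restore against them. The directory names and file contents below are constructed sample data.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return digests

def verify_restore(saved, restored_root):
    """Compare a restored tree against the manifest saved at backup time."""
    got = manifest(restored_root)
    return {
        "missing": sorted(set(saved) - set(got)),
        "changed": sorted(p for p in saved.keys() & got.keys() if saved[p] != got[p]),
        "extra": sorted(set(got) - set(saved)),
    }

def demo():
    """Constructed sample: a restore with one truncated and one missing file."""
    files = {"data/run1.csv": b"t,value\n0,1.5\n1,1.7\n",
             "data/run2.csv": b"t,value\n0,2.1\n",
             "notes/readme.txt": b"units: seconds, volts\n"}
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = os.path.join(tmp, "live"), os.path.join(tmp, "restored")
        for rel, content in files.items():
            for root in (live, restored):
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(content)
        saved = manifest(live)  # digests recorded when the backup was taken
        # Simulate a faulty restore: one file cut short, one file absent.
        with open(os.path.join(restored, "data", "run1.csv"), "wb") as fh:
            fh.write(files["data/run1.csv"][:10])
        os.remove(os.path.join(restored, "notes", "readme.txt"))
        return verify_restore(saved, restored)

if __name__ == "__main__":
    print(demo())
```

Comparing against digests saved at backup time, rather than against the live data, keeps the check valid even after the working copy has changed.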

Using the backup service

  • Use a professionally managed backup service (from IT Services or your IT Support Group). This is the best and most reliable way to back up your data.
  • Approximately 150 terabytes of data are backed up at ETH Zurich every day. The trend is rising. If you expect large amounts of data, contact the IT Support Group in charge so that necessary resources can be planned.

Self-managed backups

If you decide to manage your backups yourself, please keep the following in mind:

  • Backup frequency
  • Retention periods
  • Spatial separation between the respective copies of the data
  • Store backup media in a safe place

Superiors, decision-makers

Define a procedure for how data is transferred in an orderly manner when employees leave the company or change positions internally.

Leaving persons

Before changing your job or project, hand over all business-relevant data and research information to your successor or to your superior.

Encrypted data must either be transferred with the corresponding private key or decrypted and re-encrypted with the key of the successor.