Most departments within the FGB take on students for research internships or as temporary research assistants. When students work with research data, the confidentiality of the information, the privacy of the research subjects and the overall security of the data are at risk if students are not taught how to correctly manage and protect this research data. First determine the privacy risk categorization for the research data (and where applicable the confidentiality risk categorization); use this risk category alongside the following principles to determine the best methods for your students to safely manage and work with research data.

Nondisclosure Agreements

Students that are working with “Red”, “Orange”, “Yellow”, or “Green” data must sign a nondisclosure agreement (sometimes called a confidentiality agreemnt) before starting their research. For students conducting research solely under the supervision of the VU, a template agreement can be obtained from your section or department head, who will also sign it on behalf of the FGB director of operations. If the student is working at another institution where all data collection and data storage will take place, and the role of the VU is solely supervision of the research internship, then the other insitution is responsible for setting up an appropriate agreement with the student.

If the VU and another institution are both responsible for the data that the student will work with (i.e. data collection and/or storage happens at both the VU and the other institution) then the student must sign agreements with both the VU and the other institution. It is advised that the supervisor review the FGB template agreement in such a situation to ensure that there aren’t any issues impacting collaboration with the other institution; if there seems to be a problem, contact IXA for advice.

Providing Data

When providing research data to students, ensure that you use an appropriate method, based on the privacy and/or confidentiality risks, to either digitally transfer the data or physically provide the data (e.g. with an encrypted USB-stick).

Data Storage Considerations

Although the VU offers many data storage options, not all of these options are available to students. The following provides guidance on data storage options for students with consideration for the privacy and confidentiality risks to the data. The focus of this section is to describe solutions for data storage while a student is processing and/or analysing data. If students will be involved in data collection, see the relevant section below.

NB: The research data used in a research project can have a variety of risk categories: the raw data may be “Red” data, but the processed data may be “Yellow” or “Green”. It is recommended whenever possible to first process the data that will be provided to a student to reduce the risks as much as possible. De-identification methods can also be used, where appropriate, to reduce the risks in the data provided to students.

Red data

  • It is strongly recommended that students work with “Red” data on location at the VU on VU workstations under supervision of the student’s supervisor. The data should be stored on Research Drive and accessed via WebDAV or Cyberduck as discussed in the Secure Storage Guide.

  • In the event that it is not possible for a student to work onsite at the VU (for example, due to a massive pandemic), and it is absolutely necessary for the student to have access to these data, consider options that allow access, but avoid the local storage of the data on the student’s personal computer:

    • If the data are stored on Research Drive, the student can be added as a user and given appropriate access rights. Ensure that the student knows how to access the data via WebDAV or Cyberduck so that the data remain on Research Drive and are not downloaded to the student’s own computer.
    • If the above solution is absolutely not feasible, a hardware-encrypted external hard drive, protected with a strong password should be used for the storage of the data; the data must not be copied to the student’s local hard drive. This solution should only be used for temporary storage. As soon as the student no longer requires access to the data, a copy must be securely transferred to the supervisor and the data must be permanently removed from the external hard drive (or the external hard drive must be destroyed).

  • In the extreme case that a student must work from home with “Red” data:

    • The data must only be stored on the encrypted external hard drive
      • Back-up suggestions to prevent data loss are described below
    • They need ensure that the data are not viewed by others, such as roommates or family members, and they must not work in public spaces
    • They should not use public Wi-Fi while working with these data and even when working from home, they should activate eduVPN
    • They must ensure that their computer has active virus and malware scanners
    • If the student is using a laptop, they must also follow the best practices for working on laptops.
    • They will need to download the appropriate encryption software to de-encrypt the provided data (because these data must be stored on Research Drive with encryption)
Orange data
  • The recommendations for “Red” data should be applied to “Orange” data whenever possible. There are, however, additional storage options are available for this type of data.
    • Students unfortunately cannot be added as users on SURF Drive folders. Generally, “Orange” data should not be shared via a public link, however, you may share “Orange” data with students in this manner as long as the link is sent to the student’s VU e-mail address using a strong password to protect the link and a short expiry date. The student will need to download the data from the public link directly to a hardware-encrypted external hard drive, as described above for “Red” data. Once the student has the data, the public link should be deleted.
    • If the data are stored on the Group Drive, a student cannot directly be given access, but the supervisor can request access via a functional account. The IT Servicedesk should be contacted for support in setting up access for the student as well as for setting up remote access for the student should they need to work from home.
    • If the data are stored on SciStor, a student can be provided with access. Contact IT for Research for support with setting up access, including if the student needs to work from home.
  • If a student must work from home with “Orange” data:
    • The data must only be stored on the encrypted external hard drive
      • Back-up suggestions to prevent data loss are described below
    • They need ensure that the data are not viewed by others, such as roommates or family members, and they must not work in public spaces, other than the VU campus. If on campus they should avoid busy areas.
    • They should not use public Wi-Fi while working with these data and even when working from home, they should activate eduVPN
    • They must ensure that their computer has active virus and malware scanners
    • If the student is using a laptop, they must also follow the best practices for working on laptops
    • They will need to download the appropriate encryption software to de-encrypt the provided data if the data are stored on SURF Drive, the Group drive or SciStor.
Yellow data
  • Students working with “Yellow” data may store these data directly on the hard drives of their own computers, however, they should still follow good practices when working with personal computers:
    • The data must not also be stored on WeTransfer, Google Drive, DropBox etc.
      • Back-up suggestions to prevent data loss are described below
    • They need ensure that the data are not viewed by others, such as roommates or family members, and they must not work in public spaces, other than the VU campus
    • They should avoid using public Wi-Fi while working with these data; if this cannot be avoided, eduVPN should be activated
    • They must ensure that their computer has active virus and malware scanners
    • They must activate Full-Disk Encryption
    • If using a laptop, they must also follow the best practices for working on laptops
Green and Blue Data
  • Students working with “Green” and “Blue” data may store these data directly on the hard drives of their own computers, however, they should still follow good practices when working with personal computers:
    • The data must not also be stored on WeTransfer, Google Drive, DropBox etc.
      • Back-up suggestions to prevent data loss are described below
    • If public Wi-Fi needs to be used while working with the data, eduVPN should be activated
    • If using a laptop, they should follow the best practices for working on laptops

Back-ups and Returning Data

If a student cannot be given access to a VU storage option and they must, therefore, store the data on an encrypted external hard drive or on their computer’s hard drive, there will be an increased risk of data loss. The supervisor should make a back-up plan with the student in this case. The data should be securely transferred to the supervisor in a similar method to how the data was provided to the student, and the supervisor should store the data on an appropriate VU storage option. It is up to the supervisor as to how often the data need to be backed up (at a minimum, once per month); back-ups should happen more frequently for data that will be used for research publications and for data that are extremely valuable and not easily replaced.

When the student has completed working with the data, they need to return the data to their supervisor via an appropriate method and then permanently remove the data the external hard drive or the computer’s local hard drive. This applies to all data regardless of the privacy/confidentiality risk.

Data Collection Considerations

Students may also be tasked with collecting raw data for a research project and physically transporting the data to the VU for storage. These students require guidance from their supervisors on how to securely transport these data. Advice on how to securely transport data can be found in this guide; students are expected to read the relevant sections of this guide, particularly the general tips. The researchers responsible for these students should also provide the students with clear instructions specific to the research project so that they know exactly what is expected of them. If a data collection process is particularly complex and/or there are many people responsible for data collection, it is recommended to document a data collection protocol which everyone on the research team can refer to as needed.

Data Documentation

Regardless of the privacy or confidentiality risks posed by the research data, students are expected to document all of their work, particularly any code that is used to process and analyse the data. Students involved with data collections should be instructed on any relevant information that should be documented about the data collection process, for example, in logbooks.

Documentation is important for ensuring the integrity and quality of the research data, which is especially important if the data students are working with data that will be used for future research publications. At a minimum, good documentation by students will assist their supervisors in understanding and reviewing the data at the end of the internship.

Suggestions and Support

It is recommended that students read the Security Basics.

For basic IT support on setting up (remote) access to VU networks for students, contact the IT Servicedesk.

For faculty-level support, contact the Technical Support for Research (TO3) Helpdesk. They can provide equipment for short-term data collection and storage, and if given sufficient notice, they can develop solutions for more complex research projects.

If the recommendations of this guide are not feasible, contact the Research Data Management Support Desk; they will bring you into contact with the relevant specialists in IT who can develop an alternative solution.