Scientific research heavily depends on the exchange of knowledge and information. Today, researchers have several methods at their disposal for research data collection. These methods range from face-to-face interviews, paper questionnaires to more advanced ways, like digital recordings of interviews. All these mechanisms for gathering and storing data constitute particular information security risks.
Data security is critical to protecting confidential information and to respecting the privacy of research subjects. Collected data is indeed valuable to the researchers and organizations alike, but it’s more valuable to the participants. Organizations have the responsibility to keep that data in good hands. In other words, they must protect it against unlawful access or theft, and maintain and share the data in accordance with best practice, and in compliance with legislation.
In this blog post, we explain how to protect research data, and outline major issues with data privacy. We then introduce data security best practices for researchers.
Table of Contents
Data privacy is a central issue for research ethics all around the world, and it is a fundamental human right. According to the European Data Protection Supervisor (EDPS), data privacy is a vital component for a sustainable democracy.
Regardless of the type of research, the researchers have to understand as well as properly follow ethical research principles. Above all, protecting research data also means protecting human rights.
If research data is well protected, and accessible, the end result is going to be efficient findings based on reliable evidence. Researchers themselves get the advantage of good data management. They must plan it before research starts.
The problem here is that scientific researchers are not always up to date with digital communication and do not know how to protect data in research properly. Additionally, they are not well-informed about the best practices of protecting research data. There is a severe risk that data might be compromised as a result of illegal and illegitimate activities from external actors.
Oxford Learner’s Dictionaries defines “digitization” as ‘the process of transforming data into a digital form that can be easily read and processed by a machine. It is no secret that digitization has also changed research. The cost of data processing and storage decreases, processing power climbs up and connected devices escalate.
Researchers usually work in large collaborative networks and need to exchange vast volumes of data at high velocity. All these advancements in computer-based methods present massive challenges concerning the protection of human subjects’ confidentiality and privacy. Ensuring research data security, however, is not a straightforward matter because it entails not only ethical and legal but also technical issues to be handled.
Which principles do you need to know?
The universal, yet the classic definition of information security is brief and simple: Information security is the confidentiality, integrity, and availability (CIA) of information.
In the context of information security, Confidentiality pertains to personal information shared with other individuals in a relationship of trust so that it must not be disclosed to third parties without the express permission of the person. From ancient times, mankind has acknowledged that information is power, and in the current information age, access to information is much more important than ever. Unlawful access to confidential information may have disastrous results within all industries. The main examples of threats to confidentiality are social engineering, insecure networks, malware, and defectively administered systems.
Integrity refers to the trustworthiness, completeness, and correctness of information as well as the prevention of inappropriate or illegal modification of information. In addition, integrity in the information security context pertains not only to the integrity of information itself but also to the origin integrity. This basically means the integrity of the source of information.
Who really needs confidentiality as well as integrity if the authorized users of information cannot access and utilise it? It is true that availability comes last in the CIA triad. But nevertheless, it is as valuable and as crucial a component of information security just as confidentiality and integrity. If a criminal cannot compromise the first 2 components of information security they may try to implement attacks. The main attacks against availability are DoS (denial-of-service) attacks that would bring down the server.
Simply put, confidentiality refers to the prevention of unlawful disclosure of information. Integrity intends to protect that information from unauthorized or unintentional alteration or modification. Lastly, availability means that information is immediately available to authorized users.
Personal data privacy
Privacy focuses on everything that leaves an information trail, whether that trail is digital or not. It is important to understand that it is possible to have security without privacy. However, it is impossible to have privacy without security.
The terms “confidentiality” and “privacy” are often used interchangeably. From a legal viewpoint, they express distinctly different things. While confidentiality is an ethical duty to ensure information is held secretly, privacy is a right rooted in the common law. Briefly, confidentiality is a slimmer concept compared to privacy. In practice, there are several benefits of sustaining confidentiality. For example, it maintains the participant’s dignity and helps build trust between the research participant and the researcher.
With the increasing dependence on the Internet, the protection of research data is now one of the most prominent challenges in research. Given that, it is crucial for researchers to understand these concepts to protect the privacy interests of participants and to preserve the confidentiality of research data.
Consequently, there can be no privacy without security. In other words, it is possible to have security without privacy. However, it is impossible to have privacy without security.
Threats to privacy
Privacy has been a hot research topic in various technology and application domains. The increasingly invisible and pervasive processing of personal data in the middle of people’s private lives gave a rapid increase to severe privacy concerns. Threats to privacy could entail data gathering without participants’ informed consent. It is important that researchers protect research data appropriately from unauthorized access.
Researchers may follow regular precautions like ensuring participants are informed about the fact that their data is being collected and stored on password-protected computers.
Legal requirements in the EU
Collection and processing of personal data are fundamental to the work of researchers. All research should be based on sound data protection standards to build trust and meet the vital regulatory and legal requirements of the General Data Protection Regulation (GDPR).
GDPR came into force in May 2018, and it aims to ensure the free movement of data throughout the EU. Additionally, it details the lawful basis of the processing of data and describes prohibitions for processing specific categories of data, like health data. Recently, we have written about the digitization of healthcare, why it matters, the main challenges it poses to healthcare data, and finally patient data privacy.
Under the GDPR, all researchers need to assure that they understand the legal basis for gathering, using, sharing or otherwise processing personal data of data subjects in the European Union, at all phases, as an essential component of their research plan. Furthermore, the GDPR has particular provisions for scientific research that researchers must remain in compliance with towards the processing of personal data.
The GDPR maintains the equilibrium between the need to adequately protect data subjects’ rights in a digitalized world while enabling the processing of personal data, including sensitive data, for scientific research. While the GDPR embraces new specific provisions to assure adapted data protection in research, the field remains widely governed at the national level.
The security of the research data should be a continued priority for researchers. The following are the tips by Swiss Cyber Institute to maximize the protection of your research data:
- always choose strong passwords, and ensure that nobody has access to your research data;
- embrace the additional layer of security, such as multi-factor authentication;
- keep your operating system as well as software applications updated;
- if possible, encrypt your personal device, as it will reduce the risk to exposure of your research data;
- and make sure that you are making the people, who have access to confidential information, aware of its sensitivity.
While conducting research, robust security provisions must be in place to assure that research data is protected. That’s why researchers must formulate a plan that adequately and lawfully protects their research data from unintended disclosure.