Research Data Management

Why You Should Care About Security

The security of your data is its protection from unauthorised access. Legal, ethical, and institutional requirements are usually placed on research projects in addition to your own desire for data security.

Legal aspects

The European General Data Protection Regulation (GDPR) protects personal data by defining which aspects are especially sensitive and how researchers and other people can collect or manage such data. While it is European in nature, it also applies to foreign researchers working with European data. The Swiss Federal Act on Data Protection (FADP) also applies to researchers based in Switzerland and Swiss subjects abroad.

Contractual aspects

Your research data management and storage solutions must also respect your contractual requirements. Projects funded by the Swiss National Science Foundation (SNSF) or the European Research Council (ERC) must follow their guidelines. If you use data from a third party, your contract may also include an NDA or additional conditions requiring specific security measures regarding data storage and access.

Ethical aspects

Additional requirements are set by different ethical codes that may apply to your research field. The Research Ethics page created by the Research Office will help you understand them. Beyond human subjects, ethical issues can also make you wary regarding data such as geolocated information on the last specimens of an endangered species that may be targeted by poachers.

What You Can Do With...

Case 1: No personal or sensitive data

Great! Do as you want! No storage solution is excluded for security reasons.

Case 2: Personal data that is not sensitive

If you plan on using cloud services, note that major players are GDPR-compliant, but this still requires you to get informed consent about the storage solution from your subjects. Outside cloud services, you should be fine as long as you do not publish personal information.

Case 3: Sensitive data

Data about religious, political, sexual, medical, or other sensitive issues requires special care:

  • The data should be anonymised as early as possible.
  • The use of cloud services is excluded unless the data is first anonymised or encrypted.
  • The institutional drives of IHEID are validated by the European Research Council (ERC) to hold sensitive data.
  • If using your personal hard drive, it should be encrypted.
  • E-mailing such data is completely unacceptable unless it is anonymised or encrypted.
  • The requirement for informed consent now also includes information about the security of the collected data.
  • Check with a Data Protection Officer (DPO) or the Research Office for precise recommendations regarding your data.

Other Guides You Should Consult

The Institute's Data Protection Officer (DPO) Céline Vilmen has written a guide (in French) about the legal aspects of data protection.

We also have a guide on the many different aspects of digital security and privacy, which also discusses issues of secure data storage.