Data storage guide - Kunnskapsbasen
Data storage guide
Norsk versjon - Lagringsguide
Topic page about information security | Pages labeled with information security
The tools and solutions presented in this guide are intended for active storage and processing of data in ongoing research projects.
If you are in need of archiving or publishing of data at the end of your project, see information on Research data repositories. Information about digital tools for collecting and processing personal data can be found on the Data collection wiki.
Information about storage in connection with teaching and administrative tasks can be found on the topic page about storage and collaboration.
How to choose the right storage location?
To choose an appropriate storage solution for your data, aspects you should consider include:
- The need for data protection: level of confidentiality
- Who needs access to the data
- The amount of data to be stored
We recommend that you use storage solutions that are provided by NTNU and that are presented in the table below. These solutions ensure access control and automatic backup of your data. This way you avoid unauthorized changes and data being lost or destroyed.
Using physical media such as a PCs, memory sticks or external hard drives as primary storage location is not recommended. If such use cannot be avoided, familiarize yourself with the guidelines at the bottom of this text.
Assess the data protection requirements - classification of information
Everyone handling data in research projects at NTNU is obliged to familiarize themselves with NTNU's Policy for Classification of Information Assets.
If the project involves processing of personal data, you must also familiarize yourself with the Policy for processing of personal data. Also remember that linkage keys should always be stored in a separate area, and never together with the research data.
Classification of data is a prerequisite for choosing the right storage solution and should be done by the project manager. All project participants must manage data according to the classification. NTNU's policy for information classification applies to all types of data processed at NTNU.
The policy describes classification with regards to Confidentiality, Integrity and Availability (CIA). The integrity and availability of the data will be well safeguarded if you use one of the solutions presented in the tables below. It is mainly confidentiality that each research project should considered when classifying research data.
At NTNU, the following classification level - and the following color coding - is used for confidentiality:
🟢 (green) - Open
🟡 (yellow) - Internal
🔴 (red) - Confidential
⚫ (black) - Strictly confidential
For more information on classification, see the section “Support for classification of research data” below.
Overview of storage solutions at NTNU
The table below provides an overview of various recommended solutions at NTNU for storing and processing research data. The services are available to all users at NTNU, but access must be requested for some of the solutions.
You can read more about the various services and platforms by clicking on them.
Recommended storage services
Approved classes | Best suited for | Less suited for | Storage quota | Access and collaboration | |
NTNU research storage (forskning.it.ntnu.no) | 🟢Open 🟡Internal | Large amounts of research data and for collaborations across departments and units at NTNU | External collaboration | On demand Costs may incur in the future, in particular for large quotas | Storage service available for NTNU users, for research projects and internal collaboration. Send request in NTNU Hjelp. |
NTNU Shared network directory (T:) | 🟢Open 🟡Internal | Large amounts of research data and for collaborations within each department or unit | External collaboration | On demand | The shared directory is available for all employees, students can get access if necessary. Use NTNU Hjelp for requests, |
Microsoft OneDrive | 🟢Open 🟡Internal 🔴Confidential* | Personal storage and processing of Microsoft 365-documents (Word, Excel, PPT). | Collaboration projects. Processing of confidential data, as well as larger files (> 5 GB) for example images and video. | 50 GB as standard Possible to request increased quota from NTNU IT | Personal storage service for all employees and students. Possible for each user to shade individual files or folders with others. |
Microsoft Teams (Sharepoint) | 🟢Open 🟡Internal 🔴Confidential* | Collaboration, especially with data and files in Microsoft 365-format. | Processing of confidential data, as well as larger files (> 5 GB) for example images and video. | On demand | Available for all employees and students. Storage in shared locations where users can manage sharing and access. |
NTNU NICE-1 - Storage with shielding | 🟢Open 🟡Internal 🔴Confidential ⚫Highly confidential* | Storage of data with need for protection. Collaboration internally at NTNU. | Large amounts of data (>10 GB). External collaboration Cannot be used with virtual desktop (VDI). Cannot be used by students with confidential data and private computers. | 10 GB Possible to increase quota | Available for employees and students at NTNU by request. Se information on the NICE-1 wiki. |
HUNT Cloud | 🟢Open 🟡Internal 🔴Confidential ⚫Highly confidential (X) | Storage of data with special need for protection. Processing of data within secure project areas, eg. health data. | Open and internal data that can be stored elsewhere for with cost and easier access. | By demand Costs based on use. | Available for research projects on request. See information in HUNT Cloud. External collaboration with partners outside NTNU possible. |
TSD (Services for sensitive data) - service from UiO, NTNU has a collective agreement | 🟢Open 🟡Internal 🔴Confidential ⚫Highly confidential | Storage of data with special need for protection. Processing of data within secure project areas, eg. health data. | Open and internal data that can be stored elsewhere for with cost and easier access. | 1TB is standard for each project area. NB! User payment will be introduced from 2025. | Available for research projects on request Se guidance on wiki for TSD. External collaboration with partners outside NTNU possible. |
* Data can be stored if encrypted. Read more on how to encrypt Microsoft 365 documents or other files with 7-Zip.
(X) Risk level is assessed individually, see more information on HUNT information pages.
Alternative solutions
The table below gives an overview of alternative solutions offered by either NTNU or others, and which might be relevant for specific cases or a smaller proportion of users.
Approved classes | Best suited for | Less suited for | Storage quota | Access and collaboration | ||
NTNU Personal home directory (M: and N:) | 🟢Open 🟡Internal 🔴Confidential | Storage of research data in individual student projects | Sharing and collaboration | 10 GB | Personal storage service for all employees and students. No possibility to share or collaborate. | |
NIRD DataPeak og DataLake | 🟢Open 🟡Internal 🔴Confidential* | Users with large data sets and/or with need of HPC for processing data | Smaller data sets that can be stored more efficiently and cheaper in other solutions. | On demand | Costs based on type of project. Availble on request/application. Contact [[https://www.sigma2.no/services-overview | Sigma2]]. |
* Additional security can be offered for storage of confidential data if required
Pilot: object storage via S3
NTNU IT is piloting S3 buckets and can offer such storage for researchers who want to test out object storage. Feel free to contact Research Data @NTNU in NTNU Help if you are curious about this type of storage.
Classification of research data
Most types of research data are usually classified as internal or confidential in the active phase of a research project.
If you are in doubt whether data is internal (yellow) or confidential (red), it should be treated as confidential data.
The class 'strictly confidential' is only used if unauthorized access could cause significant damage and is rarely used for research data.
When should data be assessed?
- Specific needs for data protection must be assessed for each individual research project, and should always be done before starting data collection.
- Note that the assessment may change during the course of the project. The assessment is therefore not static, but depends on the current risk picture at any given time.
- Researchers should reconsider the classification of the project's research data in the final phases of the project. Such assessments will be closely linked to the preparation of data for archiving and possible publication.
Who is responsible for the classification?
- The assessment should be done by the person responsible for the research project, preferably after consultation with others.
- For student projects at bachelor's and master's level, the supervisor is as a rule responsible for the assessment.
- The line manager has the overall responsibility for a classification being carried out.
Where can I get advice and help with the classification?
If you need advice and help in in regards to data classification in your research project, contact Research Data @NTNU in NTNU Hjelp.
If relevant, Research Data @NTNU can also help projects to get started with risk and vulnerability assessments (ROS) for research data.
About open data
The class open data is used for information that can be accessible to everyone without them having special access rights. Such information will not harm anyone or anything, and everyone can have read access.
Examples of open data can be own notes or compiled research data based on already published material or research data that is not exempt from the public: for example species counts, weather data, media reports etc.
About internal data
The internal data class is used for information that should only be available to researchers and staff, or students at NTNU. Internal data can be made available to external parties using controlled access rights.
This class is often used for active research data.
Examples: Unpublished work, information that is exempt from public disclosure, and also many types of personal data related to research projects.
About confidential data
The class confidential data is used if information could harm public interests, NTNU, individuals or partners if it becomes known to unauthorized parties. Confidential data can be made available to external parties using strictly controlled access rights.
This class is used relatively often for active research data, especially in health research projects and projects that process special categories of personal data (also called sensitive information).
Examples: Special categories of personal data, compilation of large amounts of personal data, data that falls under the Export Control Act, data that requires special protection under the Security Act (protected / sensitive data), business secrets.
About strictly confidential data
The strictly confidential class is used if it could cause significant damage to public interests, NTNU, individuals or partners if the information becomes known to unauthorized parties. There are requirements for particularly strict access control also internally within the organization.
This class is relatively rarely used for active research data, but may be relevant in some cases.
Examples: Information affecting national security, information about individuals at a secret address.
Security when processing data
You should always be conscious of data security when processing research data – this includes both the collection/creation, transfer and analysis of data. It is particularly important that the transfer of data (between people or storage devices) takes place in a secure manner and in line with the confidentiality classification of the data. See wiki page on secure transfer of files and documents.
The project manager has the overall responsibility for data security in the project, as well as the rights of the data subjects if the project processes personal data. Everyone working with data in research projects has a responsibility to have control over the data they work on, as well as any copies of research data. The project/research group should establish common routines for backups (if this does not happen automatically), as well as deletion of data - and ensure that these are followed up.
Physical storage media
As a general rule, local, physical storage media should not be used as primary storage location, as such storage entails a risk of unauthorized access, as well as loss and corruption of data. However, it may be necessary to use these to transfer data, or if you are going to travel and/or are offline for a long time.
NTNU guidelines allows only open data to be stored on private machines or private cloud services. However, you can process both open and internal information on a private PC, if you adhere to the specific guidelines. See Guidelines for processing information with private ICT equipment.
The use of encryption and/or password protection of physical storage media is a good preventive measure to limit the scope of damage in the event of a loss. Read about how you can encrypt Microsoft 365 documents or other files with 7-Zip.
You can store and process the following classes on physical storage media:
- NTNU-owned computer - self-administered: you can store and process open and internal data.
- NTNU-owned computer - managed and encrypted by NTNU IT: you can store and process open, internal and confidential data.
- Memory stick/external hard drive: you can store open and internal data, as well as confidential and strictly confidential data if the disk is encrypted.
- Private PC: only open data can be saved. Internal information can also be processed, given certain guidelines.
Please note that some cloud storage services, e.g. Microsoft services can make use of automatic synchronization (mirroring) between the cloud storage and the device from which the service is used (mobile, tablet, laptop).
Deleting files
In any research project, the project manager should have plans and routines for deleting data, as well as a plan for moving to other suitable storage areas in various project phases - and/or archiving services where relevant.
NTNU cannot access data on personal storage areas, including NTNU home area (M:) and OneDrive, on behalf of employees and students. This means that data located here is not available to others (e.g. collaboration partners), and that it will be lost when you leave NTNU or if you become indisposed for various reasons. It is therefore generally recommended not to use these areas for storing research data.
Deleting files from physical storage media
Files on local media are not necessarily deleted if they are placed in the recycle bin. This is how you proceed to ensure that information on external disks is deleted in a responsible manner:
- Windows: Connect the external storage medium to the PC, find the medium, right-click and select Format. Select NTFS file system, make sure that "Quick format" is not selected and click Start. NB: It is important to use full formatting to prevent the information from being recovered.
- MacOS: Connect to external storage media. Open Disk Utility, select device under External, click Erase and select the desired format from the menu. (Use MS-DOS (FAT) for 32GB and less, and ExFat for cards over 32GB unless you have a good reason to choose other formats.) Click Security Options and move the switch all the way to the right before clicking Erase.
For secure deletion of data on other devices (e.g. laptop), contact the Orakel Support Service.
See also
Contact
Contact Research Data @NTNU through NTNU Hjelp if you have questions regarding storage of research data input on how we can make this page better.
Orakel Support Services can help you if you have technical questions or encounter problems with the various storage solutions.