Wikier

Processing of information with private ICT-equipment

Detaljer Skriv ut

This wiki describes how to process different types of information with private ICT equipment (such as a private PC) at NTNU.

Norsk versjon - Behandle informasjon med privat IKT-utstyr

Innholdsfortegnelse [-]

  1. Terms and abbreviations
  2. Information classification
    1. About the classification of personal data
  3. Examples of data flows for research data with personal information
    1. Yellow interview data via Nettskjema Diktafon App
    2. Yellow interview data via Zoom
    3. Yellow video data
    4. Red interview data from dictaphone/external recording device
    5. Red video data
  4. Deleting information
    1. External storage media
    2. Deleting files from personal computer

NTNU’s management system for information security and GDPR oblige the organization to have an overview of information assets that are stored and kept at NTNU and to ensure that these are sufficiently secured. As a consequence, private equipment should not be used for storage of information classified as Internal, Confidential or Strictly Confidential. Furthermore, private equipment should not be used to process information in the Confidential or Strictly Confidential classes. Which category a specific type of information belongs to is determined by NTNU's guidelines for classification of information, as well as the wiki page “Classification of files and information”. A typical example of classified information is information containing personal data.

NTNU’s procedures and guidelines require the use of managed NTNU machines equipped with necessary security mechanisms to process classified information. However, situations may arise where classified information must be processed on non-managed devices. This applies particularly to students but may also apply to PhD candidates or others who for various reasons do not have access to a NTNU-managed PC.

It is not always easy to keep track of where data is stored and whether it is stored sufficiently when using various cloud solutions and storage areas. This makes it especially difficult when processing takes place using private equipment. Below you will find information on how to proceed for the most common types of personal data

Terms and abbreviations

AIP: In Office 365 (Word, PowerPoint, Excel, Outlook), it is possible to classify files and documents with labels that trigger technical measures such as encryption and access control. The system is called Azure Information Protection (AIP). Note that the “confidential” label cannot be used in the web version (but can be used with VDI).

Home directory: The home directory (M:) is located on a central server at NTNU. The area is personal and protected by your password so that no one else has access to your files. The home directory is approved for storage up to confidential information (up to strictly confidential with encryption). The disadvantage of using the home directory for storage of data material is that no one else (such as a supervisor) can access it.

Office 365: Office 365 provides students and employees at NTNU with free access to word processing, cloud storage, and collaboration services. Here you will find Teams, Outlook, OneDrive, Word, Excel, and PowerPoint, both for downloading and for use use through your web browser. If you use a private PC, you must be careful not to store any Office files on the PC (they can be stored on Teams).

OneDrive: Microsoft OneDrive is Microsoft’s cloud storage and file sharing service. OneDrive is equivalent to solutions like Dropbox and Google Drive, but automatically downloads a copy to your PC when the file is used. Therefore, OneDrive can only be used for storing personal data if you use VDI (virtual desktop) every time you open files.

Personal data is information that can directly or indirectly identify a person. Directly identifiable personal information includes, for example, name, social security number, email address, phone number, IP address, images, audio recordings, and video recordings. Transcribed interviews are also considered personal data unless all directly and indirectly identifying information has been removed. Indirectly identifiable personal information is background information that can make it possible to trace the information back to an individual, such as workplace combined with information about age, gender, occupation, nationality, etc.

Teams: Microsoft Teams is a cloud-based tool for communication and collaboration in groups but can also be used as a storage area if you cannot store on your own PC. If you create a private team, you can use it for storage with access control.

TSD: TSD is a secure cloud solution with a full set of services for collecting, storing, and analysing research data that requires a high level of security. TSD is developed and operated by USIT at UiO. With TSD, private PCs are not a problem as everything happens in the secure cloud. However, TSD can be technically challenging and is best suited for larger projects.

VDI: Virtual desktop. With VMware Horizon View (Norwegian only) you can connect to a virtual Windows PC and access the programs and files you have stored. The programs you use do not run on your machine but on NTNU servers. When you are logged into a desktop (VDI) or virtual application, no one but yourself will have access to the data you are working with.Through this link (pdf) (Norwegian only) you will get a detailed guide on how to use VMware horizon, which is an app NTNU uses for a virtual desktop. From page [2], you will find the guide for private PC.
This software has different downloads for different types of machines. Follow the instructions in the list and check that the various settings are correct. Then log in with your NTNU username and password. You will then have access to a virtual NTNU PC on your private device.

VLC: Media player that does not store copies on the machine. Can be used with virtual desktop (VDI).

Information classification

All information you process and share has different needs for security and protection. At NTNU, we use four categories to classify confidentiality level: Open, Internal, Confidential, and Strictly Confidential. Colour coding is often used for describing the different levels. For more information on classification, see Policy for Classification of Information Assets or the wiki Classification of files and documents.

About the classification of personal data

Ordinary personal data (non-sensitive) is usually classified as internal (yellow). This is information that can be related to a person but do not contain so-called special categories of personal data (also called sensitive). Special categories include information about racial or ethnic origin, political opinion, religion, belief or trade union membership, processing of genetic information and biometric information for the purpose of uniquely identifying a physical person, health information or information about a physical person’s sexual relationship or sexual orientation. This information requires a higher level protection and is usually classified as confidential. Other examples of confidential data are information about criminal convictions and offenses or information about people from vulnerable groups or in vulnerable situations.

There are examples of Strictly Confidential (black) personal information in research. Strictly confidential is used if it could cause significant harm to public interests, the institution, an individual or a partner if the information becomes known to unauthorized persons. An example of such information may be information about persons who require special protection (code 7).

For more information, see Guidelines for the processing of personal data.

Examples of data flows for research data with personal information

Yellow interview data via Nettskjema Diktafon App

1. Log in to Nettskjema and create a new form using the template "Nettskjema-diktafon - storage in Nettskjema".
2. Download the Nettskjema Dictaphone app to your mobile and use the app to record interview (follow instructions from UiO).
3. Listen to the files in Nettskjema via Browser. (NB: Nettskjema automatically transcribes the recordings, but the quality varies.)
4. Copy the transcriptions to a Word file on Teams or your home directory (do not download to your own PC).
5. Save the transcribed texts on Teams or your home directory (M:). Make sure to not save anything on your own PC.

Yellow interview data via Zoom

1. Set up recording in Zoom with storage on home directory (M:-disk)
2. Play the files with VLC player (downloaded from NTNU)
3. Work with text files in Word (Office 365),
4. Save Word files on Teams.

Yellow video data

1. You can use a digital video camera to make recordings, but this requires that you are careful to delete the information from the recorder afterwards (see procedures for deletion below).
2. Transfer video files directly to your home directory (M:). For more information on how to connect your home directory as a folder on your PC, see wiki about Home Directory.
3. Play the files with VLC player (downloaded from NTNU)
4. Work with text files in Word (Office 365).
5. Save Word files on Teams.

Red interview data from dictaphone/external recording device

1. You can use an external dictaphone/audio recorder to record confidential interviews, but this requires that you are careful to delete the information from the recorder afterwards (see procedures for deleting).
2. Transfer video files directly to your home directory (M:). For more information on how to connect your home directory as a folder on your PC, see wiki about Home Directory.
3. Connect to a virtual desktop with VMware Horizon View (VDI) and listen to the files with VLC player from the available programs.
4. Use Word through VDI to transcribe.
5. Mark text files as confidential with AIP and save them on your home directory or OneDrive.
6. Use VDI every time you open and work with the files.

Red video data

1. You can use a digital video camera to make confidential recordings, but this requires that you are careful to delete the information from the camera afterwards (see procedures for deleting).
2. Transfer video files directly to your home directory (M:). For more information on how to connect your home directory as a folder on your PC, see wiki about Home Directory.
3. Connect to a virtual desktop with VMware Horizon View (VDI) and play the files with VLC player from the available programs.
4. Use Word through VDI for text work.
5. Mark text files as confidential with AIP and save them on your home directory or OneDrive.
6. Use VDI every time you open and work with the files.

Deleting information

External storage media

  • Windows: Connect external storage media to your PC, find the media, right-click and select Format. Select NTFS file system, make sure “Quick format” is not checked, and click Start. NB: It is important to use full formatting to prevent information from being recoverable.

  • MacOS: Connect external storage media to your Mac. Open Disk Utility, select the device under External, click Erase, and select the desired format from the menu. (Use MS-DOS (FAT) for 32GB and smaller, and ExFat over 32GB unless you have a good reason to choose other formats.) Click Security Options and move the switch all the way to the right before clicking Erase.

Deleting files from personal computer

Delete the file from the relevant storage areas, then delete the file from the trash.

543 Visninger
IT-info: digital sikkerhet Målgruppe: Medarbeidere Studenter Tema: Informasjonssikkerhet
Tagger
personal data digital security information security research data gdpr data management forskningsdatahjelpen
Vedlegg
PNG
formatering MacOS - en.png
PNG
formatering Windows - en.png
PNG
Gule data m diktafon -en.png
PNG
gule data Zoom - en.png
PNG
gule videodata.png
PNG
røde intervjudata - en.png
PNG
røde videodata - en.png
JPG
sikkerhetsklassifisering_eng.jpg