I’ve been collecting survey data from students for my research. In some surveys I ask for the students’ names or e-mail addresses. In order to protect the students’ privacy and assure information security, this personal information cannot be saved together with the rest of the collected data.
I therefore created an ID-number for each student, and made a “scrambling key” connecting this ID-number to their personal information. I replaced the students’ personal information with these new ID-numbers in the survey data.
I ended up with two documents – an anonymized data file, and a key with students’ personal data and ID-numbers. These two documents cannot be saved together, because if a hacker finds them, they’ll be able to connect the two and find out how a particular student answered survey questions.
The instructions from the Norwegian Centre for Research Data (NSD) do not specifically state how to hold the documents separate, and neither do UiT’s webpages on information security. Is it sufficient to save one file in Teams/Sharepoint (cloud-based team collaboration software, where files can be stored and shared), and another in OneDrive (the online cloud storage service used by UiT for sharing and editing files)? Both of these systems have the same username and password.
I posed this question to IT support at UiT and received an answer several days later, after they discussed the issue. Since the two cloud storage systems, Teams/Sharepoint and OneDrive, have the same login, they’re not considered separate entities. Someone with my password could compromise these storage locations and gain access to both documents.
IT support’s recommendation was to save the survey data in one of the cloud storage systems (accessible on my PC), and the scrambling key on a memory stick (and only on the memory stick). This should be locked in a cabinet, physically removed from the rest of the data.
So that’s exactly what I did, and what I recommend to others in similar situations. Better safe than sorry!