Deliverable D2.3 was rejected, and needs to be resubmitted. This document contains our (Edgeryders) understanding of who needs to to what, and how to comply with the reviewers’ instructions.
The deliverable document should include several details that are not explicitly mentioned and may create problems in terms of data storage and security. In essence, the revision has to add several details for clarity:
It is quite clear where the data is stored but there are no details about how secure this primary unit of storage is / how security is ensured.
How does data sharing take place between partners?
Data from interviews and participant observation are stored on OneDrive. How are the safety and security of the cloud ensured? What happens if OneDrive shuts down unexpectedly?
What is the strategy for back-up copies in case something goes wrong with the files stored in the primary unit? Data management plans must include such provisions, which are mentioned neither in the deliverable nor in the technical report.
The project uses social media data. Is consent from users required for that type of data?
How does the consortium deal with various data management requirements across different countries? Has the project considered the legislation in all countries involved in the project and do the DMP provisions meet those requirements?
The deliverable refers to the publication on the website of data from WP6 in September 2019. Since this did not happen, any references to it must be deleted.
Question 1 needs to be addressed by all partners. For those of you using One Drive, see below.
Question 2 needs to be addressed by partners in WP3 and WP4. For WP5, I hope that Corvinus finally selected the contractor for their survey, and then they would also need to update their part with this information. Following a suggestion by Joanna, we have added a final section to the document where we group this information by partner, rather than by WP. We are referencing this final section in the sections referring to different WPs.
All data collected will be initially stored on secure university drives of each of the partners (most universities in the consortium use OneDrive) and then transferred to the shared drive for the entire project (POPREBEL shared folder on OneDrive).
The issue here is that data are first registered in each partner’s One Drive, then moved over to the POPREBEL projects’ One Drive. You need to specify that this happens under a secure protocol: at a minimum file transfer via https. If you use Advanced Encryption with One Drive (or equivalent for storage systems other than One Drive), specify so.
Questions 3 and 4 needs to be addressed by partners in WP3 and WP4. For WP5, I hope that Corvinus finally selected the contractor for their survey, and then they would also need to update their part with this information.
The issue here is to specify the security measures taken by Microsoft for One Drive, and the backup provisions. See the resources section of this document below. Notice that backup provisions could come via third party services: according to one vendor
Yet, while Microsoft focuses on data availability, they fall short in terms of data recoverability. Simply put, Microsoft 365 isn’t a backup solution. (source)
So, here the reviewers want to know what happens if One Drive crashes. The correct answer is “we have daily (or hourly, whatever) backups, stored locally (or in the cloud)”.
Question 5 is a bit unclear. The DMP has no reference to social media. However, I would like to ask the partners in WP3 to confirm that they, indeed, plan to use social media data (section 1 mentions “online content”). If so, Jagellonian must address the question (see resources below). If not, we will clarify. If you are not working on social media data, you can ignore this question.
Question 6 needs to be addressed by partners in WP3 and WP4. For WP5, I hope that Corvinus finally selected the contractor for their survey, and then they would also need to update their part with this information.
The issue here arises because data are collected in different jurisdictions (example from WP5: “a representative survey of Hungary and/or East Central European countries”). If this happens, the Commission wants to know that you are aware of the differences between the data protection laws of different countries, and you will adopt the most restrictive ones, or all the relevant ones. Example: in Estonia we are required to enter the name of our data protection officer into a state registry.
Question 7 concerns U Tartu. The paragraph that needs to be changed is in section 2.1:
Firstly, a preliminary version of the scenarios will be prepared for discussion during academic conferences and events in Autumn 2019; a second version to be prepared by January 2020 for use in seminars with policy-makers and focus groups; and a third version to be prepared by June 2020 at the end of the consultation period.
First of all, here is a site on the EC Horizon 2020 Requirements for storing research data.
Questions 1, 2 and 3 : If data is stored primarily on One Drive, the following guidance should be helpful:
https://help.it.ox.ac.uk/nexus365/onedrive-business-usage. To summarise the main points:
- The safety and security of One Drive is ensured in part by you, the user. By default you are the only one with access to your data on OneDrive. To ensure that safety and security, you must state that you will not share the files with anyone outside of (insert here: e.g. the POPREBEL project, or whatever is appropriate). This should also help you articulate the answer to question 2 - how are you handling permissions so that other partners can securely access the data? The answer should probably be along the lines of allowing access via OneDrive permissions, as a secure channel.
As Oxford puts it: “OneDrive is certified against the internationally recognised information security standards and approved by the University for all data. However, you are responsible for using it in a safe and secure way.” This ONLY applies to the OneDrive version provided by Nexus365 – other versions of OneDrive are not approved in terms of data security, at least at Oxford.
As Microsoft writes:
- The customer maintains control of the lifecycle of customer data and user-generated content. Admins and end users can add, modify, and delete data explicitly via well-known user interfaces or admin tools. Admins can set retention policies on OneDrive/SharePoint content (on a per-user basis). Data can be removed aggressively or preserved for longer periods.
*Account data synchronized from Office 365 is used to determine, based on licenses, what experience the end user is entitled to. This data follows the lifecycle of the user. Admins can add, modify and delete user accounts, and those changes will be promptly reflected in OneDrive for Business.
- Product and service usage data follows a controlled lifecycle designed to comply with GDPR data subject requests.
- Finally, with Advanced Encryption with Customer Key, administrators can be confident that when they have offboarded their data, that Microsoft no longer has any access.
Further, Microsoft also states in terms of its own data protections:
We have designed tight controls and measures, technical and organizational, to protect customer data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction. Some examples include:
- We restrict physical data center access to authorized personnel and have multiple layers of physical security, such as biometric readers, motion sensors, 24-hour secured access, video camera surveillance, and security breach alarms.
We enable encryption of data both at rest and in transit between data centers and users. End User Pseudonymous Information (EUPI) is hashed following FIPS140-2 requirements.
- We conduct internal privacy, compliance, security and legal review of all new commercial features, services, and processes.
*Finally, services are independently verified to meet the applicable compliance framework set forth in our Online Services Terms (OST). This includes FedRAMP, SOC, and ISO, and many more.
Mention any of the above as needed as what you will do to ensure data is not shared outside of the project or your institution. This ensures that no data is held beyond the date you declared you’d delete it, and that all copies and backups are in fact completely destroyed.
OneDrive and location: OneDrive allows the user to store data in your chosen geographical location. You should check what permissions you’ve allowed in OneDrive in terms of location. Restrict as needed (to EU/EEA, for example).
Question 4: Secondary backups. Researchers should always keep 2 backups. I recommend keeping one on an (encrypted, password protected) external hard drive and one in the Cloud. This answers both the “what if OneDrive shuts down unexpectedly” question and the strategy for backup copies. Regularly (e.g. end of workday) backup research data (e.g. interviews and participant observation notes) to an external hard drive as well as using an automatic OneDrive backup.
Question 5: Social media data.
Here is a policy note from the University of Sheffield on Social Media Data based upon the Association of Internet Research’s longer ethics guidelines.
You can locate each relevant section in the policy note if the answer to any of these questions is no, which should help you formulate a response and protocol. I imagine that a robust response would take each point in turn and briefly explain how you’ve done each.