Securing information
Valuable information must be protected
Storing and handling information
-
We are all responsible for ensuring that the information we work with is properly protected when we process, store, and transfer it. How information should be protected depends on its classification level. The classification may arise from laws, be derived from a risk assessment, or be agreed upon with partners.
Familiarise yourself with the organisation's guidelines for handling, storing, and transferring information belonging to the various classifications: open, internal/protected, confidential, and strictly confidential.
Information classified as open is information that can or should be available to everyone without specific access control. Examples are books and websites publicly available on the internet.
Internal/protected information is information that should not be available to everyone, such as unpublished work documents and ordinary personal data (names, phone numbers, etc.).
Confidential information is information that could cause harm to your organisation, individuals, society, or partners if disclosed to unauthorized persons. This also includes all forms of special categories of personal data (see the Data Protection Authority), such as health information.
Strictly confidential is the same type of information as confidential, but with specific considerations requiring even greater protection of the data. This may apply, for example, to large health data registers or if a collaborative partner requires the highest level of security.
How to store different types of information
-
How information should be protected, and therefore stored, may be set by law, agreed with cooperation partners, or derived from a risk assessment.
Different categories of information or data require different storage. The requirements for the technical security of data storage solutions are stricter for Red data (confidential). Green data may be stored on different types of equipment and data storage services. Some solutions offer two-factor authentication, which makes data storage safer.
Institutions have different rules for the storage of data. It is your responsibility as a student, researcher, or employee to familiarise yourself with the specific rules that apply to you and your data at your institution. These depend on, for example, the classification of the information and your role in the institution.
This means that you cannot send "red information" unencrypted in an e-mail, or store it in random cloud services.
Sharing on social media
-
Social media gives us the opportunity to communicate with each other, share opinions, and participate in discussion forums. But who can see what you share? Even if you feel like you are posting pictures or comments as a private individual, it's important to consider that anyone can access what you share publicly.
Ask yourself:
- What role do I have? Am I representing anyone other than myself?
- Could the information I share about myself be misused by someone?
- Do I have consent to post pictures or information about others?
- Is the information confidential?
- Is there criticism or claims that could be perceived as defamation?
- Do I have permission to publish this, or is it protected by copyright?
Read more about social media (NO) on nettvett.no.
How to use encryption
-
When information is encrypted, it becomes unreadable until it is unlocked with a password or other verification. Encryption is used to protect information that is stored or transmitted, and it is often necessary when handling confidential information.
Below are some methods of encryption. Note: Check if your study or workplace has its own solutions and requirements for encryption and handling confidential data.
- A computer’s hard drive can be encrypted with various types of software, such as Microsoft’s BitLocker and Apple’s FileVault.
- Storage media may be encrypted in the same way as described above.
- Documents in Word, Excel, and PowerPoint can also be encrypted with a password. Go to the "File" menu. Select "Information," "Protect document/workbook/presentation," and "Encrypt with password." Be aware that an open document is accessible to unauthorized persons if your device (mobile, PC, tablet) is hacked.
- E-mail attachments can be encrypted using tools like 7-Zip.
- Email messages in Outlook can be encrypted via S/MIME (NO).
- Email messages and attachments can be encrypted with OpenPGP.
- The internet connection between your PC and your study or workplace can be encrypted using a VPN – virtual private network.
If you use an encryption solution with a password, be aware that you will lose access to the file if you forget or lose the password.
Paper documents
-
Physical documents have the same protection requirements as digital ones. For documents with high confidentiality requirements (confidential and strictly confidential):
- Lock them securely in a cabinet when not in use.
- Send them in a sealed envelope, secured according to the value of the information.
- Do not throw them in the trash; shred them or dispose of them in locked boxes for secure shredding.
- Print them only if necessary, and retrieve the printout immediately.
- Delete the print job from the printer queue if there is an issue with the printer.
Archiving and deletion
-
Information of archival value must be archived. This can include diplomas, grades, master's theses, and other documents with legal, historical, or business-critical value.
- Project archives or research data must be stored for verifiability.
- You must always comply with the laws regulating the information you wish to archive or delete.
- The Personal Data Act regulates the collection, storage, and deletion of personal data.
- Information with strict confidentiality requirements must be deleted using special deletion software to ensure it cannot be recovered. Regular deletion is not sufficient. Check what is used at your study or workplace.
Confidentiality
-
Confidentiality means that you are obligated to prevent others from gaining access to or knowledge of confidential information. A breach of confidentiality may be punishable (Lovdata).
- Various types of information can be confidential due to laws or agreements, such as personal data and information of a technical, commercial, or strategic nature.
- When you sign a confidentiality agreement, you commit to understanding what it entails.
- Confidential information should not be shared with unauthorized persons, whether orally, digitally, or on paper.
- Confidentiality also applies after you have completed your studies or left your job.
- Note that you may be subject to confidentiality due to your position, even if you have not necessarily signed an agreement.