The following questions can be helpful in the evaluation of what security measures are required:
Examples of Measures:
For more information about security measures, see the Swedish Authority for Privacy Protection.
Here you can find information about storage options that the university can offer.
The university provides directories on a central server in the form of personal home directories (H:) for employees and students, as well as shared storage spaces (L:) for employees. Shared storage spaces are created when an order is sent to firstname.lastname@example.org. All information that is stored in these is backed up on a daily basis and is protected by IT support.
Information can also be stored locally on a computer’s hard drive (C:). Information that is stored locally on a computer is not backed up automatically. If information is stored in this way, the user is personally responsible for ensuring that it is protected.
The university provides employees with mobile devices such as smartphones, tablets, external hard drives, memory cards and USB memory sticks. Information that is stored on these is not backed up automatically. If information is stored on these, the user is personally responsible for ensuring that it is protected.
Cloud storage is a form of storage on the Internet. Examples of cloud storage services are Dropbox, Google Drive, Microsoft OneDrive, Apple iCloud, Box and Evernote. At present, the university does not have a contract with any cloud provider and cannot take responsibility for information that is stored in a cloud. Current guidelines at the university mean that this type of service must only be used for information that is less significant and that does not include personal data.
Personal data that is sensitive in terms of personal integrity must be protected against unauthorised access when it is transferred over the Internet – for example, by email. An alternative can be encrypted transfer.
The transfer of personal data to non-EU/EEA countries (also termed Third Countries) is only permitted under certain conditions.
Decision on sufficient level of protection: If the EU Commission has determined that a third country can ensure an adequate level of protection, then personal data can be transferred there without any special permission.
Appropriate protection measures: for example, standard contractual clauses or binding corporate rules.
Special situations and individual cases: for example, consent.
Read more about when transfer to a third country (non-EU/EEA country) is possible: Swedish Authority for Privacy Protection.