Norwegian version of this page

Data Storage Guide

An important aspect of privacy in the context of research is the duty to ensure that personal information does not come into unauthorized hands. NIH must ensure this through access management, pseudonymisation and anonymisation as well as correct storage of data.

Published Nov. 9, 2023 2:39 PM - Last modified Nov. 20, 2023 1:11 PM

Main rules for Storage of Research Data at NIH:

The data set must be secured with access control.
Physical datasets are stored locked.
Electronic registers on your own PC must be encrypted.
The most secure form of electronic storage is central data storage with extra secure access control (NIH's Secure Zone).

Storage - File Server or Secure Zone?

  1. Datasets with personal data must, as far as possible, be pseudonymised.
  2. Pseudonymised data sets can be stored on file servers. NIH's file server has access-controlled zones. Coupling keys must be kept in a locked cabinet at the institute. The institutes have their own rules about this.
  3. Insufficiantly pseudonymised data and data sets containing sensitive personal data must be created in the NIH's "Safe Zone". This also applies to data in formats that present special privacy challenges (sound, image, film and biometric or genetic data). The secure zone can also be used for sharing data with external researchers. Access is managed via Prosjektweb. 
  4. See separate rules for biological material (biobanks - Norwegian pdf)

Storage options - what can be stored where:

See classification guide for additional information categories of research data.

Storage overview
Medium/Storage Unit Black Red Yellow Green
NIH-operated Laptop - encrypted No Yes Yes Yes
Privatly Opened Laptop No No Yes Yes
Memory Stick No No No Yes
Encrypted Memory Stick No Yes Yes Yes
OneDrive No No Yes Yes
File Server No Yes Yes Yes
Safe Zone Yes Yes Yes Yes

Storage Overview Notes:

Red data can be stored on a computer with an encrypted disk, encrypted memory stick or encrypted external hard drive.

Email with red data can be sent internally at NIH between NIH users. If e-mail with red data is to be sent to external recipients, the content must be encrypted before sending. Such e-mail cannot be synchronized down to a private computer, tablet or mobile phone.

It must be ensured or ensured that red data is not downloaded or extracted to the home area, computer root encrypted disk, or other storage locations that cannot store red data.

It is generally not recommended to store documents on local disk on your workstation.

Red data can be stored in common areas or administrative systems after a separate assessment and possible arrangement.

Information to be shared with colleagues should be placed in a common area, not in your home area.

As a general rule, yellow data should not be processed on a private machine. But some use is allowed provided that one follows the guidelines for using a private machine.

All NIH-related communication must take place via NIH's e-mail system and with your NIH address as the sender.

E-mail this page