You are here: Information Security Data protection (GDPR) General information Processing and storing personal data

Processing and storing personal data

Here, you can read about your options for the storage of data. Please note that you must follow some special rules for where you may handle and store personal data. 


Overall security requirements in connection with the processing of personal data

The rules governing the processing of personal data do not set any specific requirements concerning security. No requirement is thus made for the persons who process either sensitive or ordinary personal data to have their own office, or that personal data may only be processed electronically.

The general rule is that both the data controller and the data processor must take appropriate technical and organisational security measures on the basis of a specific risk assessment. The assessment may entail that concrete, physical or technical measures must be taken, such as locking up premises and taking other measures to ensure that sensitive data cannot be accessed by unauthorised persons.

Who may view the personal data that I process?

  • Internally within AU: The parties for whom it is necessary to view the personal data, in accordance with the purpose and legal basis.
  • Outside AU: The parties to whom the data subjects have been informed that the data will be disclosed (whether this concerns other data controllers or data processors for AU).    

Read more about the security of processing.


Network drive (U drive)

  • Use: A personal drive where employees can store files and documents. The drive cannot be shared with other parties.
    When you work with personal data, the best place to store this data is on AU’s network drive.
  • Security and security requirements:  Very secure way to save and store data, such as personal data, that no other parties may view or access.
    There are no special security requirements, since security is built into the system. If you are not logged onto AU’s network, you can only access your personal drive using VPN and two-factor authentication.
  • Back-up/back-up copies of data: Takes place automatically.
  • Ordering: All employees are automatically assigned a personal drive in conjunction with their employment.
  • Support: Contact your local IT support team

Shared drive or shared folder (O drive)

  • Use: A shared drive enables employees to store and share files and documents with each other. When a shared drive has been created, users will only be able to view and have access to the folders to which they have rights.
  • Security and security requirements:  Very secure way to save and store shared data, which only parties with viewer rights can access.
    Rights are assigned by the owner of the shared drive. The owner/user is not subject to any other special security requirements, since security is built into the system.
    If you are not logged onto AU’s network, you can only access your personal drive using VPN and two-factor authentication.  
  • Logging: You can order ‘logging’ of a shared folder, if you are required to be able to document who has accessed/edited files and documents.
  • Back-up/back-up copies of data: Takes place automatically.
  • Ordering: Find guidelines on how to order a shared drive.
  • Support: Contact your local IT support team

SharePoint

  • Use: SharePoint is a collaboration platform that can be used for knowledge sharing and document management. You can, for example, create pages and directories, and have a site for file storage, blogs, discussion forums, etc.
    When a SharePoint site has been created, users will only have access to view the document directories to which they have rights. This is a web-based solution in which files and documents are available online, which makes sharing, storage and availability very user-friendly.
    SharePoint contains a large number of templates that you can use to create sub-sites which can be used by a specific unit or project group.
  • Security and security requirements: A very secure way to store shared data, since only persons who have been granted rights will have access. 
  • The owner of a SharePoint site assigns rights to the persons who are to have access. There are no other special security requirements for the owner/user, since security is built into the system.
    Both AU employees and external collaboration partners can use SharePoint – although this requires a data processing agreement or non-disclosure agreement to be drawn up, in order to ensure compliance with the General Data Protection Regulation (GDPR).
    Two-factor authentication must be used to access SharePoint, if you are not on the AU network. 
  • Back-up/back-up copies of data: Takes place automatically. All documents/files are versioned and the last 500 versions are saved as a back-up. Deleted documents are saved automatically for 90 days.
  • Ordering: Contact your local IT support team.
  • Support: Contact your local IT support team

 

Cloud services


In connection with specific services, Aarhus University uses cloud services. Separate agreements have been entered into in this respect. Please note, however, that no agreements have been entered into with cloud services such as Google Drive and DropBox, which means that these services may not be used for the storage of personal data.

Read more about the establishment of data processing agreements. 

Computer hard drive (local C drive) or Mac hard drive (local Macintosh HD)

  • Use: A personal drive where employees can store files and documents. A local drive may not be shared with other parties.
  • Security and security requirements: The PC/Mac must be issued by AU and must thereby fulfil the conditions in relation to operating system, patching, antivirus and encryption.
    Any AU data temporarily stored locally on your PC/Mac must always be encrypted.  Find information about encryption.
    The local hard drive may not be set up to be shared on AU’s network.
  • Back-up/back-up copies of data: You are responsible for this.
  • Ordering: Does not have to be ordered, since the drive is on the PC or Mac issued to you.
  • Support: Contact your local IT support team

External hard drive

USB flash drive/memory stick

  • Use: A personal drive where employees can store files and documents.
  • Security and security requirements: This must be a USB flash drive/memory stick recommended and approved by AU.
    Any AU data stored on the device must always be encrypted. Find information about encryption.
  • Back-up/back-up copies of data: You are responsible for this.
  • Ordering: From the faculty or central administration’s IT webshop.

Research programmes

It is also possible to store personal data in dedicated research systems, such as RedCap


Storage of physical material containing personal data

The rules for secure storage of personal data are, in principle, the same for digital and physical material. This means that only persons in positions of trust with a legitimate need may have access to the personal data.

  • The physical material containing personal data must be kept under lock and key when not in use.
  • The physical material may only be accessible to persons in positions of trust.
  • The physical material must be destroyed responsibly when the purpose of storing it has lapsed.

Storage of sensitive and confidential personal data

  • You may never store or process confidential or sensitive personal data on your private computer or other private equipment. If you work with personal data, you must always use the computer issued to you as an Aarhus University employee.
  • Sensitive personal data in its final form may not be stored in AU’s e-mail and calendar program (Outlook) and because it is not intended for the storage of sensitive personal data.

Storage of personal data in final form

 

When you have finished working with personal data and the result is available in final form, please note that different rules apply. E.g. sensitive personal data in its final form may not be stored in AU’s e-mail and calendar program (Outlook) because it is not intended for the storage of sensitive personal data.

In principle, you have three options:

  1. Make the personal data anonymous, so that no restrictions apply.
  2. Erase the personal data when there is no longer a legitimate purpose for its storage.
  3. Archive the personal data, e.g. in Workzone or at the Danish Data Archive. 

Find filing instructions and filing plan. 

NOTE! Academic staff must be aware that, in accordance with the “Responsible conduct of research at Aarhus University”, primary data (and thereby sensitive personal data) data MUST be stored for minimum five years after “completion” (i.e. in practice for minimum five years after the most recent publication of new results from a given data set). In this respect, AU is also obliged to make servers, archives etc. available.

Examples of storage of personal data

Own personal data, employment contract, etc. 

As a general rule, you may do as you wish with your own personal data, and therefore it may be kept in e.g. a binder in your office. It is a good idea to mark the binder as ‘Private’.  


Project descriptions containing the names and positions of collaborative partners.

You may store personal data for as long as necessary for the purpose for which the data was collected. This means that you may store the project description for as long as you are working with it or on the subsequently approved project. After this, it must be deleted. If the project is not approved, and you wish to retain the project description for any later applications, you must make it anonymous so that it does not contain personal data. In the case of sensitive personal data, other rules apply to storage (storage for a maximum of 30 days).


Articles and reports which contain names, email addresses, job titles, tel. nos., etc. 

In the case of published articles and reports, these may be retained. If the articles and reports have not yet been published, this will depend on the purpose of storing them.  


Other employees’ travel expenses

Documents and receipts containing personal data may only be saved until the settlement has been approved. After this, the documents are stored electronically in the travel expense settlement system and must be deleted from the mailbox and from network drives, etc.   


Final contracts for research and consulting projects

You must send final contracts for research and consulting projects to tto@au.dk (Technology Transfer Office at AU Research Support and External Relations).


Accounting documents

As a general rule, accounting documents must be stored for five years. For specific projects, accounting documents may be required to be stored for longer. If the documents contain information additional to the details entered in REJSUD/Indfak, it is recommended that this information be attached. 

Once a document has been scanned and attached to e.g. a travel expense report, it may be discarded. If the scanning proves to be illegible, a solemn declaration will be valid documentation. 


Work-related lists - e.g workwear, office location, lending of work equipment 

Work-related lists may be saved to the shared drive (O drive) with a description of purpose. The lists must be kept up-to-date and must be deleted when they are no longer needed.  


Private lists - e.g. birthday lists and breakfast bread lists  

Initiatives among colleagues of this nature are voluntary and are deemed to be private. They are therefore not subject to the data protection rules.

It is recommended that the lists clearly state that participation is voluntary. The lists must be kept up-to-date and must be deleted when they are no longer needed. The lists may be saved to the shared drive (O drive) or on the personal drive (U drive). 

1443055 / i40