Data security

Choose secure programs and devices

Ensure secure programs and devices when conducting interviews, remote interviews, surveys, and more.

Interviews

• MyJYU AI Transcription is a secure program for recording and transcribing interviews. You can use your own smartphone and the MyJYU app to record interviews. Always ensure you have the latest version of the MyJYU app! You can also record interview material containing special categories of personal data or other sensitive information with your own phone and the MyJYU app, provided your phone meets the following criteria: 1) biometric authentication has been implemented; and 2) the operating system is Android 10 or newer / iOS 17 or newer.
  • Instructions for using MyJYU AI Transcription.
• If your phone does not support biometric authentication or the latest system updates, use the Zoom program with JYU credentials at: https://jyufi.zoom.us
  • Instructions for using Zoom for research interviews — Intranet Uno (jyu.fi)
  • If the interview involves special personal data, Zoom should be used on university devices. Consider if this is possible for you.
  • Additionally, recording should be done on the U-drive whenever possible, not on your personal computer.
• If you do not process special categories of personal data, you can also use the university's M365 Teams with JYU Microsoft credentials.
• Zoom and Teams can be used for both remote interviews and when you are in the same room.
• Or, use a tape recorder borrowed from the university.
  • The tape recorder should have a function for encrypting recordings.
  • "The recording shall be removed from the tape recorder once it has been transferred for processing. The encryption keys of the device must be changed when the device is transferred to a new user." Recording and processing of research interviews — Intranet Uno (jyu.fi) (Finnish)

Transcriptions

• Researchvideo and MyJYU AI Transcription are the university's own secure AI-powered tools for transcription. You can use them for transcribing material containing special categories of personal data. For example, if you used a recorder to record the interviews and there's special personal data, you can use Researchvideo to transcribe.
• If your material does not contain special personal data or other sensitive information, you can also use the transcription functions of M365 Teams and Word with JYU Microsoft credentials.

Surveys

• Surveys are made with JYU Webropol or JYU REDCap.
  • Google Forms, SurveyMonkey or other commercial survey platforms should not be used.
  • JYU Webropol is a practical tool for collecting one-time surveys.
• If the survey contains sensitive information, such as special categories of personal data
  • JYU Webropol can be used under certain conditions:
    • The survey link is delivered to the respondent personally via encrypted email. You can do this with the Encrypt function in the sending settings of your JYU email.
    • Avoid naming the questionnaire so that the name reveals sensitive information about the respondent, such as "questionnaire for the depressed".
    • Choose Public link to collect answers.
    • More detailed instructions for secure use of Webropol
  • Or use the University of Jyväskylä's REDCap survey software, which is intended specifically for processing sensitive data. REDCap is a secure platform that is especially suitable for longitudinal and recurring surveys.
     
• RedCap survey software
  • Order your REDCap user rights using a form in HelpJYU, see instruction for account set up. On the form, mark "Studying" as the purpose of use. REDCap rights are then valid for the duration of your study right.
  • The software makes it possible to build versatile online surveys and forms that can be used in field research (e.g. structured interview).
  • Carefully familiarize yourself with the data security principles and functionalities of REDCap and look at the guidelines when you plan to implement a survey containing sensitive information. REDCap is quite versatile in its functionality and its user interface is in English, so you should start familiarizing yourself with it about 3-4 weeks before sending the survey.

Other devices and software

• If you need a secure way for a research participant to contact you—for example, to arrange an interview time—they can send you a secure email from any personal email address.
  • Every student has both a long and a short university email address. The short format is: username@jyu.fi. Secure emails sent from outside the university must be directed to this short address.
  • Instructions are available on HelpJYU.
• If you issue an open invitation for interviews, you can collect responses using a Webropol survey.
  • Select “Web link – Public link” and add a response field to the survey where the participant can enter their contact information.
  • Name the survey in a way that does not reveal information relating to the person responding. For example, if you name the survey “Survey for Alzheimer’s Patients” and ask for the respondent’s name and contact details in the survey, health information in the title would be linked to direct identifiers in the response fields.
• If you intend to film a group of participants, etc., make sure that you also have secure devices, such as a video camera.
• It is recommended that you ask your supervisor about the devices provided or recommended by the university.
• If you are considering the use of other software not mentioned on this page, ascertain whether the software is AI-assisted and whether JYU recommends its use.

The processing of the data must be carried out in such a way that the information to be protected is not revealed to third parties. 

For example, transcriptions of interviews are not made in public spaces. Especially if the data contains special personal data or other sensitive data, it is a good idea to process the data alone, for example, at home.

Choose secure storage locations

Data cannot be stored wherever if it contains for example personal data.

Use the storage locations provided by the university:

• JYU Office 365 OneDrive is ok if the data does not contain special personal data or other sensitive information.
• A more protected place for your data is the U-drive. Use it if your data has special personal data or is otherwise sensitive.
  • It is a storage location owned and backed up by the university. The U-drive can be accessed from your own computer with the university's VPN connection. See the instructions for digital services for remote access to the U drive with a VPN connection.
  • The problem with the U-drive is that it is personal and when you leave the university, access to it is blocked.
• Researchvideo is a secure place to store video data with special personal data
• The secure services used by university staff can often also be used as a student. For example, CollabRoom is a service intended for sharing confidential data within a research group, for which students can also get credentials if necessary. CollabRoom credentials can be applied for in the HelpJYU portal (https://help.jyu.fi), Services and guidance > Research > Resources > CollabRoom.

If you are working with a research group or with finished data, the project may provide more detailed instructions on the secure processing and storage of the data.

• As part of a research group, you may have the opportunity to access the research group's folder in the Nextcloud service or on network drives (S drive). You can apply for access to Nextcloud using the grant researcher form.

Do you process special categories of personal data? According to the university's instructions, data is encrypted using the Cryptomator program.

• See instructions
• The program can be downloaded from the Cryptomator website.
• Note the risk: A password is created for Cryptomator. If you forget your password, it cannot be recovered and you would lose access to your data. Choose a password that you are sure to remember and/or write it down in a safe place.
• When encrypted, O365 OneDrive could also be used to store special personal data if, for example, the progress of work requires it.

The university's table of processing confidential information explains in more detail what information can be stored where. As a clarification to the table, a network drive means, for example, the U drive.
 

The university's data policy states that it is the researcher's responsibility to use the university's secure storage solutions in storing data. If you use something else, justify it in your data management plan.

• Are you considering your own or your workplace's computer as a storage location for the data? In this case, you are responsible for data security. Also, you may not have automatic backup enabled on your own computer, which is one of the criteria for a good storage location.
• Do not use standard USB drives or unprotected external hard drives.

Backup

• The U-drive is automatically backed up, but still make your own backups – especially before major data processing operations. You can make your own backups to the U drive.
• If there is no special personal data in the data, you can also use the university's O365 OneDrive for backup (or vice versa).
• Please note that the code key related to personal data must be located in a separate security location, such as a locked desk drawer.

If the data is sensitive, any transfers must be made over a secure network, such as a VPN connection. Transferring with a flash drive should be avoided.

AI, PERSONAL DATA, AND DATA PROTECTION

If you consider using AI applications to collect or process your research data, first evaluate what kind of data you intend to input into the application:

• Have you received the data or part of it from another source? Are there contractual restrictions on the use of the data?
• Is it possible for you to anonymize the data before using AI, or to minimize the personal data input into the application?
• Is the use of the application for processing personal data in line with what you have informed the data subjects when collecting their personal data?
  • For example: Is the provider of the application mentioned as a processor of personal data in your research? Or does the use of the application result in the transfer of personal data outside the EU, even though you have informed the subjects that processing will occur within the EU?

Important: Ensure that your actions are consistent with the information you have communicated to the research participants or other data subjects!

Data protection guidelines for undergraduate and doctoral students regarding the selection and use of AI applications depend on whether you are:

• The data controller yourself, i.e., responsible for processing personal data, and not employed by the University of Jyväskylä
• Employed by the University of Jyväskylä and/or the University of Jyväskylä is the data controller for the dataset.

If you are an independent data controller and not employed by the university:

• Primarily use AI applications provided by the University of Jyväskylä that are accessible with university credentials and approved for processing personal data according to the Table of processing confidential information.
  • An example of such an application is MyJYU AI Transcription.

When the software is centrally acquired by the university, university experts have investigated the application's personal data processing on your behalf, such as:

• What personal data does the application collect from its users (i.e., from you)?
• Does the application provider impose restrictions in its terms of use regarding personal data processing (can/cannot input personal data)?
• Does the application comply with the EU General Data Protection Regulation (GDPR)? Where does the processing of user data or input data occur?
• Do the personal data input into the application remain permanently with the service provider? (If they do, the application should not be used!)

If the University of Jyväskylä is the data controller and/or you are employed by the university:

• Check the Table of processing confidential information to see which (AI) applications you can use to process personal data.
• Do not input any data containing personal information into the application unless the application is specifically designed to process personal data in accordance with data protection legislation and is provided through the University of Jyväskylä and used with university credentials.
  • An example of such an application is MyJYU AI Transcription.