Data security

SECURE DEVICES AND SOFTWARE

Ensure that your devices and software are secure when collecting and processing your research data.

Interviews

MyJYU AI Transcription (personal data, special categories of personal data with restrictions)

• A new secure application for recording and transcribing interviews.
• You can use your own smartphone and the MyJYU app to record interviews.
  • Always make sure you have the latest version of the MyJYU app installed!
• You may record interview material containing special categories of personal data or other sensitive information with your own phone and the MyJYU app, provided your phone meets the following criteria:
  • Biometric authentication is enabled;
  • Operating system is Android 10 or newer / iOS 17 or newer.
• Instructions for using MyJYU AI Transcription.

University of Jyväskylä Zoom (personal data, special categories of personal data with restrictions)

If you cannot use MyJYU AI Transcription, use Zoom with your university credentials at: https://jyufi.zoom.us.
Instructions for using Zoom to record research interviews — Intranet Uno (jyu.fi).

If the interview involves special categories of personal data:

• Zoom must be used on a university device.
• Recordings must be saved to your personal university U-drive, not to your own computer.

University of Jyväskylä M365 Teams (personal data)

• If you are not processing special categories of personal data, you may also use the university’s M365 Teams application with your university Microsoft credentials.

Note: Zoom and Teams can be used not only for remote interviews but also as recorders for in-person interviews if MyJYU AI Transcription or the university’s physical recorder is not an option.

Encrypted recorder (personal data, special categories of personal data with restrictions)

• Use a portable audio recorder borrowed from the university.
• Ensure the recorder has an encryption feature for recordings.
• Delete the recording from the device immediately after transferring it for processing.
• Encryption keys must be changed when the device is assigned to a new user.
• More information: Recording and processing research interviews — Intranet Uno (jyu.fi).

Transcription

MyJYU AI Transcription and Researchvideo (personal data, special categories of personal data)

• MyJYU AI Transcription and Researchvideo are secure, university-owned tools that use AI for transcription.
• You may use them for transcribing material containing special categories of personal data.
• If you use a recorder and the material contains special categories of personal data, perform transcription in Researchvideo.

University of Jyväskylä M365 Teams and Word (personal data)

• If your material does not contain special categories of personal data or other sensitive information, you may also use the transcription features in M365 Teams and Word with your university Microsoft credentials.

Surveys

Important: Do not use commercial survey tools such as Google Forms or SurveyMonkey!

Webropol (personal data, special categories of personal data with restrictions)

• JYU’s Webropol survey tool is suitable for one-time surveys.
• If the survey includes sensitive data (such as special categories of personal data), Webropol may be used under certain conditions:
  • Send the survey link to respondents via encrypted email. Use the “Encrypt” option in your JYU email settings.
  • Avoid naming surveys in a way that reveals sensitive information, e.g., “Survey for Depressed Individuals.”
  • Select “Web link – Public link” as the response collection method.
• Detailed instructions for secure use of Webropol.

REDCap (personal data, special categories of personal data)

• JYU’s REDCap survey tool is ideal for longitudinal and repeated surveys.
• REDCap is specifically designed for collecting and processing special categories of personal data and other sensitive or confidential data.
• The tool allows building versatile online surveys and forms, and is useful for field research and structured interviews.
• Personal credentials for REDCap are requested via the HelpJYU form.
  • Select “Studying” as the purpose.
  • Access remains valid for the duration of your study rights.
• Instructions for account set-up and login.
• Important: Review REDCap’s security principles and functionalities carefully by reading the user guide (jyu.fi) when planning a survey involving sensitive data.
• REDCap is feature-rich and its interface is in English, so start familiarizing yourself with it about 3–4 weeks before sending the survey.

Other devices and software

• If you need a secure way for participants to contact you (e.g., to schedule an interview), they can send you an encrypted email from any email address.
  • Each student has a long and short email address. The short format is: username@jyu.fi. External encrypted emails should be sent to this short address.
  • Instructions are available on HelpJYU.
• If you issue an open invitation for interviews, you can collect responses using a Webropol survey.
  • Select “Web link – Public link” and add a response field to the survey where the participant can enter their contact information.
  • Name the survey in a way that does not reveal information relating to the person responding. For example, if you name the survey “Survey for Alzheimer’s Patients” and ask for the respondent’s name and contact details in the survey, health information in the title would be linked to direct identifiers in the response fields.
• If you intend to film participants, make sure that your device, such as video camera, is also secure.
• It is recommended that you ask your supervisor about the devices provided or recommended by the university.
• If you are considering the use of other software not mentioned on this page, ascertain whether the software is AI-assisted and whether JYU recommends its use.

Remember: the processing of the data must be carried out in such a way that the information to be protected is not revealed to third parties.

• For example, transcriptions of interviews should not be made in public spaces. Especially if the data contains special categories of personal data, sensitive data, or confidential information, process the data alone, for example, at home.

SECURE STORAGE LOCATIONS

According to the university’s data policy, it is the researcher’s responsibility to use the university’s secure storage solutions for preserving research data.

• Especially if your research data contains personal data (basic or special categories) or confidential/sensitive material, you must use the storage locations provided by the University of Jyväskylä.

If you work with a research group or existing datasets, the project or data provider may give more detailed instructions for secure data handling and storage.

If you use any other storage location, justify this in your Data Management Plan.

Are you considering your own or workplace computer for storage?

• If you choose this option, you are personally responsible for data security and automatic back-ups.
• Do not use standard USB sticks or unprotected external hard drives – they are both lacking in data security and vulnerable to physical damage.

Storage options provided by the University of Jyväskylä

University U-Drive (personal data, special categories of personal data with restrictions)

• U-Drive is a university-owned and automatically backed-up storage location.
• You can access U-Drive from your own computer via the university VPN connection. See instructions for remote access via VPN.
• U-Drive is personal, and access is blocked when your study rights end.
• Special categories of personal data must be stored in encrypted files.

University M365 OneDrive (personal data)

• OneDrive can be used as a storage only if your data does not contain special categories of personal data or other sensitive/confidential information.
• Ensure you are logged in with your university Microsoft credentials, not personal ones.

Researchvideo (personal data, special categories of personal data)

• Researchvideo is a storage location specifically for video material containing special categories of personal data.

CollabRoom (personal data, special categories of personal data with restrictions)

• CollabRoom is a secure collaboration service for university staff, with access available to students upon request.
• CollabRoom credentials can be requested via the HelpJYU portal:
  Services and guidance → Research → Resources → CollabRoom.

Nextcloud and S-Drive (personal data, special categories of personal data with restrictions)

• As part of a research group, you may have access to shared folders in Nextcloud or network drives (S-Drive).
• Access to Nextcloud can be requested using the grant researcher form.

File encryption

• In many university-provided storage locations, storing and processing special categories of personal data or sensitive/confidential information requires file encryption.
• For example, in U-Drive such files need to be encrypted.
• If absolutely necessary, you may temporarily store encrypted files also in OneDrive.

Files are encrypted using Cryptomator software.

• See instructions for Cryptomator.
• Download from Cryptomator’s official website.
• Important: Cryptomator requires creating a password. If you forget the password, it cannot be recovered, and you will lose access to your data. Choose a password you will remember and/or store it securely.

Back-ups

• Make regular back-ups of different versions of your data – especially before major processing steps.
• U-Drive automatically backs up all content, but you should also make your own back-ups.
• If your data does not contain special categories of personal data, you may use OneDrive for back-ups (or vice versa).

Note: Any key file linking identifiers to personal data must be stored in a separate secure location, such as a locked desk drawer.

If the data is sensitive, any transfers must be done over a secure network, such as a VPN connection.

Avoid transferring data via USB sticks and external hard drives.

AI, PERSONAL DATA, AND DATA PROTECTION

If you consider using AI applications to collect or process your research data, first evaluate what kind of data you intend to input into the application:

• Have you received the data or part of it from another source? Are there contractual restrictions on the use of the data?
• Is it possible for you to anonymise the data before using AI, or to minimise the personal data input into the application?
• Is the use of the application for processing personal data in line with what you have informed the data subjects when collecting their personal data?
  • For example: Is the provider of the application mentioned as a processor of personal data in your research? Or does the use of the application result in the transfer of personal data outside the EU, even though you have informed the subjects that processing will occur within the EU?

Important: Ensure that your actions are consistent with the information you have communicated to the research participants or other data subjects!

Data protection guidelines for undergraduate and doctoral students regarding the selection and use of AI applications depend on whether you are:

• The data controller yourself, i.e., responsible for processing personal data, and not employed by the University of Jyväskylä
• Employed by the University of Jyväskylä and/or the University of Jyväskylä is the data controller for the dataset.

If you are an independent data controller and not employed by the university:

• Primarily use AI applications provided by the University of Jyväskylä that are accessible with university credentials and approved for processing personal data according to the Table of processing confidential information.
  • An example of such an application is MyJYU AI Transcription.

When the software is centrally acquired by the university, university experts have investigated the application's personal data processing on your behalf, such as:

• What personal data does the application collect from its users (i.e., from you)?
• Does the application provider impose restrictions in its terms of use regarding personal data processing (can/cannot input personal data)?
• Does the application comply with the EU General Data Protection Regulation (GDPR)? Where does the processing of user data or input data occur?
• Do the personal data input into the application remain permanently with the service provider? (If they do, the application should not be used!)

If the University of Jyväskylä is the data controller and/or you are employed by the university:

• Check the Table of processing confidential information to see which (AI) applications you can use to process personal data.
• Do not input any data containing personal information into the application unless the application is specifically designed to process personal data in accordance with data protection legislation and is provided through the University of Jyväskylä and used with university credentials.
  • An example of such an application is MyJYU AI Transcription.

JYU TABLE OF PROCESSING CONFIDENTIAL INFORMATION

The table is a guide for university staff and grant researchers, but it also serves students and their thesis supervisors. The table explains where you can store and process data that is categorised as:

• Public
• Confidential - protected (e.g., personal data)
• Secret (e.g., special categories of personal data)

The table is complex, so review it with your supervisor.