Technical and organisational security measures for protection of personal data in Fairdata Services

Last updated: September 23rd 2024

1. Purpose

This description of the protection measures for personal data (technical and organisational security measures, TOMs) is part of the agreement between the data controller and processor regarding the processing of personal data, as referred to in Article 28 of the General Data Protection Regulation (EU) 2016/679. Below are listed the protective measures implemented by CSC in the Fairdata services IDA, Qvain, Metax and Etsin. These Fairdata Services allow data to be shared for use by others. The owner of the data and the data controller ultimately bear responsibility for the processing of the data in accordance with laws and other obligations. The Digital Preservation Service for Research data and the other Digital Preservation Services have a separate description of protection measures.

The data processor has the right to unilaterally change protective measures without separate notification when the changes maintain or improve the level of protection. An individual protective measure can be replaced with another as long as it does not weaken the protection of personal data. CSC may make changes to this description if protective measures for personal data are modified.

Explanations of the terminology used in this description of protective measures can be found in the terminology of the General Terms of Use for CSC’s Services for Research and Education.

2. Technical and organisational security measures in Fairdata Services

2.1. General

  • The processing operations performed by CSC are agreed upon in writing.
  • In accordance with the Terms of Use of the Fairdata IDA service, the user agrees not to store any data in the service that includes ‘special categories of personal data’ specified in Article 9 of the EU General Data Protection Regulation “Processing of special categories of personal data”.
  • CSC employs a role-based access rights management system. Access to information is restricted to individuals whose job responsibilities necessitate such access and only to the extent essential for the fulfillment of their duties. Access permissions are regularly reviewed.
  • Individuals accessing personal data are identified, unless the User Content has been publicly disclosed by the user. The user is responsible for ensuring that, when publishing any personal data, they have the full authorization to do so.
  • The maintenance of services generates logs containing user personal data.
  • Log information that contains personal data is retained for 5 years, after which it is removed.
  • The data protection expertise of those handling information is continuously developed and the completion of trainings is regularly monitored.
  • CSC’s personnel adhere to the confidentiality obligation outlined in Section 35 of the Data Protection Act in their work, and they are also bound by a prohibition against exploitation.
  • CSC has an appointed Data protection officer.
  • The transfer of data over the public data network is done using encrypted or otherwise protected data transfer connections or methods.
  • Software development is carried out in accordance with best practices.
  • Changes to the production environment follow a defined change management process.
  • The timeliness of critical documentation is ensured through regular reviews.
  • Regular continuity and recovery exercises are conducted for services.
  • Vulnerability scans are regularly performed for services.
  • System vulnerabilities are monitored, and critical patches are installed immediately upon availability.
  • There is a dedicated process for handling information security incidents.
  • The integrity and availability of services are monitored through controls implemented in a separate monitoring system.
  • The service uses multilayered protection.
  • Data storage location is within the EU (Finland).

2.2. Security Measures for Data Reception

  • User Content is received only from registered users utilising encrypted data transfer.
  • Inputted metadata, along with the utilized code sets, are validated against a predefined data model.

2.3. Data Storage Security Measures

  • The user can verify their User Content (files) transferred to the service against the checksum calculated by the service.
  • Multiple parallel copies are made for all User Content that the user has marked as “frozen”, and their integrity is automatically and regularly monitored in the IDA service.
  • Each research dataset has a unique identifier.
  • The service has versioning rules for published research datasets to ensure the integrity of the data. If the files of the published research dataset are no longer available in their entirety, for example, due to file removal, the dataset is marked as deprecated.
  • The service’s configurations and databases are regularly backed up.
  • Deviations detected during regular integrity checks are promptly corrected in the User Content, particularly for frozen files.

2.4. Security Measures for Data Usage and Processing

  • Each user has personal credentials to the service and the access to the service is authenticated. An exception is the search, view, and download features available for User Content that is openly shared by users, and thus does not require authentication.
  • Every registered user accepts the terms of use which outline the responsibilities and limitations related to the service use.
  • Requests made to interfaces are logged.
  • Usage rights within the service are manageable by users in the ways described in the user manuals.
  • Actions taken to ensure the integrity of the User Content are documented, and users are informed about them.

2.5. Security Measures for Data Distribution

  • Users have the responsibility to determine the openness, method of sharing, and usage policy for the User Content they upload to the service. The owner of the User Content and the data controller are responsible for the processing of the content in accordance with applicable laws and other obligations. An exception is the research dataset metadata, which the user always publishes under the CC0 license.
  • Each file associated with user-published research data stored in the service has a checksum available during file download.

2.6. Security Measures for Data Deletion

  • Upon the termination of service use, access to User Content is restricted. Unless otherwise agreed, User Content is promptly and permanently deleted after the grace period specified in the service’s terms of use has expired. An exception is made for published research dataset metadata, for which a tombstone page is always retained with information defined by the user.
  • The user account information is deleted upon the termination of use in accordance with CSC’s centralized user account management processes.