Definition

Data security encompasses all preventive physical and technical measures that protect both digital and analog data. The goal of data security is to ensure data availability, maintain confidentiality, and guarantee data integrity.

Introduction

Forgotten USB sticks in copy shops, printouts left in printers, hacked email accounts, lost passwords – who hasn't experienced these situations? The importance of securing and safeguarding data is growing rapidly, especially in the age of cyberattacks, spyware, and ongoing debates about artificial intelligence and deepfakes.
Personal data in general, and research data in particular, are valuable and should be stored securely to prevent loss and unauthorized access. Safe storage and protection of research data are essential components of research data management and fundamental to sound scientific practice.
Effective data security includes not only physical security measures but also the protection of computer systems, secure data deletion, and safe online communication and collaboration. Generally, data security aims to achieve the following objectives:

• Confidentiality – Data access must be restricted to authorized individuals.
• Integrity – Data must remain free from unauthorized alterations or damage.
• Availability – Authorized users should have access to data at all times.

Motivation

Data generated in research projects is often unique and must be securely protected. This includes safeguarding intellectual propertyThe German Copyright Act (UrhG) protects certain intellectual creations (works) and services. Works include literary works, photographic, film and musical works, as well as scientific or technical representations such as drawings, plans, maps, sketches, tables and plastic representations (§ 2 UrhG). The artistic, scientific achievements of persons or the investment made, on the other hand, are considered to be services worthy of protection (ancillary copyright).The author is entitled to publish and utilize the work. Read More, sensitive personal dataWithin the category of personal data, there is a subset known as special categories of personal data. Their definition originates from Article 9(1) of the EU GDPR (2016), which states that these include information about the data subject’s: Read More, contractually protected research findings (such as results from commissioned research), and trade secrets. Moreover, unpublished scientific insights also require protection (Biernacka, 2021, p. 116).

Fields such as social and cultural anthropology frequently work with sensitive participant data that contains confidential, personal, and legally protected information, potentially raising serious data protection concerns.

"For ethically responsible research, it is therefore essential to develop and implement a strategy to protect the identity of study participants."

(Trixa & Ebel, 2015, p. 12)¹ Translated by Saskia Köbschall.

Ideally, researchers should consider data security as early as possible – preferably during the planning phase of their project. Additionally, some research funding agencies, such as the German Research Foundation (DFG), now require information on how data security will be ensured as part of funding applications (DFG, 2022). This requirement may become more widespread, as universities are increasingly targeted by cyberattacks in which hackers have stolen and leaked personal data on the dark web. Recent incidents at the University of Duisburg-Essen (Reule, 2023), the Technical University of Berlin (TU Berlin, 2023), and Heinrich Heine University Düsseldorf (HUU, 2023) illustrate the growing risks. Beyond external threats, researchers also have a personal interest in protecting their extensive research efforts and results. Data security measures should therefore be regularly reviewed and optimized throughout the research project to ensure their effectiveness.

Methods

In addition to creating backupThe term backup means data protection or data recovery and refers to the copying of data as a precaution in the event that data is lost, e.g. due to hard drive damage or accidental deletion. The data can be restored with a backup. For this purpose, the data record is additionally saved on another data carrier (backup copy) and stored offline or online. Read More copies through regular backups to safeguard data in case of emergencies, the following measures can protect (research) data from unauthorized third-party access:

1. Physical Security Measures in Shared Spaces

• Lock windows and doors when leaving a room.
• Protect desktop computers from unauthorized access by using screen locks.
• Do not leave portable storage media (e.g., external hard drives, USB sticks) unattended; store them securely whenever possible.

2. Computer System Security and Secure Online Work and Communication

2.1 Password Protection (Devices, Folders/Files, Accounts)

Despite increasing data breaches and cyberattacks on public institutions, many German internet users still rely on weak passwords such as 123456, password, or qwertz, which top the list of the most commonly used passwords (HPI, 2021).

"It is crucial to understand that passwords are the gateway to our digital lives. As we spend more time online, improving our cybersecurity practices becomes increasingly important."

(Gronau, 2021)²Translated by Saskia Köbschall.

While there is no 100% protection against cyberattacks, strong passwords make unauthorized access significantly more difficult, as they require substantial time and computational power to crack. Password protection is essential for securing:

• Hardware (PCs, external storage devices)
• Online accounts (email, social media, cloud storage, streaming services)
• Compressed (zipped) files and folders

Tips for Creating Secure Passwords:

• Use long passwords (at least 8 characters)
• Include uppercase and lowercase letters, numbers, and special characters
• Avoid dictionary words
• Do not reuse the same or similar passwords
• Modify words by replacing characters with visually similar alternatives (BESEN → I3€5EN)
• Use passphrases (e.g., IchHabeEinNeuesPasswort → IchHabe1nPa$$Wort.)
• Store passwords securely (consider password management software such as KeePass)
• Enable two-factor authentication (2FA)Two-factor authentication (2FA) supplements password protection by requiring a one-time code, delivered via SMS, smartphone app, or hardware token. This method significantly enhances security, as access to the smartphone or similar device is also necessary in order to gain access to the protected data. Read More whenever possible

The following video (approx. 4:30 min) explains how passwords can be cracked and how to create secure passwords:

2.2 Encryption

Encryption is a method of securing data by making it unreadable to unauthorized users. The data is converted using algorithms so that only authorized individuals with the correct “key” can decrypt and access it.

a) Encryption of Software and Hardware

The following video (approx. 2 min) explains the concept of encryption and decryption:

Various free software programs can encrypt files, folders, drives, operating systems, or even emails:

7-Zip: https://7-zip.org/
Compresses and encrypts files for secure transmission. It also allows password protection and filename encryption.

Gpg4Win: https://www.gpg4win.de/
A Windows-based encryption tool for emails, files, and folders, commissioned by the Federal Office for Information Security (BSI) (BSI, 2023c).

VeraCrypt: https://www.veracrypt.fr/en/Home.html
Encrypts entire or partial hard drives and external storage devices on Windows, macOS, and Linux.

b) Encrypted Online Communication

The following video (approx. 2 min) explains encrypted communication:

One of the most secure ways to encrypt messages is end-to-end encryption, which is now a standard feature in many email and messaging services. This ensures that only the intended recipient, with the correct decryption key, can read the messages, preventing third-party interception.

2.3 Additional Security Measures

• Use firewalls and antivirus software
• Regularly update software (operating systems, applications) and install security patches
• Avoid using open, unsecured Wi-Fi networks
• Use a USB data blocker when charging smartphones in public spaces³(A USB data blocker prevents unauthorized data transfers - also known as "juice jacking"- while allowing only power to pass through.)

3. Secure Data Deletion in Digital Systems

Deleting files by moving them to the recycle bin and emptying it does not permanently erase them - only the references to the files are removed, leaving the data recoverable with specialized software. To ensure that sensitive dataWithin the category of personal data, there is a subset known as special categories of personal data. Their definition originates from Article 9(1) of the EU GDPR (2016), which states that these include information about the data subject’s: Read More is permanently destroyed, researchers should use secure deletion tools or physically destroy storage devices.

• Secure Data Deletion on Hard Drives with free programs that overwrite files multiple times to make them irretrievable:
  • File Shredder (Windows and macOS)
  • CCleaner (Overwrites free space or entire hard drives)
  • Eraser (Overwrites data upon Windows startup)

• Secure Data Deletion on Mobile Devices (Before Selling or Recycling)
  • Encrypt the data, then…
  • Delete and overwrite data and user information, finally…
  • Reset the device to factory settings (See BSI security tips, 2023b)

• Secure Data Deletion on Flash Storage (e.g., USB drives, SSDs)
  • Overwrite free space after deletion using tools like CCleaner
  • Overwrite free space by filling it with a large, meaningless file (e.g., a video) (Schieb, 2022)

For up-to-date guidance on securely deleting data from different devices, consult the Federal Office for Information Security (BSI, 2023b).

Practical Examples

The following real-world example illustrates measures for securely handling research data in the field, particularly when working with vulnerable research participants.

Tools

• Password Management Software
  • Keepass (Open-source and free): https://keepass.info/
  • Federal Office for Information Security (BSI) guide on password managers (2023a): https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Accountschutz/Sichere-Passwoerter-erstellen/Passwort-Manager/passwort-manager_node.html
• Encryption Software (Recommended by the BSI, 2023c) Gpg4.org:
  • Download Software: https://www.gpg4win.de/
  • Documentation: http://www.gpg4win.de/documentation-de.html
• Additional Security Tools
  • Check if your email address has been leaked in data breaches: English https://haveibeenpwned.com/ German https://sec.hpi.de/ilc/search
  • Estimate how long it would take to crack a password: https://www.passwortcheck.ch