Looking at the risks associated with working from home from a researcher’s point of view.
Most of us have been displaced from our normal work environment for a while now. After a few teething problems, we’ve got the home office set up, the caffeine on tap, communications apps installed and the broadband connection purring (if not running red hot). And although the days tend to merge into each other, we’re starting to feel we’ve got it sussed.
We can do this! We can continue our research from home! No problem!
Well, actually, it’s not quite that simple.
There are a few things to consider in order to keep your data protected and funder compliant.
1. Access and copyright rules
It is worth checking if working on your research away from the normal workplace is allowed.
In the face of government advice that we should all work at home if we can, it may sound like a silly question, but some institutional policies explicitly prohibit it, especially where sensitive information is concerned.
At the very least, check the policies before transporting that enormous data file containing millions of sets of personal and identifying information off site. I would even go so far as to suggest that, unless the policy explicitly allows for working at home, seek guidance and permission first.
2. Computer security
Next, let’s look at the home computing environment. Some researchers will be using a computer supplied by their employer, while others will be using their own equipment.
Whatever equipment is in use, security must be a top priority to protect data from unauthorised viewing, theft and accidental loss.
Start by making sure the operating system and application software security patches are installed, along with up-to-date anti-virus and anti-malware from a trusted source. Your IT department should be able to advise on installation and use.
Avoid mixing research documents and data with personal data. If possible, use a separate computer that isn’t used by other members of the family. At the very least, don’t share logins and keep your account safe with a strong password and multifactor authentication. It’s worth checking if your operating system encrypts data too.
Try to remain vigilant for phishing emails and suspect links and don’t hesitate to raise the alarm if you think you’ve made a mistake and fallen for a scam.
It may still be possible to work on data held at your institution even if you’re elsewhere. If you don’t already have the facility to connect to your institution and utilise a remote desktop, ask the IT department for help. As a general rule, storing or working with personally identifiable information (PII) on a personal computer is a no-no.
If you must move data (and are allowed to), using encryption is essential. This can take many forms, including running a virtual private network, which encrypts data passing through an internet connection. You can also encrypt individual files or collections using widely available tools like Zip, 7Z and VeraCrypt. A word of warning though: make sure you back up the encryption key!
3. Back up plans
Create a backup on a regular basis.
Ask yourself: when was the last time you backed up your home machine? Have you got multiple copies of data in multiple locations? When was the last time you tested that you could retrieve information from the back-up? How far back can you go?
4. How about cloud and data sharing rules?
They’re surely useful for researchers? Well, yes and no.
You need to ask yourself "where is my data located and who can access it?" This is where the general data protection regulation (GDPR) and other data protection issues come to the fore. Many grant conditions and, indeed, some institutional policies, will have rules about where data is kept, who has access and so on.
Typically, research data must be kept within Europe and, in some cases, regulations may also stipulate that it’s encrypted at rest too. If your institution has a cloud solution, such as OneDrive, Google Drive, Dropbox etc., you’re probably covered as your institution will almost certainly have stipulated that the data storage follows these rules (but check). And when you publish, a reasonable repository (such as Jisc's open research hub) will also help keep things safe and secure.
Be careful not to break the rules by sharing data with people through other channels—such as sending information to a contact in the US via a personal Gmail account.
5. Video meetings
Some video conferencing technologies are more secure than others.
Jisc has shared a blog on this (or check out the National Cyber Security Centre’s (NCSC) advice on how to do it safely).
To sum up, it’s all about balancing risk (reputational and financial) with the ability to keep on keeping on. I’m not suggesting that everyone undertakes a full-blown data impact analysis for every adjustment, but at least pause to consider the risks.
I could go on. For instance, I haven’t even touched on the question of whether your computer is up to all that number crunching.
But I won’t.
Stay safe, keep your data safe.