When storing sensitive data, the first concern is to find a good security strategy for your type of data.
Sensitive data can still meet the requirements of the FAIR Data Principles (findability, accessibility, interoperability, and reusability) and be processed in a way that the needed protection is guaranteed also in the future.
Anonymization
Pseudonymization
Pseudonymization substitutes the identity of the data subject in such a way that additional information is required to re-identify the data subject. The pseudonym allows tracking back of data to its origins, which distinguishes pseudonymization from anonymization, where all person-related data that could allow backtracking has been purged. Pseudonymised data are still legally considered as sensitive data because the data can be linked back to a person, but it's considered as a secure approach since personal identifiers are stored somewhere else.
Encryption
Encryption is a very generic term and there are many ways to encrypt data. The key to a good encryption strategy is using strong encryption and proper key management. Encrypt sensitive data before it is shared. Encryption will make your data totally unintelligible to those who may try to access it which might reduce re-usability.
In case none of these options are available for your dataset, data should not be made open and be archived under a closed license in a Trustworthy Repository. You can however publish a description (i.e.public metadata) of your data without making the data itself openly accessible, which enables you to place conditions around access to the data.
-
Information professional: is someone who collects, records, organises, stores, preserves, retrieves, and disseminates printed or digital information.
-
Data access committees: A committee that reviews and authorizes applications for data access and use.
-
Safe havens: provide access to data and services to enable research while protecting the confidentiality of the data.
- Institutional data archives/vault: safe, private, store of data that is only accessible by the data creator or their representative.