
Security awareness

As a researcher, you need to know how to safely manage information and digital tools in your work. You may need to take both technical and organisational measures to protect research data and other information. This page provides a brief guide on what you need to consider and links to in-depth information.


Technical and organisational safeguards

When you need to process personal data in your research project, you may need both technical and organisational safeguards.

  • Technical safeguards include, for example, the choice of IT systems or services, encryption, access control and pseudonymisation.
  • Organisational safeguards are, for example, procedures and working methods that increase the protection of the information. 

Always carry out an information classification before starting a project to learn more about what level of protection the information in your research project needs.

Read about information classification 

Classified data

If your research contains classified data, these must be processed in specific ways. Always contact the university security team at the Property Management Office for advice at sakerhet@umu.se.

Read more about research data with high protection value

Choice of IT systems for storing and collecting research data

It is important that you ensure that the IT systems you use have the right level of protection for the information and research data you process. If possible, use IT systems and services recommended and provided by the University. These have the technical safeguards needed for the type of information for which they are intended.

You must also bear this in mind when managing research data:

  • Use IT systems and services approved for the protection level of the information to store, process and share research data. Use them only for the type of information for which the system or service is classified.
  • If you discover that research data is being stored in systems with too low a protection level, ensure that the data is moved as soon as possible to a storage solution with an adequate protection level and removed from the original system.
  • Data classified as secret and sensitive personal data can be sent using the University's encrypted file transfer service: Skyddad bilaga (UMU ID required).
  • Privacy-sensitive personal data or personal data of particular importance to protect concerning individuals can be sent by email labelled with the sensitivity label “Confidential – UMU confidential with encryption”. Learn more about sensitivity labels on Aktum (UMU ID required).

Find programs and services

Read more about storage solutions and collection tools

Information on Aktum about file storage at Umeå University: Guide for storing files (UMU ID required)

Information on Aktum about tools for collecting data recommended by Umeå University: Learn more about data collection on Aktum (UMU ID required)

Keep track of who has access to information

Determine who in the project team has access to what information through authorisation control and established and known routines and working methods. Remember to always carry out a secrecy examination before sharing research data with people who are not employed at Umeå University.

More information about secrecy examination and research data

IT systems and cloud services procurement support team

Sometimes the IT systems or services provided by the University cannot be customised for your work. If you need to purchase software or a service, please follow the University's instructions for the acquisition of systems or cloud services:

Instructions for the acquisition of systems or cloud services at Umeå University (umu.se/regelverk)

Your department can get help in the procurement process from the IT systems and cloud services procurement support team.

Contact the procurement support team via ITS Servicedesk

Pseudonymisation of personal data

Pseudonymisation is a safeguard that is often appropriate to protect personal data. It means that personal data are encoded or reprocessed in such a way that they cannot be linked to an individual without the use of additional information, for example through the use of a code. The code must be stored separately from the pseudonymised personal data. It is important to remember that pseudonymised data are still personal data.
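
An added illustration of the split described above (not code from Umeå University or the Esam guide): direct identifiers are replaced with a random code, and the code key is returned as a separate object so it can be stored apart from the working data. The column names, code format and sample records are assumptions constructed for this example.

```python
import secrets

# Assumed names of the columns that identify a person directly.
DIRECT_IDENTIFIERS = ("name", "personal_id")

# Constructed sample records; the values are not real.
SAMPLE_ROWS = [
    {"name": "Anna Example", "personal_id": "19000101-0000", "score": "42"},
    {"name": "Bo Example", "personal_id": "19000202-0000", "score": "17"},
    {"name": "Anna Example", "personal_id": "19000101-0000", "score": "45"},
]

def pseudonymise(rows, identifiers=DIRECT_IDENTIFIERS):
    """Return (pseudonymised_rows, code_key).

    code_key maps each code back to the identifiers and must be stored
    separately from pseudonymised_rows, with stricter access control.
    """
    code_for = {}  # identifier values -> code, so one person keeps one code
    code_key = {}  # code -> identifier values (the "additional information")
    out = []
    for row in rows:
        ident = tuple(row[col] for col in identifiers)
        if ident not in code_for:
            # Random code: unlike a plain hash of the personal ID, it cannot
            # be recomputed by trying every possible ID value.
            code = "P-" + secrets.token_hex(8)
            code_for[ident] = code
            code_key[code] = dict(zip(identifiers, ident))
        rest = {k: v for k, v in row.items() if k not in identifiers}
        out.append({"code": code_for[ident], **rest})
    return out, code_key

def reidentify(record, code_key):
    """Re-link one pseudonymised record; only possible with the code key."""
    rest = {k: v for k, v in record.items() if k != "code"}
    return {**code_key[record["code"]], **rest}

if __name__ == "__main__":
    data, key = pseudonymise(SAMPLE_ROWS)
    for rec in data:
        print(rec)  # working copy: a code plus the remaining fields
    print(len(key), "entries in the code key (store separately)")
```

The remaining fields can still single out a person in combination, which is one reason the pseudonymised output is still personal data.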

The organisation Esam has produced a guide in Swedish to pseudonymisation of personal data:

Pseudonymisation of personal data (guidance from E-samverka.se)

Report personal data breaches immediately

A personal data breach may pose risks to the individuals concerned and may need to be reported to the Swedish Authority for Privacy Protection within 72 hours of its discovery. It is therefore important that you report personal data breaches as soon as they are detected.

More information on reporting breaches

More information on Aktum

On Aktum you will find:

  • information on basic information and cybersecurity training for staff;
  • a checklist for improving IT and information security; and
  • links to relevant pages on the staff website.
Hands on a keyboard in front of a screen with an open padlock.

Security awareness (Aktum)

Find employee training and a checklist to improve IT and information security (UMU ID required).

Icon with an i to illustrate information.

Information security (Aktum)

Find out more about information security on Aktum (UMU ID required).

Latest update: 2025-06-04

Learn more about data management and security

Four bits of a circle illustrating the process of managing research data: planning, organising, making accessible and preserving.

Manage research data

Planning, organising, making accessible and preserving research data.

Illustration: hand holding an ID card in front of a screen.

Process personal data in research

When processing personal data, you need to meet the GDPR requirements.

Hand picking an identification out of a computer.

Report incidents immediately

Immediately report any incident involving IT security, personal data or security protection.