Data storage at HVL
This instruction aims to ensure that all data at HVL are classified and stored in a manner that ensures information security and privacy in relation to their content.
All information and systems that process information should have an owner. The owner should classify the information based on its value and the laws and regulations in effect at any given time.
Value Assessment
The information owner should assess the value of the information in relation to:
- Confidentiality - how important it is that the information is not known to unauthorized individuals
- Integrity - how important it is that the information is accurate and cannot be altered by unauthorized individuals
- Availability - how critical it is for the information to be accessible
Legal Requirements
Many types of information, such as personal data, health data, and student information, are subject to legal requirements. It is the owner's responsibility to keep track of the laws and regulations applicable to the information. For personal identification numbers and special categories of personal data, there must also be a legal basis. The basis must always be known and present before the information is collected, processed, or stored.
By following this instruction and handling the information as specified here, in most cases, you will receive assistance in finding the right storage location and appropriate security level.
The owner is responsible for classifying all information.
Information Classification
Classification is an important tool for ensuring proper storage and handling of information. All information/data should be classified into one of the four categories: Open (green), Internal (yellow), Restricted (red), or Strictly Restricted (black), with corresponding color coding to facilitate overview.
If it could harm national security interests for the information to be known to unauthorized individuals, the information must also be classified according to the Security Act. Such information should only be stored and processed in information systems approved for this purpose.
Open (Green) Information
Available to everyone
Information that not only can, but also should, be available to everyone, without restrictions.
This may be based on HVL's societal mission or mandated through laws, such as the Freedom of Information Act or regulations within the relevant field. Much of HVL's information falls under this category of open [green] information.
Even though the information is freely accessible, it is important to ensure its accuracy. Therefore, we have a responsibility for the integrity of our open information. This means that it should always be up to date and that only authorized individuals can make changes. There may also be guidelines regarding the use and copying of data that must be followed (copyright and licensing). For HVL, being a responsible public institution, it is crucial to adhere to such guidelines.
Examples of open [green] information include:
- information about study programs and research activities
- open publications
- study and research materials not limited by copyright.
Where can I store such information? Storage guide.
Internal (yellow) information
Accessible to those who need it for their work
Information that is relevant to or targeted at a specific group within HVL or named external collaborators who require access.
If such information goes astray, it can cause limited harm to individuals, the institution, or the collaborators.
The integrity of the information should be protected against alteration, deletion, and damage in the same way as open information. Additionally, it should be safeguarded against unauthorized access and dissemination.
Security measures should be implemented by controlling access through assigning read and write permissions to named individuals or groups. The owner should review access rights at least once a year.
Most of the information processed within HVL's administration will be internal (yellow).
Examples of internal (yellow) information include:
- Internal documents relevant to a specific group
- Documents that are "not publicly accessible" but not classified as "confidential" or "strictly confidential"
- Information in research, education, financial, and administrative systems
- Personal data, excluding social security numbers and special categories of personal data
Where can I store such information? Storage guidelines.
Confidential (red) information
Information subject to restricted access.
This refers to information where access limitations are imposed.
Confidential information refers to information that is inherently sensitive or that HVL is required to restrict access to by law, regulations, agreements, rules, or other regulatory frameworks.
"Confidential" corresponds to the classification level used in the Protection Instruction. It is used for information that, if disclosed to unauthorized individuals, would cause harm to public interests, the institution, individuals, or collaborating parties.
As a general rule, this information should only be stored in dedicated systems designed for the purpose and based on the owner's written assessment of the need, legal basis, and risks involved.
Furthermore, access to this information should be controlled by granting read and write permissions to authorized individuals or groups. Authorization for access is based on specific assigned tasks or approved research purposes.
Examples of confidential [red] information include:
- Personal identification numbers
- Special categories of personal data (sensitive data)
- Information regarding health, employment, and salary data
- Research data falling within this category - should be stored on HVL SILAF (research server)
Where can I store such information? Storage guidelines.
Highly confidential (black) information
Information that must be protected with particularly strict measures
This is the same type of information as Highly Confidential (black), but where specific requirements or considerations necessitate enhanced security.
Large amounts of information or contractual obligations may require additional protection beyond the minimum required by law. The storage and handling of highly confidential information should always be done in close collaboration with and with approval from the responsible Prorector and the IT department.
The systematic processing of special categories of personal and health data should follow the Norm for Information Security and Privacy in Health and Care Services ("the Norm").
If such data is compromised, it could cause significant harm to individuals, public interests, the institution's reputation, or business partners.
Examples of highly confidential [black] information include:
- Large amounts of specific personal data
- Large amounts of health information
- Research data and datasets of significant economic value
Where can I store such information? Storage guide.
Sensitive information
Information that can harm national security interests
As soon as you become aware that you will be handling or storing protective information in your work at HVL, which means information related to national security interests, you must immediately consult with:
- The Document Center
- Information Security Advisor
- Advisor for Societal Security and Emergency Preparedness
If necessary, the Rector can authorize HVL employees to work with unclassified or limited protective information.
Under no circumstances can HVL handle or store information that could harm national security interests:
- Confidential (CONFIDENTIAL)
- Serious harm (SECRET)
- Critical harm (TOP SECRET)
UNCLASSIFIED
In addition to the classification of information mentioned above, information that could potentially harm national security interests must be protected in such a way that:
- It is only accessible to those who require it for their duties and have been authorized by the Rector.
- It is not known to unauthorized individuals, even internally at HVL.
- It is not lost or subject to unauthorized alterations.
If the risk assessment deems it necessary, unclassified protective information (according to the Agency Regulations Section 13) must be protected against advanced attack methods.
LIMITED
If the protective information is classified as LIMITED, the security requirements are even stricter.
This information must be protected in such a way that it is not known to unauthorized individuals, including other employees within the same unit or at the same level at HVL.
The information must be labeled as LIMITED (as shown below) and can only be stored in approved locations and information systems specifically designed for this purpose. HVL has such systems that are isolated from other information systems.
PCs and storage units
| Service | Open - Green | Internal - Yellow | Confidential - Red | Strictly Confidential - Black | Conditions |
|---|---|---|---|---|---|
| HVL PC (local hard drive) | Yes | Yes, with conditions (1) | Yes, with conditions (2) | No | |
| Private PC | Yes | No | No | No | |
| HVL USB drive / external hard drive with encryption | Yes | Yes | No | No | |
| Private USB drive / external hard drive / voice recorder | Yes | No | No | No | |
| HVL voice recorder | Yes | Yes | No | No | |
Cloud and storage services
| Service | Open - Green | Internal - Yellow | Confidential - Red | Strictly Confidential - Black | Conditions |
|---|---|---|---|---|---|
| HVL OneDrive | Yes | Yes | No | No | |
| HVL-controlled file system or approved domain-specific system | Yes | Yes | Yes, with conditions (3) | Yes, with conditions (3) | |
| SILAF - Secure Storage of Research Data (Research Server) | No | Yes | Yes | Yes | |
| SurveyExact | Yes | Yes, with conditions (6) | No | No | |
| Private cloud services (Dropbox, Google Drive, or similar) | No | No | No | No | |
| HVL Dictaphone | Yes | Yes | No | No | |
Communication Services and Email
| Service | Open - Green | Internal - Yellow | Confidential - Red | Strictly Confidential - Black | Conditions |
|---|---|---|---|---|---|
| HVL email without encryption | Yes | Yes, with conditions (4) | No | No | |
| HVL email with encryption | Yes | Yes | Yes | No | |
| Private email (Gmail, Hotmail, or similar) | No, with conditions (4) | No | No | No | |
| HVL Zoom | Yes | Yes | Yes | No | |
| HVL Teams meeting/messaging service | Yes | Yes | No | No | |
| HVL Private meeting/messaging service (Teams, Slack, IRC, Fb, or similar) | No, with conditions (4) | No | No | No | HVL employees can communicate with students or collaboration partners using their private email. |
| Filesender (Sikt) | Yes | Yes, with conditions (5) | No | No | |
| Mattermost with encryption (Sikt) | Yes | Yes | Yes | No | |
| Canvas | Yes | Yes | No | No | |
Websites and Social Media
| Service | Open - Green | Internal - Yellow | Confidential - Red | Strictly Confidential - Black | Conditions |
|---|---|---|---|---|---|
| hvl.no | Yes | No | No | No | |
| hvl.no/vestibylen | Yes | No | No | No | |
| HVL-managed websites | Yes | No | No | No | |
| HVL-managed social media | Yes | No | No | No | |
| Private websites and social media | No | No | No | No | |