Prevent data leaks
Aim: This page explains what data leaks are and how they can be prevented.
Target audience: Anyone working with personal data (about other people).
If you discover a potential data leak, immediately report it to firstname.lastname@example.org
Data leaks occur when personal data about other people come into the possession of people who have no business with them, or when such data are lost and cannot be recovered. Sensitive data typically are personal data about other people. Within the scope of Nikhef, typical examples are information about applicants, apprentices and (former) employees, including (email) addresses, phone numbers, education or past work experience, performance reviews and even pictures.
A data leak may occur in various circumstances, for example:
- a computer account gets compromised, which allows unauthorized persons to access data
- an electronic device is lost or stolen, after which an unauthorized person gets access to the data on the device
- data are accidentally shared, e.g. via a public web page or document that is distributed to people who have no need to access the personal data
When a data leak occurs, Nikhef should quickly take action to comply with the law and do whatever is possible and needed to control damage. So please immediately report the discovery of a potential data leak to email@example.com.
Fortunately, you can take some measures to prevent data leaks or to minimize the risk of one. Some measures are technical, others are behavioral and require awareness and a certain degree of discipline.
Preventing data leaks
The number one rule to prevent data leaks: what you don't store, you cannot leak!
Storing personal or sensitive data
Sensitive data typically are personal data about other people. Within the scope of Nikhef, typical examples are information about applicants, apprentices and (former) employees, including (email) addresses, phone numbers, education or past work experience.
- Collect and process only required information. Do not ask for data about people that are not strictly required.
- Remove data about persons when the data are no longer needed, for example after the end of an application procedure or when someone has left the institute. This is required in order to comply with the privacy laws!
- Periodically clean up old data. Remove files that are no longer needed or will not be used anymore. Again, it is a legal obligation. For example, clean up data about participants of a conference or workshop after the event is finished.
If you are sure you must collect or store personal and/or sensitive data, always report it to the Nikhef privacy team: firstname.lastname@example.org.
Also take the following into account:
- Only store sensitive data on encrypted devices (see below). That applies to your laptop and telephone, but also backups on a USB disk or NAS device at home.
- Organize sensitive data, know what you store and where you keep it, so that you can easily clean up when the data are no longer needed.
Encrypt your device! How do I do that?
Encrypting your devices is a technical defense measure to prevent a data leak when the device is lost or stolen. This applies to laptops, desktop computers, mobile telephones, and external devices like a USB drive or NAS.
Of course, when you encrypt your device, you must ensure that you keep the encryption key safe and that access to your device is protected with a good password, fingerprint, PIN code or pattern. Do not share your code with others, not even your family members!
Please set up your device with disk encryption if you have not already done so!
Every modern operating system offers the possibility to do this, and setting it up is very simple. See below for how to set this up per operating system.
For Unix users there are various options for encrypting your hard drive.
In macOS this functionality is called 'FileVault'. How you can easily set this up yourself is described here: macOS FileVault. If you want more information about this topic, please read about it on the Apple website.
In Windows this functionality is called 'BitLocker'. How you can easily set this up yourself is described here: Windows BitLocker. If you want more information about this topic, please read about it on the Microsoft website.
Modern Android devices come with encryption by default. It does require a screen lock to be enabled. See for instance this page.
Enabling encryption on an iOS device is very simple. Chances are you've already enabled this. When you set a passcode for your iOS device, you have automatically enabled the encryption process. Once your passcode is set, your device is encrypted. It will remain encrypted until you disable your passcode. If you want more information about this topic, please read about it on the Apple website.
Accounts and passwords
- Do not use your Nikhef email address for private purposes.
- Choose strong passwords, certainly for work accounts or (private) banking accounts. Follow these guidelines for new passwords.
- Passwords that can be guessed because they are based on names, personal information or dates are not strong. The longer the password, the more resilient against automated attacks!
Tip: Use a passphrase. For example, if you used the passphrase 'If I could, I'd be in New-Zealand 365 days a year', you could make this more unrecognisable by shortening it to 'Iic,ibiN-Z365daY'. As mentioned earlier: make a sentence in which you use capital letters, punctuation and numbers interchangeably.
Extra tip: you can also use 'spaces' in your password to make it even longer!
- Use different passwords for all accounts and all registrations with web sites.
- To remember all these different passwords, use a password manager like KeePass, LastPass or Bitwarden.
- Do not store passwords in unencrypted files.
- Do not write down passwords on paper.
- Accounts and passwords are personal. Do not share them with others, not even with your colleagues or family members.
See Travel abroad for an explanation of what to think about and prepare before traveling abroad.
More extensive documentation in Dutch can be found on the site of the National Cyber Security Centre (NCSC).