Data sharing can have many benefits for organisations, businesses, and individuals. However, the sustainability and acceptance of any data sharing arrangement depend crucially on the level of trust that the involved parties have in the applied instruments, processes, and policies. Data security is a core mechanism for building such trust.
The purpose of this guide is to structure these recommendations based on the specific needs and requirements that data sharing practitioners have. Its objective is to serve as a reference for practitioners, helping them to set up secure data sharing systems, policies, and procedures.
To achieve this, this guide presents a detailed view of the most important aspects (i.e. building blocks) of data sharing as well as the fundamental data security aspects and mechanisms. These two dimensions are joined together in a dedicated section that explains which security aspects fit into each building block, and which controls need to be taken into account.
The "Data security overview" section gives an overview of the topic of data security. It presents the basic concepts such as CIA (Confidentiality, Integrity and Availability), threats and vulnerabilities, risk assessment, and continuity. The main content of this chapter is dedicated to the detailed presentation of the security aspects for each dimension such as architectural design, IT-security, maintenance, and security policies.
The "Secure data sharing" section introduces the notion of data sharing and its various forms depending on the type of data concerned. The bulk of the section is dedicated to the dissection of the notion of data sharing into building blocks, i.e. fundamental processes that take place in a data sharing scenario, and a detailed presentation of each one of them. It should be noted that not all those building blocks are necessary, or even desirable, in all real-world data-sharing scenarios – but they can occur depending on the specific case. It also presents a practical view on how these security aspects fit into the data sharing building blocks. It gives a concrete list of the controls that need to be considered for the adoption of state-of-the-art technologies and standards in data security in order to fulfil the relevant security requirements. Those guidelines are drawn from various sources such as standards, white papers, and regulatory information.
However, before diving deeply into these specific areas, let us briefly explore how the topics of data sharing and security belong together broadly.
Data sharing, in today’s environment of interconnected services, is a natural requirement for each organisation, business or service provider that wants to connect with its peers and get results based on large and/or diversified sets of information. Across all sectors of the economy, organisations such as research organisations, trade and exchange companies, small and large enterprises, government departments, and highly specialized intelligence organisations see the benefits, and in most cases the need, to exchange data with other relevant peers.
Depending on the type of data, the sensitivity of data, and the technological level of the organisation, there is a multitude of considerations that need to be addressed before the actual sharing and exchange can take place. The data needs to be stored somewhere and be accessible, formatted accordingly and signed if needed, and protected and discoverable depending on the terms of usage and licences.
Allowing data to be accessible by external entities is a type of exposure that warrants asking questions such as “who has access”, “for how long”, “how should this data be used”, “what personal information does this data contain”, “how much does it cost”, and “is there any liability”? In order to be able to answer these questions, the data needs to be structured accordingly.
A practical way to highlight the issues that arise with the decision to share data is to describe a typical example of the steps that need to be taken during the preparation of the data and the considerations (mainly in terms of security) that arise in each step.
Figure 1 shows an example of such a sequential consideration, containing all the usual steps like formatting the data, adding licence information, ensuring proper data protection, defining access control, and others.
Note that not all the steps are necessary or even relevant for all types of data or all data sharing scenarios. While the example describes the appropriate steps for confidential and proprietary data, in case of other types of data (like open data or public personal data) some of the steps can be ignored while others (e.g. data storage) must always be present. Chances are that in most non-trivial data sharing scenarios, most of these steps are mandatory and, given their generic nature, can be considered as building blocks for a well-designed data-sharing preparation.