Logotype The Swedish NAO, link to startpage.

Shortcomings in higher education institutions’ management of research data requiring protection

Swedish higher education institutions do not have effective information security to manage research data requiring protection, according to the Swedish National Audit Office’s audit. Higher education institutions often lack knowledge both about which data needs protecting and how it should be protected.

Two people are sitting at each computer. The screens show green text.

Photo: Maskot

Intelligence activities by foreign states against Swedish higher education institutions (HEIs) have intensified in recent years. This has led to a greater need for effective information security.

The Swedish National Audit Office’s audit of the 24 HEIs that conduct research in natural sciences, engineering and technology shows that they do not work effectively to identify and manage research data requiring protection*, despite the presence of requirements for this in regulations since 2008.

“Information security efforts relating to research data have been neglected at HEIs for a long time and have not been pursued effectively. The responsibility for this lies primarily with the HEIs. However, the measures taken by the Government and other agencies to follow up and strengthen HEIs’ information security efforts have been insufficient,” says Auditor General Helena Lindberg.

The vast majority of research data does not need protecting and can be accessible for everyone. However, to be able to identify which data is worth protecting, knowledge is needed about the research data managed in the organisations. Since HEIs lack knowledge about whether they handle research data worth protecting, and whether it is handled correctly, a basis for making correct risk assessments is missing. This, in turn, makes it more difficult to decide to introduce appropriate security measures.

Many researchers have insufficient knowledge and expertise in matters relating to information security. This includes knowledge of how information should be protected in practical terms and how research data should be classified in relation to current regulations and external requirements, including the Protective Security Act.

“The HEIs’ managements have not given sufficient priority to information security efforts and adopted guidelines, procedures and working methods have not been fully implemented,” says Sara Monaco, project leader for the audit.

In addition, the Government has been late in its follow-up of information security at HEIs. Not until 2019 did the Government begin to follow up these matters more systematically in agency dialogue with the HEIs and through various reporting requirements.

The various training initiatives and support that agencies such as the Swedish Civil Contingencies Agency provides have also not had sufficient impact in the higher education sector.

Recommendations in brief

The Swedish National Audit Office’s recommendations to the Government include commissioning the Swedish Civil Contingencies Agency with conducting skills enhancement initiatives for the management of HEIs.

HEIs should also be tasked with establishing a joint support function for information security. This establishment should take place in consultation with the Swedish Civil Contingencies Agency and other relevant agencies.

The recommendations to the 24 HEIs include ensuring that roles and responsibilities are clear from the management level to individual employees so that everyone knows their responsibilities for managing research data correctly.

HEIs should also ensure that there is competence in place to analyse information security risks linked to research data.

See the report for the full recommendations.

*In this audit, research data requiring protection refers to data that needs to be protected primarily pursuant to secrecy, data protection regulations or other special regulations. It may, for example, concern large amounts or sensitive personal data, trade secrets or security-sensitive activities.

Press contact: Olle Castelius, phone: +46 8-5171 40 04.

Presskontakt: , telefon: 08-5171 42 06.

Updated: 13 December 2023

Contact form

Send your questions or comments via the form below and we will make sure that they reach the right member of staff. Please state if your question concerns the information on this particular page.

What is your question about?
What is your question about?