Shortcomings in higher education institutions’ management of research data requiring protection

Intelligence activities by foreign states against Swedish higher education institutions (HEIs) have intensified in recent years. This has led to a greater need for effective information security.

The Swedish National Audit Office’s audit of the 24 HEIs that conduct research in natural sciences, engineering and technology shows that they do not work effectively to identify and manage research data requiring protection*, despite the presence of requirements for this in regulations since 2008.

“Information security efforts relating to research data have been neglected at HEIs for a long time and have not been pursued effectively. The responsibility for this lies primarily with the HEIs. However, the measures taken by the Government and other agencies to follow up and strengthen HEIs’ information security efforts have been insufficient,” says Auditor General Helena Lindberg.

The vast majority of research data does not need protecting and can be accessible for everyone. However, to be able to identify which data is worth protecting, knowledge is needed about the research data managed in the organisations. Since HEIs lack knowledge about whether they handle research data worth protecting, and whether it is handled correctly, a basis for making correct risk assessments is missing. This, in turn, makes it more difficult to decide to introduce appropriate security measures.

Many researchers have insufficient knowledge and expertise in matters relating to information security. This includes knowledge of how information should be protected in practical terms and how research data should be classified in relation to current regulations and external requirements, including the Protective Security Act.

“The HEIs’ managements have not given sufficient priority to information security efforts and adopted guidelines, procedures and working methods have not been fully implemented,” says Sara Monaco, project leader for the audit.

In addition, the Government has been late in its follow-up of information security at HEIs. Not until 2019 did the Government begin to follow up these matters more systematically in agency dialogue with the HEIs and through various reporting requirements.

The various training initiatives and support that agencies such as the Swedish Civil Contingencies Agency provides have also not had sufficient impact in the higher education sector.

Recommendations in brief

The Swedish National Audit Office’s recommendations to the Government include commissioning the Swedish Civil Contingencies Agency with conducting skills enhancement initiatives for the management of HEIs.

HEIs should also be tasked with establishing a joint support function for information security. This establishment should take place in consultation with the Swedish Civil Contingencies Agency and other relevant agencies.

The recommendations to the 24 HEIs include ensuring that roles and responsibilities are clear from the management level to individual employees so that everyone knows their responsibilities for managing research data correctly.

HEIs should also ensure that there is competence in place to analyse information security risks linked to research data.

See the report for the full recommendations.