Typical information:

• AAU website, www.aau.dk, etc.
• Study programme descriptions
• News articles
• Books and journals
• Research data (open data)
• Research reports

General personal data, including:

• Employee master data
  
  • Employee name
  • Job title
  • Telephone number
• Institutional affiliation

General personal data, including:

• Master Data
  
  • Name, surname
  • AAU username
  • Date of birth
• Information about education, testimonials, course certificates and work assignments
• Information on salary, tax, pension and salary account number
• Driving licence number and type
• Nationality
• System user information
• Illness and absence information
  
  • Only the absence - not the treatment, diagnosis or reason for absence
• Participation in classes, courses, groups and subject levels

Typical information:

• Schedule
• System configuration
• Department budget
• Purchase agreements
• Educational material
• Research data
• Meeting minutes and agendas

Information must be labelled so that it is not published by mistake.

Documents are labelled at least on the front page.

Where labelling is not possible, classification must be indicated by file or folder name.

Electronic access:

Access to information must be protected by password, PIN or similar (e.g. fingerprint, facial recognition) on the device and is conditional on a work-related need.

System access to the device is locked after 5 minutes of inactivity.

Physical access:

Physically, internal information must be stored behind a lock.

Electronically:

On AAU-approved solutions and hardware, such as network drives etc. or authorised via an AAU-approved data processing agreement, AAU Non-disclosure agreement or equivalent.

See the data storage model with approved systems here.

Physical:

Stored so that unauthorised persons do not have access to view or retrieve the content. For example, in a locked office, locked cabinet, box or similar.

Electronically:

It is recommended that internal data is sent encrypted. In addition, the sender must ensure that the recipient is aware of the rules for processing the information sent.

Here's how to encrypt data.

Physical:

May be sent internally in a circulation envelope or regular letter post (closed shipment).

Remember to ensure that the recipient is familiar with the rules for processing and disposal of AAU information.

• Inventions and research that can be commercially utilised with a value of more than DKK 1,000,000
• Research data with potential damaging effects

Personal data, including:

• CPR no.
• Employee's:
  
  • Private address
  • Private email
  • Private phone number
  • Other private information
• Driving licence photo
• Personality test
• Divorce
• Adoption circumstances
• Alcohol and drug test
• Exam cheating registration
• Grades, grading, etc.
• Significant social and family issues

Information must be labelled so that it is not published by mistake.

Electronically:

Information that cannot be labelled should only be stored in systems where the system makes the classification clear.

As much as possible, electronic labelling should be done at the metadata level.

Physical:

Physical documents must be labelled on each page/viewport and must have a cover sheet without confidential information.

Electronic access requires authentication with AAU account credentials and must be contingent on a work-related need.

System access is locked after 5 minutes of inactivity.

Access to the system and export of data out of the system must be logged.

Electronically:

Storage may only take place on AAU-approved hardware (e.g. your AAU-installed PC or MAC) or at partners with whom an AAU-approved data processing agreement has been concluded for the storage of confidential data.

If the device on which the confidential data is stored is publicly accessible, e.g. on portable devices, the data must be encrypted with strong encryption.

If you have recorded confidential data, e.g. with a dictaphone or video camera, the recordings must be transferred to encrypted devices as soon as possible - and within 7 working days at the latest.

Approved forms of encryption are determined by the CISO.

Where the storage device is physically protected in e.g. server rooms, administrator access and access to server rooms must be logged.

Physical:

Confidential information must be stored so that unauthorised persons cannot see or access the contents, e.g. in a locked office, locked cabinet, locked vault or similar.

All materials that are disposed of must be shredded.

Use 'Follow-You' printing when printing documents.

 

Electronically:

Information may only be sent/disclosed to business partners when there is a legal basis for transfer (data processing agreement, disclosure, etc.).

Information may be sent unencrypted on AAU networks.

Information can be sent via an encrypted channel where encryption can be guaranteed end-to-end, outside AAU's network.

When travelling with portable media, data must be encrypted.

The CISO maintains a list of authorised forms of communication and sets encryption requirements.

Physical:

May be sent internally in a sealed envelope with attention person or delivered in person, but may not be carried on public transport such as buses and trains.

 

• Inventions and research that can be commercially utilised with a value of more than DKK 5,000,000
• Research documentation with sensitive data

Sensitive personal data:

• Racial or ethnic origin
• Political, religious or philosophical beliefs
• Health information
• Sexual relationships or orientation
• Union

Information must be labelled to protect it from unintentional disclosure.

Physical documents must be labelled on every page or line of sight and must have a cover sheet without sensitive information.

Information that cannot be labelled may only be stored in systems where the system clearly shows the classification.

Access to information must be checked every six months. Audit reports must be archived in the ISMS system.

Processing requires that the user is specially trusted and trained to process the information.

Electronically:

Electronic access requires authentication with AAU account information and 2-factor validation outside the AAU network.

System access is locked after 5 minutes of inactivity.

Account must be protected against brute force and password guessing attacks by locking the account after 10 failed login attempts within 10 minutes.

Access to the system must be logged (including administrator access). Access (viewing) to information must be logged at the field level. Changes to data must be logged.

Data may only be exported to systems with an explicit integration and a defined purpose for the export, approved by the CISO.

Information must not be visible to anyone other than the practitioner, who must be aware of the physical environment, including the ability of others to see the screen(s).

Physical:

Access (viewing) to information must be logged at the field level. Changes to data must be logged.

Export of data may only be made to systems with an explicit integration and a defined purpose for the export, approved by the CISO.

Information must not be visible to anyone other than the processor, who must be aware of the physical environment, including the ability of others to view the documents.

Electronically:

Storage may only take place on AAU-approved hardware or at partners with whom an AAU-approved data processing agreement has been entered into for the storage of confidential data.

Sensitive information may not be stored on stationary media (e.g. physical servers) that are publicly accessible. Access to the storage medium must be physically restricted to authorised personnel. Access to the area must be logged, e.g. currently for server rooms.

When storing on portable media (e.g. PC, USB stick and SD card), data must be encrypted with strong encryption. For workflows with, for example, recording devices, data must be transferred to encrypted devices as soon as possible and within 7 working days at the latest. Approved encryption methods are determined by the CISO.

Information may only be stored in specialised systems specifically designed for handling sensitive information.

Here you will find an overview of approved systems for data storage.

The system must be updated with the latest security updates - no later than 14 days after the security update is available.

The system must be supported by the manufacturer or supplier.

Administrator access to the system is subject to the same logging requirements as access.

When discarding media, electronic wipe and shredding must be performed so that information cannot be recreated.

Physical:

Sensitive information must be stored in a physical container labelled with the classification level.

It must be stored so that unauthorised persons cannot see or access the contents in locked security cabinets and boxes or similar at AAU locations.

All materials that are disposed of must be securely shredded. Disposal must be logged.

Use 'Follow-You' printing when printing documents.

Electronically:

Information may only be sent or disclosed to business partners when there is a legal basis for transfer (data processing agreement, disclosure, etc.).

Data transfer must take place via encrypted channels where confidentiality is guaranteed by AAU or the recipient.

Data transmission via open channels or channels owned by third parties requires encryption of the information.

When transported on portable media (e.g. PC, USB stick or SD card), data must be encrypted.

Approved forms of encryption are determined by the CISO.

Physical:

Information may only be sent or disclosed to business partners when there is a legal basis for transfer (data processing agreement, disclosure, etc.).

Sensitive documents are sent as sealed shipments, either registered or by courier. Receipt and dispatch must be logged.