What to do when being responsible for data protection in your lab, yet advice is ignored?
I work in a lab where we conduct research on data acquired from human subjects. As we investigate the effects of different diseases and the related treatments, the data is highly sensitive in regards to data protection.
Most of the lab members work with Windows 10 and I am supposed to set up additional Windows 10 PCs. I have serious concerns about this as Windows 10 is known for sharing much data with Microsoft, e.g. every file which is related to a software crash may or may not be sent to Microsoft, thereby unintentionally sharing sensitive health-related information with Microsoft.
When mentioning these issues, they are usually waved aside with arguments like "nobody else cares about that" or "this would slow down our work". In general there is very little interest in data protection and the associated risks.
I know the risk of a data leak actually having an effect is rather small, yet I'd like to know how to back myself up in this situation. Should things for whatever reason go sour, I'd like to be on the safe side.
PS: Initially I thought of pasting this in "the workplace", but as academia is quite different from industry, I thought this would be a better fit.
Edit: I think I should add a little more background. I am in a PhD position actually hired for doing research. Yet due to my background in computer science, I am 'officially' responsible for everything related in our lab to electronic data processing.
data lab-management
asked 2 hours ago, edited 1 hour ago
VoodooCode (new contributor)
Mm... I'm not sure about this, but maybe people at Information Security SE are better technically equipped to answer your question.
– Massimo Ortolano
2 hours ago
"Windows 10 is known for sharing...every file which is related to a software crash" Do you have evidence to support this? It sounds highly unlikely that Microsoft would steal their client's data.
– user2768
1 hour ago
First thing I did was checking out whether this is actually the case. Subsequently I was wondering about it myself and posted at Information Security SE: security.stackexchange.com/questions/204530/…
– VoodooCode
1 hour ago
Also, you have a bigger problem: "Windows 10...will reach the end of servicing on April 9, 2019" Source: support.microsoft.com/en-gb/help/4490393
– user2768
1 hour ago
@user2768 I think this only applies to version 1607 of Windows 10, not to newer releases which you can obtain via the regular update processes.
– nabla
1 hour ago
4 Answers
"Should things for whatever reason go sour, I'd like to be on the safe side."
The question is what you want to protect against - a lawsuit directed at you, or being let go?
My suspicion (but I'm not a lawyer, obviously) is that there is very little danger of the former and close to no real protection against the latter.
The uncomfortable reality is that many people (in academia and outside) are not so much hiring an employee as buying insurance when filling roles such as for a data protection responsible (same with certain certifications in industry). They know (or at least strongly suspect) that what they do is not legal, don't want to change, and look for somebody who they can point to when things go south.
If any real legal trouble ever arises from the data protection issue, I fully suspect that it will be targeted at the university rather than individuals working there - and even if it is targeted at specific persons, it will be the managers in charge, not a lab technician with no authority to change the behavior of other employees. However, there is a very good chance that internally you will still be made the scapegoat (up to and including being let go), if for no other reason than that sh*t tends to roll downhill. In my experience with university management structures, no amount of paper trail can really protect you from this.
Of course you still should try as hard as you can to inform your lab on any relevant issues that you see, but given that you have no authority over them it will have to take the form of advice rather than strict rules. Being on good terms with the team (and having great soft skills) is probably your best bet of actually making a difference. It may also pay to be pragmatic here, and address big threats that don't require too much sacrifice from your team - the InfoSec Stack Exchange may be a very good resource to get information on what these might be (I suspect the usage of Windows is not one of these cases).
Note: there are jobs where you end up personally responsible for certain kinds of problems (functional safety in automotive is an example that comes to mind). However, these are typically characterized in that you need explicit qualifications to even be legally allowed to carry out this job. A company cannot just appoint a random engineer to now be legally responsible for safety certification. Part of the mandatory training for such jobs is also explicit information on what you end up responsible for, and what the expected course of action in case of non-compliance is.
The way I read your question is that you are not responsible for data protection but responsible for setting up Windows PCs. In that case I would share your concerns in an email to your group leader so that you have a (virtual) paper trail, and ask them whether they'd like you to set up the Windows PCs nevertheless or whether they'd like you to look for another solution.
Of course, if your actual responsibility is data protection and they are ignoring the very thing they've hired you for, you should probably start looking for another place to work.
answered 2 hours ago
Designerpot
A quick Google search on "windows 10 gdpr" retrieves a trove of documents from Microsoft with advice on GDPR compliance. SE discourages the posting of links, but the second hit on the Google search is "Windows and the GDPR: Information for IT Administrators and Decision Makers" and has a pretty thorough explanation of what data moves where. That (discouraged) link is currently https://docs.microsoft.com/en-us/windows/privacy/gdpr-it-guidance
According to the document itself, it takes 17 minutes to read. I think you'll feel better after you've done so.
There's a lot of paranoia about Microsoft, some of it possibly justified, but the hard fact is that MS cannot afford to ignore the GDPR or, in the U.S., HIPAA.
I did read the answer in Information Security SE, and did not find it helpful; the quotation from MS has to do with disclosure of data as required by law or legal process.
answered 37 mins ago
Bob Brown
Google search results are not universal, for example for me that's not the second hit.
– fqq
13 mins ago
Make sure your advice is actually based on solid facts, and consider which are the most likely ways the data could leak out. Find out exactly what Windows 10 could report to Microsoft, and whether that is a real issue in your case.
Find out the actual regulations and laws about this in your country and maybe also university rules, if they exist. Being able to point to specific regulation is useful for such arguments.
In a typical academic settings, you probably don't have the means to really lock down stuff. I would focus on the most dangerous and common ways the computers could be compromised, Microsoft is far, far at the end of those worries in my opinion. I would mostly worry about the following cases:
- people taking the data home or on their private computers
- computers being compromised by malware
- computers, hard drives or USB drives being stolen or lost
You're focusing on a very remote and unlikely threat, that makes it much easier to dismiss your arguments. Focus on realistic and plausible threats, and be prepared to still fight an uphill battle.
edited 13 mins ago
answered 1 hour ago
Mad Scientist
I agree. Our school is super paranoid about e.g. cloud services, yet the most typical security problem is students carrying around data on USB sticks and losing many of them. Also, some might carry around data and occasionally use public computers or computers of others, accidentally leaving data files around.
– Greg
20 mins ago
Should things for whatever reason go sour, I'd like to be on the safe side.
The question is what you want to protect against - a lawsuit directed at you, or being let go?
My suspicion (but I'm not a lawyer, obviously) is that there is very little danger of the former and close to no real protection against the latter.
The uncomfortable reality is that many people (in academia and outside) are not so much hiring an employee as buying insurance when filling roles such as for a data protection responsible (same with certain certifications in industry). They know (or at least strongly suspect) that what they do is not legal, don't want to change, and look for somebody who they can point to when things go south.
If any real legal trouble ever arises from the data protection issue, I fully suspect that it will be targeted at the university rather than individuals working there - and even if it is targeted at specific persons, it will be the managers in charge, not a lab technician with no authority to change the behavior of other employees. However, there is a very good chance that internally you will still be made the scapegoat (up to and including being let go), if for no other reason than that sh*t tends to roll downhill. In my experience with university management structures, no amount of paper trail can really protect you from this.
Of course you still should try as hard as you can to inform your lab on any relevant issues that you see, but given that you have no authority over them it will have to take the form of advice rather than strict rules. Being on good terms with the team (and having great soft skills) is probably your best bet of actually making a difference. It may also pay to be pragmatic here, and address big threats that don't require too much sacrifice from your team - the InfoSec Stack Exchange may be a very good resource to get information on what these might be (I suspect the usage of Windows is not one of these cases).
Note: there are jobs where you end up personally responsible for certain kinds of problems (functional safety in automotive is an example that comes to mind). However, these are typically characterized in that you need explicit qualifications to even be legally allowed to carry out this job. A company cannot just appoint a random engineer to now be legally responsible for safety certification. Part of the mandatory training for such jobs is also explicit information on what you end up responsible for, and what the expected course of action in case of non-compliance is.
answered 57 mins ago
xLeitix
2
Mm... I'm not sure about this, but maybe at Information Security SE they are better technically equipped to answer your question.
– Massimo Ortolano
2 hours ago
"Windows 10 is known for sharing...every file which is related to a software crash" Do you have evidence to support this? It sounds highly unlikely that Microsoft would steal their client's data.
– user2768
1 hour ago
First thing I did was checking out whether this is actually the case. Subsequently I was wondering about it myself and posted at Information Security SE: security.stackexchange.com/questions/204530/…
– VoodooCode
1 hour ago
Also, you have a bigger problem: "Windows 10...will reach the end of servicing on April 9, 2019". Source: support.microsoft.com/en-gb/help/4490393
– user2768
1 hour ago
2
@user2768 I think this only applies to version 1607 of Windows 10, not to newer releases which you can obtain via the regular update processes.
– nabla
1 hour ago