Copyright. Creative Commons. Sensitive information. Security Classification ... What is it all about?



This essay focuses on Copyright, Creative Commons, Sensitive information and the role of Data Classification in determining baseline security controls for the protection of sensitive data.

"With many Data Science Applications based on Large and often Sensitive Data sets, Data Security is increasingly important".

As science becomes more data-intensive and collaborative, AIMS (see AIMS Newsletter) continues to encourage Information-, Knowledge-, and Research Data communities to build solutions with the following in mind from the outset: Open - as possible, Protected - as necessary, FAIR - whenever possible.

Copyright vs Creative Commons 

Different types of Intellectual Property are protected by different means, for example, by Patents, Trademarks or Copyrights. Copyright protects original works of authorship, including literary, dramatic, musical, artistic and certain other works, both published and unpublished. 

A Copyright exists in any original work of authorship fixed in a tangible medium. This means that Copyright protection applies automatically to any original work as soon as it is written down or put into permanent or fixed form. There does not need to be a © symbol next to the work for it to be protected by copyright.

"A Copyright provides not just a single right, but a bundle of rights that can be exploited or licensed separately or together ... The collection and long-term preservation of digital content pose challenges to the intellectual property regime within which libraries and archives are accustomed to working". Just because a work is old does not mean that it is not protected by Copyright.

The European Commission promotes the debate and monitors the implementation of the Recommendation on the Digitalisation and Digital Preservation by, for example, creating the legal framework conditions enabling large-scale digitisation and cross-border accessibility of out-of-commerce works.

EU Copyright Reform (read about the progress of the Commission’s Reform Package through the complex EU process of law making).

When you are going to publish your article in subscription-based journals, a Copyright Transfer Agreement - that involves legally transferring Copyright from the author to the journal - is effective from the date on which the article is accepted for publication. 

Even though a number of publishers grant back to authors certain rights for the future use of their own work, for example self-archiving rights, a Copyright transfer restricts all forms of use of your article, and anybody who wishes to use it will have to seek permission from the journal.

EIFL Handbook on Copyright and Related Issues for Libraries

While Copyright transfer is the norm for standard subscription-based publications, its benefit for open access publications has been questioned.

For online or Open Access publishing, it is more common to use Creative Commons (CC) licenses. A CC license gives readers some rights, such as the right to share and use your work, of course, with attribution. In this way, your article will definitely have greater visibility. One other benefit of CC licenses is that they have a worldwide validity, while Copyright can have a territorial scope unless protected by international treaties.

Recorded EIFL Webinar: An Introduction To Creative Commons 

Many open access publishers follow the CC license system, so you can go ahead with them and retain Copyright with a CC license by signing the Open Access Agreement. See, for instance: License agreement of BioMed; License agreement of SpringerOpen; License agreement of Wiley; F1000Research: Publication Terms and Conditions.

To know more about the types of Intellectual Property and the kinds of Licenses used by authors and publishers, check out: Rights to Intellectual Property in Scholarly Publishing.

"Keep Open Access Open: IFLA signs on to open letter. The transition towards Open Access is gaining momentum. It promises to deliver a major step forward in giving access to the results of science and research, allowing new ideas to emerge and spread more quickly than ever before..." (IFLA, September 2017).

Sensitive information

Any information that can be used to identify you or another person is sensitive information (confidential data). Protection of sensitive information pertaining to the privacy or security of an individual or organization may also be required for legal or ethical reasons.

Sensitive data/information should be safeguarded; that is, it should be protected from unauthorized access and/or against unwarranted disclosure.

Information sensitivity in United Nations:

"Records and information are important assets of the United Nations, and sound procedures for the protection of the information sensitivity and security are critical for the proper management of the Organization’s records. Information sensitivity relates to the level of confidentiality of the information within the United Nations.

Information security also ensures that the information is available when needed and that its integrity is maintained, i.e., that it is not altered or inappropriately disclosed.

The Information Sensitivity Toolkit:

  • Understanding Information Sensitivity
  • Protecting Sensitive Information
  • Protecting Records from Loss or Damage
  • Ensuring Records are Secure

ST/SGB/2007/6 - Information Sensitivity, Classification and Handling

Examples of sensitive data/information may include, but are not limited to:

  • Intellectual property (e.g., some types of research data such as research data that is personally identifiable or proprietary),
  • Contract negotiations,
  • Most personnel matters (personally identifiable information),
  • Protected health data,
  • Financial information,
  • Information concerning system access passwords, access control,
  • Information security records,
  • Information file encryption keys,
  • Administrative records and computer data,
  • Other data/information that is deemed to be confidential in accordance with national and international laws. 

In March 2017, the Food and Agriculture Organization (FAO) of the UN launched a Toolkit and e-learning modules on Nutrition-sensitive Agriculture and Food Systems. This FAO Toolkit is an integrated package of guidance on how to design, implement, monitor and evaluate nutrition-sensitive food and agriculture policies and programmes.

From Data Classification to Data security controls 

As the complexity of the technology environment grows and related security threats increase, there is a need for every organisation to use available tools and services to protect its sensitive data, information and resources.

"Data Classification is broadly defined as the process of organizing data by relevant categories [e.g. Restricted - Private – Public], so that it may be used and protected more efficiently. The classification process not only makes data easier to locate and retrieve – Data Classification is of particular importance when it comes to risk management, compliance, and data security" (Digital Guardian).

Different organisations have developed Guidelines and Frameworks for classifying their data based on its level of sensitivity, e.g.:

  • Sensitive Data: data classified as Restricted, according to the Data Classification Scheme (that should be defined by an appropriate Data Steward);
  • Institutional Data and Non-public Information: specific information classified as Private or Restricted... [e.g., Guidelines for Data Classification at Carnegie Mellon University].

Classification of data aids in determining baseline security controls for data protection. Data Stewards may wish to assign a single classification to a collection of data that is common in purpose or function.

On a periodic basis, it is important to reevaluate the classification [reclassification] of protected data to ensure the assigned classification is still appropriate based on changes to legal and contractual obligations as well as changes in the use of the data or its value to the organisation. 

Tips for creating a Data Classification Policy (TechTarget Network).

Information classification according to ISO 27001: Information security management (27001 Academy).

Further reading on Data Protection:

 

The General Data Protection Regulation (GDPR): what is it all about? (AIMS)

Shapes Constraint Language (SHACL) - W3C Recommendation

Copyright Limitations and Exceptions for Libraries & Archives (IFLA)

Interested in anonymizing your data? (OpenAIRE)

 

The European Open Science Cloud initiative reinforces Open Science, Open Innovation and Open to the world policies. It will foster best practices of global data findability and accessibility (FAIR data); help researchers get their digital data skills recognised and rewarded (careers, altmetrics); help address issues of access and copyright (IPR: intellectual property) and data subject privacy; allow easier replicability of results and limit data wastage, e.g. of clinical trial data (research integrity); and contribute to clarification of the funding model for data generation and preservation, reducing rent-seeking and priming the market for innovative research services, e.g. advanced Text & Data Mining (new business models).