Versions Compared

Old Version 6

changes.mady.by.user Unknown User (kimmosv)

Saved on

compared with

New Version Current

changes.mady.by.user Roope Rannikko

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Info
titleData life-cycle planning and management

This guide has been moved to Metropolia’s OMA intranet page, which requires login. It is advisable to use the guide, for example, at the beginning of a project, thesis, or research. This way, the necessary risks and requirements are taken into account throughout the information lifecycle.

Different types of data have different needs, often determined by legislation or the meaning of the data. The purpose of the data life cycle model is to safeguard data at every stage of data processing. Life cycle planning is based on the definition of common rules of the data handling. How information is stored, used, shared and ultimately archived or destroyed. 

When data is being collected, for example in project activities, the data life cycle should be planned. The life cycle starts when the data is created or received and ends with its permanent preservation in the form of archiving or destruction. At the end of a project or other data collection, all surplus data should be destroyed from the participants' computers and from the memory locations used, such as network drives or external storage devices. 

  • The data life cycle covers all stages of data processing, namely data creation or receiving, storage, use, sharing and transfer, archiving or destruction.
  • The information life cycle approach is based on the systematic and risk-based handling and management of information.
  • With regard to the information life cycle, it is important to recognise that information assets may be processed in several different locations and on different information systems or hardware. In some cases, data may have its own life cycle in different locations and systems. Such as research data, which has its own life cycle, including storage location and archiving options.

With the information life cycle planning model, you take care of information security throughout the information life cycle.

Image Removed

Info
titleKey questions on managing the information lifecycle

1. Creating and receiving information:

  • Whether the basis and purpose of the processing of the data is identified and defined (when collecting and storing data, it should always be determined what the basis and purpose of the processing is. If the collection of data cannot be justified, consideration should be given to whether the processing is necessary).
  • Whether specific requirements for the data to be processed, such as those relating to personal data, have been identified (note: specific requirements for data may require resources from the IT department, be sure to inform the helpdesk of any needs in good time).

2. Storing and use:

  • Is the information stored in such a way that only those with legitimate access to the information have access to it?
  • Is there a defined retention period for the information to be kept, at the end of which it will either be archived or destroyed appropriately (also agree on responsibilities, who will archive or destroy the information, e.g. at the end of a project).

3. Use of the data:

  • Whether the access rights and authorisations to the data set are defined based on the person's job function (need-to-know principle).
  • Whether the data is processed only in the agreed and approved information systems, equipment and processing environments (the data processing policy must be defined and communicated to all participants).

4. Sharing and transfer of data

  • When sharing, transferring and releasing data, can the identity of the recipient be adequately ensured? Particularly when handling sensitive or confidential material (e.g. the "Registered letter" function of the secure mail also identifies the recipient by means of SMS authentication).
  • Whether appropriate encryption (e.g. secure mail, metroarch) is used when sharing or transmitting data.
  • Whether it has been ascertained that the disclosure of the data is in accordance with the law and that the recipient has the right and competence to process the data.

5. Archiving of data  

  • Does the archiving of the data take into account the time, place and manner of storage (and who is responsible and does archiving require resources, e.g. from the IT department?).
  • Is the usability and readability of the data ensured throughout the storage period?

6. Destruction of data

  • Is the destruction of the data at the end of the specified retention period or at the end of the use in a sufficiently reliable manner?
    • Do the procedures for reliable destruction cover all devices on which confidential data have been stored during their life cycle (network drives, external storage devices, cloud computing, workspaces, workstations, etc.)?


    Tiedon elinkaari