This stage covers physical and electronic storage at the library, in the cloud, or with a vendor. When thinking about where user data are stored, consider if multiple versions of the data are living in various places. The same data sets could be on backups, multiple desktops, email, or even a printout on someone’s desk. Libraries should also consider what data sets that are stored in the same place could be combined to identify users. This is especially pertinent when raw (unmodified) user data from different systems is combined into one place, such as a data warehouse or data analytics application.
User data should be stored in the least number of places possible. Having multiple copies spread out in various locations increases the risk the data will be exposed or breached. Think of a type of user data collected at your library and go searching for all of the locations it might be found. For each location determine if the data is stored securely. This might be a locked cabinet or password protected file.
- What user data did you find?
- Does this data need to be stored in multiple locations?
For items containing user data that are not secured consider the following:
- Store paper documents in locked desks or cabinets when not in use.
- Require individual user logins on all computers.
- Place electronic equipment in a space that has controlled entry (e.g. locked room or storage area).
- Require logins for public-facing staff computers and mobile equipment, including multifactor authentication, if possible.