Data security and data protection: Fundamentals and measures

Note: Where possible, the IT services and offerings provided by the ZID should be used. These are specifically tailored to the requirements of the university and offer a high level of data security and data protection. Detailed information on the use of applications and IT systems / data protection can be found on SharePoint (German | English).

The connection between information security and data protection

Information security and data protection are two closely related concepts that together ensure the protection of personal data. While data protection focuses on the legal framework and compliance with laws (e.g., the General Data Protection Regulation, GDPR), information security encompasses the technical and organizational measures that ensure the protection of data against unauthorized access, loss, or manipulation.

Without information security, data protection cannot be effectively implemented: only through the use of appropriate measures can personal data be protected from misuse and data protection requirements be met. 

Further information on data security at the University of Innsbruck can be found on the ZID website.

The role of technical and organizational measures (TOMs)

Technical and organizational measures (TOMs) are at the heart of information security. They serve to minimize risks associated with the processing of personal data and to ensure compliance with data protection regulations. TOMs are therefore a central component of data protection in all areas of the university—from administration to research. 

The selection and implementation of TOMs is based on the specific risks of data processing and must be regularly reviewed and adjusted.

Examples of technical and organizational measures (TOMs)

  • Physical access control: Access to server rooms only for authorized personnel, use of chip cards or biometrics
  • System access control: Individual user accounts with strong passwords, two-factor authentication
  • Data access control: Authorization concepts that restrict access to data to the necessary extent
  • Transfer control: Encryption of emails and data transfers, use of secure protocols (e.g., SFTP)
  • Input control: Logging of changes to data so that it is possible to trace who edited which data and when
  • Availability control: Regular data backups, emergency plans, and redundant systems
  • Data separation: Separate storage of test and production data, pseudonymization or anonymization of data

TOMs for research projects

Research projects, especially those involving personal data, require particular care. Data protection is not only a legal obligation, but also a matter of scientific integrity and trust in research. To ensure this, TOMs must be specifically planned, implemented, and regularly reviewed.

Examples of specific TOMs that are of central importance in research:

  • Data minimization: Collection and processing of only the data that is absolutely necessary for the research objective
  • Pseudonymization: Separation of identification features and research data, use of pseudonyms or codes
  • Encryption: Encryption of data carriers and transmission paths, especially for sensitive data
  • Data management plan: Documentation of data handling, including storage locations, access authorizations, and deletion periods
  • Training: Regular awareness-raising and training of project staff on data protection and data security
  • External audits: Regular review of TOMs by external data protection officers or certification bodies

If you have any questions, please contact the data protection coordinator or IT security.
