Sensitive Data services for research
Introduction to the user guide
In this user guide, you can find:
an overview and key features of each service;
step-by-step instructions on accessing and setting up the services; technical knowledge or expertise are not required to use the services. Specific paragraphs are marked as advanced if technical and coding skills are necessary;
quick technical suggestions in the troubleshooting table;
video tutorials helpful to get started.
You can also learn more from example cases for:
Introduction to the services
Sensitive Data services for research consist of five components:
Sensitive Data Connect (service description): a user interface for importing and storing sensitive data to CSC's cloud storage solution (Allas). SD Connect also facilitates sharing or transferring encrypted sensitive data during the active phases of research projects.
Sensitive Data Desktop (service description): a user interface that provides access to a secure virtual computer (or virtual Desktop). It enables secure computation and analysis of sensitive data. In addition, a restricted version of SD Desktop is provided for processing registry data (secondary use of health and social data). The limitations are described in a separate user guide (see: SD Desktop for secondary use).
Sensitive Data Submit and Federated EGA (service description) (pilot phase): allow publishing of sensitive and biomedical data under controlled access.
Sensitive Data Apply (pilot phase): promotes data reuse allowing data owners to manage access to published datasets via a simple user interface.
The General Data Protection Regulation and Finnish national laws regulate sensitive personal data processing. To comply with these regulations, specific data processing and framework agreements between the Data Controllers (academic organization) and CSC (as the Data Processor) must be in place.
For further information, see also:
- CSC Data Processing Agreement;
- Definition of sensitive data;
- Technical and organizational security measures for the protection of sensitive data in CSC Sensitive Data service.
Moreover, when creating a CSC project using the MyCSC portal, you are guided to the "Description of processing activities" form, where you describe the type of data you are processing.
You can then download these documents and share them with the legal services in your organisation or the Data Controller's representative. If you have any questions or additional legal agreements are needed between your organisation and CSC, contact us at email@example.com (email subject: Sensitive Data).
Allas: a cloud storage service of CSC. SD Connect is an interface that facilitates sensitive data encryption and storage in Allas. Users can also access Allas programmatically with interfaces for non-sensitive data.
Billing units: billing units are used to monitor the resource (when CSC services are free-of-charge or when the user pays to use the services).
Bucket/Container: these two terms refer to the main folder (technically called root folder) where data are stored in SD Connect/Allas. The bucket/container name is visible on the internet. You can have multiple buckets in the same project (up to 1000), but each bucket must have a unique name throughout the whole storage system (including other projects). By default, the data in a bucket is accessible just to the project members. However, you can share and grant access to other CSC projects or users with SD Connect.
CSC Project: using CSC services is based on projects: all your data in CSC belong inside a project. You can be a project member in one or multiple projects. Each project has a primary user, the CSC project manager, who can add members and services to the project. A project manager is responsible for the activities of the project. They, for example, need to describe which type of sensitive data the project is processing.
Disk quota: this is a limited set to control the storage space available to CSC services users. SD Connect has a default quota of 10 TB. You can apply for more writing at firstname.lastname@example.org.
Multi-factor Authentication: When you log in to the SD Desktop service, you must undergo an extra verification step to authenticate by providing a username and password. In this way, your account is more secure. The extra verification step is called:"Two-Step Verification" or "Multifactor Authentication", because you are proving your identity via a different method. In this case, you need to type in a one-time code (6-digits) obtained by opening a mobile app on your phone. The code is unique and valid for a limited amount of time.
Object: technical name for a file stored in a cloud object storage like Allas (or uploaded to CSC via SD Connect). This definition underlines that files stored in SD Connect / Allas can not be directly modified unless transferred or copied into a computing environment. Still, they can be accessed in read-only mode from a cloud computing environment (e.g. SD Desktop).
Project Identifier: a synonym of CSC Project ID when using the command-line tool. In the SD Connect user interface is displayed under User Information> Project usage and displayed as a series of 32 numbers and letters: e.g. AUTH_3a66dbf90b2940dc9c651362af595b23.
Virtual machine (VM): a virtual computing environment (or virtual computer) that works as an actual physical computer. It has a processor, memory, and operating system, but it exists only as a code or a partition of the host computer in CSC’s data center. The VMs used for the Sensitive Data services are entirely isolated from the internet for security reasons.
Virtual machine flavor (VM flavor): a flavor defines the resources and configurations of a cloud computing environment. It specifies the compute, memory, and storage capacity that can be assigned to the virtual machine.
Applying for SD services access
Sensitive Data Services are available for all CSC customers. To access CSC's services for sensitive data using MyCSC portal:
Create a user account.
Create or join a CSC project and add project members.
Fill in the Description of processing activities form and accepct CSC's Data processing agreement.
Each project member needs to add service access to Allas and SD Desktop.
Activate the additional security verification (or Multi-factor Authentication) on your account by scanning the QR code with an application (e.g. Google Authenticator).
Apply for billing units or disk quota.
For video tutorials and guidance regarding these steps, check the Accounts paragraph at the beginning of this user guide.
Applying access to the SD Desktop environment for secondary use differs from the abovementioned process. See instructions in the specific user guide SD Desktop for secondary use.
Once you have completed these steps, you can log in to SD services with identity federation systems (Haka, Virtu, CSC Login, or LSLogin) at:
with any modern web-browser.
LSLogin (LifeScience login, previously known as ELIXIR login) is available only after linking your CSC account to your LifeScience account (under your profile in MyCSC).