TRE-PORTAL

Agreement for responsible use

UNIVERSITY OF GOTHENBURG

Version 2024-05-14

Trusted Research Environment (TRE) terms of use:

TRE is a service that ensures a controlled and protected IT environment, provided by the IT unit at the University of Gothenburg. This service is intended for university employees, to be able to store and process research data according to security requirements for security class 3 information.

The service is structured so that an administrator who is employed at the University of Gothenburg is responsible for a defined and dedicated digital area, called a vault, which he or she can administer and assign permissions within. Within this vault, also superusers and users can perform work.

When you work in TRE, you may come across information that is subject to confidentiality and which means that you are subject to a duty of confidentiality according to the Publicity and Secrecy Act (2009:400), OSL. The duty of confidentiality means a prohibition to disclose or use information that is subject to confidentiality, whether it is done orally or in some other way. Violation of the duty of confidentiality is penalized according to ch. 20. Section 3 of the Criminal Code (1962:700).

As an employee, you are responsible for ensuring that both you and the people you assign authorization to are well informed about the policies, guidelines and rules that GU has drawn up, in line with the university's overall responsibility. This includes specific documents related to information and IT security, such as Policy for information security at the University of Gothenburg (dnr GU 2024/15) and Rules for IT security at the University of Gothenburg (dnr V2013/414) and the liability for use of Gothenburg University's IT resources (dnr V2013/414) all employees approve before using an IT resource. Regarding licensed software provided within the environment, it may only be used by certain groups of users, typically employees and students at the University of Gothenburg, see the Computers, software and licenses for more information on governing documents and rules. Failure to comply with and/or violations of rules may result in liability under labor law in accordance with these regulations.

The university is responsible for complying with the regulations on information security from the Swedish Civil Contingencies Agency (MSB). TRE and its organization, operation, management and incident management are conducted according to MSB's requirements in regulations MSBFS 2020:7–8. This means that personal data about you as a user and what actions you take in the environment will be logged. You can read more about how your personal data is processed in the university's integrity policy.

Basic requirements - everyone working in TRE must ensure:

That you always act in accordance with Gothenburg University's policies, guidelines and rules.
That information (data) contained in TRE is not disseminated to unauthorized persons.
That suspicions of possible or established data leaks are reported as soon as possible to the security function at the University of Gothenburg incident.response@gu.se
That devices (IT equipment such as computer, telephone or similar) that provide access to TRE are stored in a safe manner. Loss of devices must be reported directly to support@gu.se or extension 2020.
That devices that provide access to TRE are not lent or changed and that passwords (codes) to the devices are not shared with anyone else.
That strong passwords or codes are used for the devices that provide access to TRE in accordance with Gothenburg University's instructions.
That all information (data) contained in the vault is handled correctly in accordance with Gothenburg University's current governing document for information management.
That the instructions that may otherwise be issued are complied with.

Special demands

Within TRE, five distinct roles are specified, each with unique responsibilities and requirements:

Administrator (vault owner): This role involves responsibility for managing permissions within an assigned (his) vault. The administrator can add superusers and users, manage applications and access group memberships. The administrator is also authorized to assign the roles importer and exporter.

Superuser: As a superuser, one has the ability to install programs or tools (create new resources) within the vault and use these resources for work. This provides extended functionality compared to the user role.

User: This role is limited to working with (using the resources) and managing information (data) available in the vault. Users do not have rights to install new programs or manage access for other users.

Importer: This role is limited to being able to approve imports and import data into the vault.

Exporter: This role is limited to being able to export data from the vault.

The diverse spectrum of requirements of the roles underscores the importance of carefully understanding and adhering to the specific authorities and limitations that come with each position to ensure effective and safe management of the TRE environment.

Below are the special prerequisites/requirements that apply to each role, in addition to following the basic requirements for Everyone who works in TRE (see above).

User

In order to be a user, it is assumed that you are employed at the University of Gothenburg, affiliated with the University of Gothenburg or operate under a cooperation agreement between the University of Gothenburg and the home organization.

Super user

In order to be a super user, it is assumed that you are employed at the University of Gothenburg, affiliated with the University of Gothenburg or operate under a cooperation agreement between the University of Gothenburg and the home organization.

The super user has an additional responsibility to ensure that:

When making available and installing software in the vault, be responsible for ensuring that license rights are complied with according to Gothenburg University's governing document for licensing activities and according to the applicable license conditions for the respective software.
The programs/tools (new resources) that are installed do not create security flaws or gaps in the vault that are not previously identified and assessed.

Administrator (vault owner)

As an administrator, a position that requires employment at the University of Gothenburg, the role involves a responsibility to:

Administration of permissions to the vault takes place in accordance with Rules for IT security at the University of Gothenburg (section 4.2), dnr V2013/414.
Authorizations must be revised at least every 6 months.
Persons assigned authorization in the vault have been informed about terms of use for TRE and also other necessary information for the implementation of the project.

Importer

To be an importer, it is assumed that you are employed at the University of Gothenburg, affiliated with the University of Gothenburg or operate under a cooperation agreement between the University of Gothenburg and the home organization.

Exporter

As an exporter, a position that requires employment at the University of Gothenburg, the role involves a responsibility to:

Do not export or allow export of sensitive information (data) to unauthorized persons.
Do not export or allow the export of sensitive information (data) in order to then process or store the information on other storage locations, devices or other surfaces that do not correspond to the security level applicable in TRE.