Data Security Guidelines for Research
Maintaining research data securely with the appropriate level of confidentiality, integrity, and availability is critical to ensuring a low-risk threshold for the participants, the researchers, and the University. Principal investigators (PIs) and their research teams should outline the data management and security processes and procedures associated with each of their research projects regardless of whether or not the research involves the collection of personally identifiable data.
Data Sensitivity
- When conducting research, it is important to understand the data you are working with and its corresponding sensitivity. The Sensitive Data Defining & Classifying webpage has information about identifying sensitive data.
- To best determine the sensitivity of your data, it is helpful to understand some key terms that help describe the source of your data:
  - Anonymous: Data is anonymous if no one, including the researcher, can link the data to the individual who provided it. No identifying information is collected, such as name, address, identification number, or other unique individual characteristics that would make it possible to identify an individual from within the research subject pool.
  - Confidential: Data in this category can be linked to the source individual. Research team members are obligated to protect confidential data from disclosure outside of the research team. Some ways to prevent unauthorized disclosure of confidential data include:
    - Storing research subject identifiers separately from the research data.
    - Utilizing a unique code to refer to the research subject’s data. It is important to note that this method does not make the data anonymous.
    - Storing the code key and the subject’s identifiers separately.
  - De-identified: A de-identified data set is one from which any and all direct and indirect identifiers or codes linking the data to the research subjects have been removed.
- Information on the Storing Data by Type and Storing Data by Solution pages will assist you in finding the appropriate IT resources for use with your research data.
Data Storage
- The Protect University Data webpage has details on which enterprise-wide storage solutions can be used for each data type and how to define and classify data, along with a template data management plan and a template system security plan.
- All data collection and storage devices must be password-protected with a strong password.
- Devices used to collect sensitive data must adhere to the secure computer management standard to ensure safe use in the collection and storage of research data.
- If it is necessary to use portable devices for initial collection or storage of identifiers, the data files should be encrypted, and the identifiers transferred to a secure system as soon as possible after collection. The portable device(s) should be locked in a secure location when not in use.
- All sensitive research information on portable devices must be encrypted and locked in a secure location when not in use.
- All data collected on portable devices should be transferred to an approved storage location as soon as possible after collection, and deleted from the portable collection devices.
- Identifiers, data, and keys should be placed in separate, password-protected/encrypted files, and each file should be stored in a different secure location.
- OHIO Catmail and Calendar services may not be used to collect, store, or transmit identifiable human subjects research data or protected health information (PHI).
- If utilizing any cloud-computing services, including but not limited to “free services”, the PI must follow the OHIO Technology Review Process, Protect University Data guidelines, Information Security Standards, and applicable University policies.
- When sending emails to recruit research participants, follow Email Best Practices to prevent the messages from looking like spam or phishing.
Data Retention & Destruction
Good research data management includes designing the data management plan and research protocol in such a way that data retention and destruction, if applicable, are addressed. As such, the PI should document within the research design the retention period applicable to the research data. The PI should also securely destroy data in accordance with the research design, the established retention period, and any agreements entered into by the University and the research sponsor. If there are Federal requirements for data sharing, or if the researcher has a need to retain the data for further research, at minimum the identifiers associated with the data must be securely removed from the research databases and files as early in the process as possible.