Data Security Guidelines for Research
Maintaining research data securely with the appropriate level of confidentiality, integrity, and availability is critical to ensuring a low-risk threshold for the participants, the researchers, and the University. Principal investigators (PIs) and their research teams should outline the data management and security processes and procedures associated with each of their research projects regardless of whether or not the research involves the collection of personally identifiable data.
- It is important to understand the data you are working with when conducting research, as well as its corresponding sensitivity. The Sensitive Data Defining & Classifying webpage has information about identifying sensitive data.
- To best determine the sensitivity of your data, it is helpful to understand the following key terms:
  - Anonymous: Data is anonymous if no one, including the researcher, can link the data to the individual that provided it. No identifying information such as name, address, identification number, or other unique individual characteristics making it possible to identify an individual from within the research subject pool is collected.
  - Confidential: Data in this category can be linked to the source individual. Research team members are obligated to protect confidential data from disclosure outside of the research team. Some ways to prevent unauthorized disclosure of confidential data include:
    - Storing research subject identifiers separately from the research data.
    - Utilizing a unique code to refer to the research subject’s data. It is important to note that this method does not make the data anonymous.
    - Storing the code key and the subject’s identifiers separately.
  - De-identified: De-identified data is a data set from which any and all direct and indirect identifiers or codes linking the data to the research subjects have been removed.
- Information on the Storing Data by Type and Storing Data by Solution pages will assist you in finding the appropriate IT resources for use with your research data.
- The Protect University Data webpage has details on what enterprise-wide storage solution can be used for each data type, how to define and classify data, a template data management plan and a template system security plan.
- All data collection and storage devices must be password protected with a strong password.
- Devices used to collect sensitive data must adhere to the secure computer management standard to ensure safe use in the collection and storage of research data.
- If it is necessary to use portable devices for initial collection or storage of identifiers, the data files should be encrypted, and the identifiers transferred to a secure system as soon as possible after collection. The portable device(s) should be locked in a secure location when not in use.
- All sensitive research information on portable devices must be encrypted and locked in a secure location when not in use.
- All data collected on portable devices should be transferred to an approved storage location as soon as possible after collection, and deleted from the portable collection devices.
- Identifiers, data, and keys should be placed in separate, password-protected/encrypted files, and each file should be stored in a different secure location.
- OHIO Catmail and Calendar services may not be used to collect, store, or transmit identifiable human subjects research data or protected health information (PHI).
- If utilizing any cloud-computing services, including but not limited to “free services”, the PI must follow the OHIO Technology Review Process, Protect University Data guidelines, Information Security Standards, and applicable University policies.
- When sending emails to recruit research participants, follow Email Best Practices to prevent the messages from looking like spam or phishing.
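The separation described under "Confidential" and in the item on keeping identifiers, data, and keys in separate files can be sketched as follows. This is an added example, not part of the University's guidance; the column names, the `subject_ref` format, and the sample rows are constructed assumptions, and each returned table would be written to its own encrypted file in a different secure location.

```python
import csv
import io
import secrets

# Constructed sample input; column names are assumptions for this example.
SAMPLE_CSV = """name,address,id_number,age_group,score
Alex Example,1 Sample St,P100001,18-24,42
Blake Example,2 Sample St,P100002,25-34,37
Casey Example,3 Sample St,P100003,18-24,51
"""
IDENTIFIER_FIELDS = ("name", "address", "id_number")


def load_rows(text):
    """Parse collected CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def split_records(rows, identifier_fields=IDENTIFIER_FIELDS):
    """Split rows into three tables: identifiers, code key, coded data."""
    identifiers, code_key, coded_data = [], [], []
    seen = set()
    for n, row in enumerate(rows, start=1):
        subject_ref = f"S{n:04d}"        # appears only in identifiers and key
        code = secrets.token_hex(8)      # random, not derived from identifiers
        while code in seen:              # every subject needs a distinct code
            code = secrets.token_hex(8)
        seen.add(code)
        identifiers.append({"subject_ref": subject_ref,
                            **{f: row[f] for f in identifier_fields}})
        code_key.append({"code": code, "subject_ref": subject_ref})
        coded_data.append({"code": code,
                           **{k: v for k, v in row.items()
                              if k not in identifier_fields}})
    # Shuffle so row position cannot be used to line data up with identifiers.
    secrets.SystemRandom().shuffle(coded_data)
    return identifiers, code_key, coded_data


def relink(code, code_key, identifiers):
    """Re-identify a coded row; needs BOTH the code key and the identifiers."""
    ref = next(k["subject_ref"] for k in code_key if k["code"] == code)
    return next(i for i in identifiers if i["subject_ref"] == ref)


if __name__ == "__main__":
    ids, key, data = split_records(load_rows(SAMPLE_CSV))
    for row in data:
        print(row, "->", relink(row["code"], key, ids)["name"])
```

Because `relink` succeeds whenever the key and identifier tables are brought together, the coded data set stays confidential rather than anonymous, which is why the three files are kept apart.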
The PI should securely destroy data as soon as possible after collection if the research design allows, or at the conclusion of the project and in accordance with any agreements entered into by the university and the research sponsor.