Data Security Guidelines for Research
Maintaining research data securely with the appropriate level of confidentiality, integrity, and availability is critical to ensuring a low-risk threshold for the participants, the researchers, and the University. Principal investigators (PIs) and their research teams should outline the data management and security processes and procedures associated with each of their research projects regardless of whether or not the research involves the collection of personally identifiable data.
- It is important to understand the data you are working with when conducting research as well as it’s corresponding sensitivity. The Sensitive Data Defining & Classifying webpage has information about identifying sensitive data.
- To best determine the sensitivity of your data it is helpful to understand some key terms to help inform the source of your data.
- Anonymous: Data is anonymous if no one, including the researcher, can link the data to the individual that provided it. No identifying information such as name, address, identification number, or other unique individual characteristics making it possible to identify an individual from within the research subject pool are collected.
- Confidential: Data in this category can be linked to the source individual. Research team members are obligated to protect confidential data from unauthorized disclosure outside of the research team. Some ways to prevent unauthorized disclosure of confidential data include:
- Storing research subject identifiers separately from the research data.
- Utilizing a unique code to refer to the research subject’s data. It is important to note that this method does not make the data anonymous.
- Storing the code key and the subject’s identifiers separately.
- De-identified: De-identified data is a data set that has removed any and all direct and indirect identifiers or codes linking the data to the research subjects.
- Information on the Storing Data by Type and Storing Data by Solution pages will assist you in finding the appropriate IT resources for use with your research data.
- The Protect University Data webpage has details on what enterprise-wide storage solution can be used for each data type, how to define and classify data, a template data management plan and a template system security plan.
- All data collection and storage devices must be password protected with a strong password, meaning it meets a level of complexity sufficient to reduce the risk that it will be guessed or stolen by a bad actor.
- Devices used to collect sensitive data must adhere to the secure computer management standard to ensure safe use in the collection and storage of research data.
- If it is necessary to use portable devices for initial collection or storage of identifiers, the data files should be encrypted, and the identifiers transferred to a secure system as soon as possible after collection. The portable device(s) should be locked in a secure location when not in use.
- All sensitive research information on portable devices must be encrypted and locked in a secure location when not in use.
- All data collected on portable devices should be transferred to an approved storage location as soon as possible after collection, and deleted from the portable collection devices.
- Identifiers, data, and keys should be placed in separate; password protected/encrypted files and each file should be stored in a different secure location.
- OHIO Catmail and Calendar services may not be used to collect, store, or transmit identifiable human subjects research data or protected health information (PHI).
- If utilizing any cloud-computing services, including but not limited to “free services," the PI must follow the OHIO Technology Review Process, Protect University Data guidelines, Information Security Standards, and applicable University policies.
- When sending emails to recruit research participants, follow Email Best Practices to prevent the messages from looking like spam or phishing.
- Access to identifiable data should adhere to the principle of least privilege meaning that only those that need to access the data should have access to the data.
Data Retention & Destruction
- Good research data management includes designing the data management plan and research protocol in such a way that data retention and destruction, if applicable, are addressed.
- When designing the data retention and destruction requirements for the data management plan and research protocol the researcher must consider:
- Data type
- Any regulatory requirements associated with the data, and
- Any requirements set forth in agreements and contracts the university entered into with a research sponsor
- The established retention period and corresponding destruction date, if applicable, must be documented within the research protocol.
- If there are Federal requirements for data sharing, or if the researcher has a need to retain the data for further research, at minimum the identifiers associated with the data must be securely removed from the research database and files as early in the process as possible.
- If applicable, the destruction of the data must follow the guidance for securely destroying data.