
Research Data Management: Security, Privacy, and other Legal Considerations

Data management basics and tools provided by the UC-system.

Data Security

Different funders have varying requirements for including data security information in a DMP. NIH's general DMS Policy states they are forgoing a specific prompt in the DMS Plan, and instead believe technical provisions are more appropriately addressed by institutions and repositories. But just because it's not required to be stated in the plan submitted with a proposal doesn't mean it should be ignored. Many NIH institutes, such as NIAID, have individual requirements. UCR ITS will assist in creating a data security plan, which will reduce inadvertent disclosure, release, or loss of sensitive data and/or information.

Understanding Your Data

This section will attempt to address best practices when working with sensitive data. Answering these questions in relation to your grant will also help develop a UCR data security plan and/or answer any prompts in DMPs.

What type of data do you have?

  • Data obtained from an external source, not openly available.
  • Genomic?
    • Human
    • Other
  • Personally Identifiable Information (PII)?
    • DHS PII training: What is Personally Identifiable Information? | Homeland Security (dhs.gov)
    • Also refer to PII definition box
  • Sensitive Information
  • Confidential Information
  • Will you be using this data to invent something or apply for a patent?

If your research project involves any of the above types of data:

  • Do you intend to collect, store, process, or transmit any of the above types of data?
    • Describe which data and the persons involved. “Who” can be research study participants, researchers and other employees or students on the project, the funding agency, etc.
  • Who needs access to the data? 
  • Do they need access to all of it or just some of it?
  • Who is responsible for deidentifying human-related information?
  • Do you need to transfer any of the data to anyone (person or organization) outside of the research group?
    • If so, who? What data? How often?
  • Are there specific funding guidelines for securing data (e.g., NIAID Data Security SOP, etc.)?

Working with Ethnographic and Human Related Data

Data Security in a Nutshell

  • Do not put personally identifiable, sensitive, or confidential information about NIH-supported research or participants on portable electronic devices such as laptops, CDs, or flash drives. If you must use such devices, encrypt your data.
  • Limit access to personally identifiable information through password protection and other means.
  • Transmit research data only when you know the recipient's systems are secure.
  • Talk to ITS Research Computing and the Library to determine what other security policies apply to your research.
     

PII (Personally Identifiable Information)

From NIH RaDaR:

"Personally identifiable information (PII) refers to information that can be used to distinguish or trace an individual’s identity, either alone (direct) or when combined with other personal or identifying information that is linked or linkable to a specific individual (indirect). Some information that is considered to be PII is available in public sources such as telephone books, public websites, and university listings. This type of information is considered to be Public PII and includes, for example, first and last name, address, work telephone number, email address, home telephone number, and general educational credentials. Examples of PII that may in combination allow a person to be identified include gender, race, birth date, geographic location, and disease diagnosis. PII can be more difficult to protect in the rare disease community due to the small number of people diagnosed with a specific rare disease.

The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. Non-PII can become PII whenever additional information is made publicly available, in any medium and from any source, that, when combined with other available information, could be used to identify an individual."