Protect Your Research Data
Protecting Your Research Data and Complying with Laws, Regulations, and Grant Requirements
If you are doing any research, you will want a plan to secure your data from theft, corruption, and loss. You will also want to ensure you are meeting any data protection compliance requirements. These compliance requirements can come from University policy, state laws, federal laws, and governmental and private granting entities. You are often made aware of compliance requirements at the time you apply for a grant, as they are part of the terms and conditions of the grant. Some compliance requirements might not be stated in your grant, however, and you should always do further evaluation.
Risk Management
For any project, you should classify the data you are collecting and evaluate any compliance requirements. Check the requirements in the notice of the grant opportunity, and any documents sent to you after being awarded the grant. Washington State and the federal government may have their own compliance requirements based on data classification as well. Once you know your data's classification and your compliance requirements, you should do a risk assessment. A risk assessment typically includes:
- A list of potential threats to the research data. Threats can originate with:
  - People - Consider malicious or accidental behavior of insiders (e.g., people at Western) that could lead to data exposure or loss. Does someone unauthorized have an interest in your data, or can the data be accidentally deleted? Data can also be stolen by criminals and nation states. Someone on your team may fail to recognize a phishing email with a malicious link, with consequences of stolen credentials, workstation infections, and subsequent access to your data. If you are using consultants or vendors, evaluate the threats they may pose as well.
  - Processes - Evaluate whether your processes to collect and process your data are insecure. An example of a poor process would be a person taking a photo of something confidential on a personal phone and then emailing it to their personal email account.
  - Technology - Could your hardware or software be insecure? Where was your software developed, and is it from a hostile country? Is the place you are storing your data reputable and reliable?
  - Data - Could your data itself be a risk to the project? For example, will poor quality data cause system instability, or are you producing such large amounts of data that it causes your system to crash?
  - Natural or Human-Made Disasters - Could a flood or earthquake result in data loss?
- The likelihood a threat will be realized. After cataloging your threats, evaluate how likely they are to occur.
- The impact if a threat is realized. If the threat is realized, will it have a big impact on your project?
The Information Security Office has a risk assessment template to guide you, and we can also work with you. The University's Risk Management Office and the University's Ethics and Compliance Program can provide additional guidance if needed.
Data Management and Sharing Plans (DMSPs)
When applying for a grant, or sometimes after you receive your grant, you might be required to submit a data management and sharing plan (DMSP). The DMSP requirement is very common for federal grant programs, but other entities may also have a requirement. Funding agencies typically have specific requirements, but data management plans generally include the following:
- The types of data that will be collected and produced during the project.
- The data classification of the data.
- Policies for data access and sharing including provisions for appropriate protection of privacy, confidentiality, security, intellectual property, or other rights or requirements.
- Where you will store the data at all stages of the project.
- How you will document the data so that it remains usable.
- Who is responsible for ensuring data security.
- Required security training.
- What data you plan on sharing or preserving at the end of the project, and how you will do it.
To develop a DMSP, there is an excellent community-supported service, the DMP Tool. The service has a list of requirements by funder, and a free database of many real-world DMSP examples contributed by researchers around the country.
If you need additional support, you can contact the University's Research and Sponsored Programs Office and the Information Security Office.
Data Security Tips for Western's Environment
The University's Securing Information Systems and Affording Individual Privacy Rights policies task every employee with protecting data. Even if your data is not subject to any compliance requirements, and is not considered confidential, it is important to you, and you should protect it from corruption, theft, and loss.
The Information Security Office has some guidance on securely storing and sharing your data which you should review. If you need a method to store or share data other than our recommendations, the Information Security Office will work with you to review your design and ensure data security requirements are met.
If you are working with confidential data and need a data sharing agreement, the University has an approved data sharing agreement template, managed by Contracts, and can provide you a copy.
Your DMSP should include a section on access control. The Information Security Office offers a template to create a data access plan.
Other Resources
These other resources may provide some additional guidance on securing your data:
- Research Security at the National Science Foundation
- National Institute of Standards and Technology (NIST) publication 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
The Information Security Office is here to help you safeguard your data and to ensure your success.