
Getting Started with Information Security

Maintaining research data securely with the appropriate level of confidentiality, integrity, and availability is critical to ensuring a low-risk threshold for the participants, the researchers, and the University. Information security is an important component of designing your research project. Therefore, principal investigators (PIs) and their research teams should document a data management plan that includes the security processes and procedures associated with each of their research projects, regardless of whether the research involves the collection of personally identifiable data.

Developing your Data Management Plan

An effective management plan is a living document that evolves with the research project and consists of the following elements: 

  • Standards
  • Data Classification
  • Software and Storage
  • Access Management
  • Collaboration
  • Data Retention & Destruction

Standards

OHIO has an Information Security Policy (91.005), which establishes OHIO's Information Security Program. This program grants the authority for OHIO's Information Security Office, in collaboration with the IT Security Governance Committee, to develop standards for the protection of University data and systems. The standards set the minimum necessary controls, but do not relieve the University or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation, or contract.

All OHIO faculty, staff, and researchers have the responsibility to adhere to OHIO's Information Security Standards and should reference these standards for guidance when designing their data management plans.

Those who feel that they cannot meet the obligations set forth in a given OHIO Information Security Standard must complete the Information Security Exception Request Form. Requests for an exception from an Information Security Standard are reviewed by the Information Security Office. The risks of not meeting a given standard are communicated to the requestor and to the authorized individuals within the institution who can accept the risk on its behalf. This is in accordance with OHIO's Information Security Risk Management Policy (91.006).

Data Classification

The first step in developing a security strategy for your research is to know how your data is classified. Data classification, the process of categorizing data according to sensitivity or risk level, empowers you to select the right tools and services to protect your research. The Sensitive Data Defining & Classifying webpage has information about identifying sensitive data. Additionally, participant confidentiality within the research data is crucial.

To best determine the sensitivity of your data, it is helpful to understand some key terms to help inform the source of your data.

  • Anonymous: Data is anonymous if no one, including the researcher, can link the data to the individual that provided it. No identifying information such as name, address, identification number, or other unique individual characteristics making it possible to identify an individual from within the research subject pool are collected.
  • Confidential: Data in this category can be linked to the source individual. Research team members are obligated to protect confidential data from unauthorized disclosure outside of the research team. Some ways to prevent unauthorized disclosure of confidential data include:
    • Storing research subject identifiers separately from the research data.
    • Utilizing a unique code to refer to the research subject's data. It is important to note that this method does not make the data anonymous.
    • Storing the code key and the subject's identifiers separately.
  • De-identified: A de-identified data set is one from which any and all direct and indirect identifiers, or codes linking the data to the research subjects, have been removed.

Software and Data Storage

Enterprise-wide storage solutions

  • The Protect University Data webpage has details on what enterprise-wide storage solutions can be used for each data type.
  • Information on the Storing Data by Type and Storing Data by Solution pages will assist you in finding the appropriate IT resources for use with your research data.
  • Popular software packages offered to OHIO faculty, staff, and/or students, including Adobe products, BitLocker, SPSS, and many more.

Devices

  • All data collection and storage devices must be password protected with a strong password, meaning it meets a level of complexity sufficient to reduce the risk that it will be guessed or stolen by a bad actor.
  • Devices used to collect sensitive data must adhere to the secure computer management standard to ensure safe use in the collection and storage of research data.
  • All sensitive research information on portable devices must be encrypted and locked in a secure location when not in use.
    • If it is necessary to use portable devices for initial collection or storage of identifiers, the data files should be encrypted, and the identifiers transferred to a secure system as soon as possible after collection. The portable device(s) should be locked in a secure location when not in use.  
  • All data collected on portable devices should be transferred to an approved storage location as soon as possible after collection and deleted from the portable collection devices.
  • Identifiers, data, and keys should be placed in separate password protected/encrypted files, and each file should be stored in a different secure location.
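
The separation described under "Confidential" in Data Classification and in the last Devices item above can be sketched as follows. This is an added example, not code from the University; the field names, the `S0001`-style subject IDs, and the sample records are assumptions constructed for illustration, and encrypting each output before storing it in its own approved location is left to the approved tools.

```python
import secrets

# Constructed sample records (not real participants).
RAW_RECORDS = [
    {"name": "Alex Example", "email": "alex@example.org", "age": 34, "score": 17},
    {"name": "Sam Sample", "email": "sam@example.org", "age": 29, "score": 22},
    {"name": "Alex Example", "email": "alex@example.org", "age": 34, "score": 19},
]
DIRECT_IDENTIFIERS = ("name", "email")  # assumption: fields treated as identifiers


def split_records(records, identifier_fields=DIRECT_IDENTIFIERS):
    """Split raw records into three tables meant for three separate secure
    locations: identifiers (subject_id -> identifying fields), code key
    (study_code -> subject_id), and coded data (study_code + other fields)."""
    identifiers, code_key, coded_data = {}, {}, []
    seen = {}  # identifying tuple -> (subject_id, study_code); repeat visits reuse a code
    for rec in records:
        ident = tuple(rec[f] for f in identifier_fields)
        if ident not in seen:
            subject_id = f"S{len(seen) + 1:04d}"
            # Random code: cannot be derived from the identifiers, unlike a hash of them.
            code = secrets.token_hex(8)
            while code in code_key:
                code = secrets.token_hex(8)
            seen[ident] = (subject_id, code)
            identifiers[subject_id] = dict(zip(identifier_fields, ident))
            code_key[code] = subject_id
        code = seen[ident][1]
        row = {k: v for k, v in rec.items() if k not in identifier_fields}
        coded_data.append({"study_code": code, **row})
    return identifiers, code_key, coded_data


def leaked_identifiers(coded_data, identifiers):
    """Return identifying values that still appear as field values in the coded data."""
    known = {str(v) for fields in identifiers.values() for v in fields.values()}
    return sorted({str(v) for row in coded_data for v in row.values()} & known)


def relink(study_code, code_key, identifiers):
    """Re-identification needs BOTH the key and the identifiers table, which is
    why the coded data is confidential rather than anonymous."""
    return identifiers[code_key[study_code]]
```

The coded table here still carries `age`, an indirect identifier, so it is coded data and not a de-identified data set in the sense defined under Data Classification.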

Email

Third-Party Vendor Solutions

  • If utilizing any cloud-computing services, including but not limited to “free services,” the PI must follow the .
    • The technology review process consists of reviews for security, digital accessibility, and privacy.

Use of AI Tools with Research

The Information Security Standard: Secure Use of AI Tools provides guidance on how to use these tools safely without putting institutional, personal, or proprietary information at risk. The AI: Cybersecurity Awareness and Guidance webpage addresses this standard and provides a helpful FAQ. 

Access Management

  • Access to identifiable data should adhere to the principle of least privilege, meaning that only those that need to access the data should have access to the data.
  • Appropriate and timely provisioning and deprovisioning of access must occur, meaning that when an individual needs access to data to perform their work, access is granted and once an individual no longer needs access to the data, the access is removed. 

Collaboration

  • When collaborating for research, it is important to ensure that you utilize tools and storage locations that adequately protect your research data. Be sure to adhere to the Software and Data Storage guidance above to ensure the technology used to collaborate is in alignment with information security best practices.

Data Retention & Destruction

Good research data management includes designing the data management plan and research protocol in such a way that data retention and destruction, if applicable, are addressed.

  • When designing the data retention and destruction requirements for the data management plan and research protocol, the researcher must consider the data type, any regulatory requirements associated with the data, and any requirements set forth in agreements and any contracts the university entered into with a research sponsor.
  • The established retention period and corresponding destruction date, if applicable, must be documented within the research protocol.
  • If there are Federal requirements for data sharing, or if the researcher has a need to retain the data for further research, at a minimum, the identifiers associated with the data must be securely removed from the research database and files as early in the process as possible.
  • If applicable, the destruction of the data must follow the guidance for securely destroying data.

Additional Assistance

If you need additional assistance or guidance from an information security perspective, you can request a consultation with OHIO's Information Security Office by .

  • Please note: To effectively provide a consultation or review a contract, the submitter must include a summary of the research project, a data management plan, and all applicable contracts if the data protection agreement is a separate document.