Research Data Security Classifications
High risk data
See a detailed definition and examples of high risk research data, as well as policies and procedures for using and sharing high risk data.
Definitions and examples
Data are classified as High Risk when protection of such data is required by law or regulation, protection is necessary in order for the University or its affiliates to meet compliance obligations, or the unauthorized disclosure, access, alteration, loss or destruction of those data could have a material impact on the University or its affiliates’ mission, assets, operations, finances, or reputation, or could pose material harm to individuals.
Examples include, but are not limited to, occurrences of personally identifiable information (PII) (including social security numbers), protected health information (PHI), any data the University receives that are contractually restricted, or data that are regulated by export control laws or have a national security classification. For some industry sponsored research, the raw data may be considered high risk but the results can be more broadly shared. The breach of confidentiality requirements or other terms related to research data in some research contracts may also involve risk of substantive harm to the University. The University may extend High Risk requirements to items not specifically listed above as warranted.
Process for handling high risk data
Access and use
Access to High Risk data must be carefully safeguarded. High-Risk data must be stored, used, and disclosed to those who have a documented need, and who follow the appropriate access management procedures. Such procedures may require special training, data use agreements, IRB approval, or other documentation. Protection of High-Risk data is the responsibility of everyone who is granted access or uses such data by adhering to University policies for the handling of such data. For example, a technology control plan may be required.
Alternatives to using High Risk data should be identified and used whenever possible. For example, de-identified patient data should be used instead of a data sets that include patient identifiers whenever possible.
Specific University policies may apply to particular data in this classification, e.g., Security of Electronic Protected Health Information, Information protected by FERPA, etc. See Policy Appendix B for related policies.
Willful or repeated misuse of high-risk data can result in penalties or sanctions. Within the university these penalties may range from restrictions on an individual’s access to high-risk data for research up to and including dismissal from the University. If federal or state laws are violated, criminal prosecution may result.
High Risk data must be protected even if (and particularly when) the data are allowed to be shared outside the University. Disclosure of High-Risk data to a third-party agent or vendor must be approved by the University and is permitted only if the agent or vendor assumes a legally binding obligation to safeguard the use and disclosure of the information. These arrangements should be codified in a data use agreement negotiated through ORPA utilizing the IORA Agreements module.
Storage and application
High Risk Information in paper form must be stored in locked or otherwise secured areas when not in active use. High Risk Data in electronic form must be stored securely according to established university procedures (see Policy Appendix C). As a general rule, High-Risk data should never be stored on personal laptops or other personal storage devices and investigators should look for secure cloud solutions to store and analyze their data. For example, for cloud storage or shared access, high-risk data should be stored on Box, not Dropbox. In situations where High-Risk data must be stored on local devices, appropriate security measures must be in place, including but not limited to, encryption and the ability to delete data remotely in the event that the devise is stolen or lost. In the case of human subject research data, protocols should be reviewed and approved by the Research Subject Review Board and the Guideline for Human Subject Research Data Security Requirements must be followed, including the completion of the University of Rochester Human Subject Research Electronic Data Security Assessment Form.
High Risk data stored, processed, or managed by vendors or other third parties must also be similarly protected. Contact an Information Security Officer (email InfosecRiskandCompliance@UR.Rochester.edu) or a Privacy Officer for advice and assistance.
Transmission
Reports and communications should not include High Risk Information unless essential to perform the function for which the communication is made. Transmission of High-Risk data must be by secure methods. If High-Risk data are transmitted by e-mail or other electronic transmission, they must be encrypted or otherwise adequately protected. The electronic exchange of High-Risk Information outside of the University of Rochester must have proper approval in the form of a data use agreement approved by ORPA, and follow documented procedures (see Policy Appendix C).
Labeling
Information that is classified as High Risk should be clearly labeled as such. It is a best practice to provide such a label to warn others clearly that this information is High Risk and should be treated accordingly.
Destruction
When a record containing High-Risk information is no longer needed according to record retention guidelines, it must be disposed of in a manner that makes the High-Risk data no longer readable or recoverable. Destruction of paper records containing High Risk data normally should be accomplished by shredding. Destruction of electronic records containing High-Risk data begins with deleting the data from its storage location(s), i.e., from all systems and devices including email, trash, backup, and file storage. Refer to IT security for implementing appropriate measures.
Reporting unauthorized disclosure of high-risk information
Prompt reporting of unauthorized disclosure of High-Risk Information is essential for the University to meet its obligations under law, regulation, and contract. The office to which violations should be reported depends on the nature of the violation. Violations around human subjects research should go to OHSP, export control to the Office of Research Project Administration (ORPA), Protected Health Information to a URMC Privacy Officer, etc. If uncertain as to which office should be contacted, ORPA or the Office of Counsel can provide direction. The University will not take disciplinary action against any person solely because of their good faith reporting of a disclosure. Individuals who report violations of this Policy will be protected from retaliation resulting from providing information. Individuals who report violations of this Policy to the Integrity Hotline can remain anonymous.
Moderate risk data
Reference a detailed definition and examples of moderate risk research data, as well as understand procedures for using and sharing moderate risk data.
Definitions and examples
Some research data is appropriate for sharing with others at the University or with research collaborators outside the University, but is not appropriate to be known by or shared with the general public. Data should be classified as Moderate Risk where the unauthorized disclosure, access, alteration, loss or destruction of those data would be expected to have an adverse but not material impact on the University and its affiliates’ mission, assets, operations, finances, or reputation, or only limited harm to individuals. Such data can be made available to members of the University community or close collaborators at other institutions with a related research interest, and is not restricted by local, state, national, or international statute regarding disclosure or use.
Examples include, but are not limited to, preliminary or unpublished research data, grant application related documents, correspondence, and salary information. Experimental data generated under grants (NIH, CDC, NSF, etc.) which does not contain regulated data elements (PHI, etc.), but is not ready for public release would be considered moderate risk. (Pre-publication posting of manuscripts is not considered even moderate risk, but best policies would be to NOT release the raw underlying data prior to publications.)
Note that the analysis of large“de-identified” datasets to identify specific individuals is an evolving field, and investigators should work with the Office for Human Subject Protection (OHSP) and the University of Rochester Medical Center (URMC) Privacy Office to ensure that the data are truly de-identified according to current standards.
Distinctions in risk level may exist between data disclosure and data loss. For example, data generated collaboratively across institutions but archived at UR would represent a moderate risk for loss or compromise, but once published or released publicly, could be shared freely. In such a case, moderate risk precautions should be taken to ensure data preservation and integrity to avoid data loss, but once results are made public the data may be otherwise treated as low risk for disclosure.
Some research data may be considered to be “dual use,” meaning that although the research itself is focused on basic knowledge or societal benefit, the data may have alternative use as the basis for military or nefarious applications. When research activities involve select agents, advanced technology development, or infectious agents, careful consideration should be given to the potential misuse of the data in determining the level of classification before sharing. For clarification of risks related to dual use, consult the University export control officer or the University biosafety officer.
In some situations, potentially publishable data collection and analysis may be done on operations (particularly in the clinical realm). There may be special privacy or reputational risks associated with the sharing or release of such data. Individual units may have more restrictive policies around the public release or use of data related to their operations.
Process for handling moderate list data
Access and use
Moderate-risk data are not intended for public dissemination in general, but they may be released to external parties at the discretion of the investigator, recognizing that there may be some risk associated with such disclosures. As the steward of the data, the investigator is likely the best person to assess the nature of the risks of sharing unpublished data and the potential benefits of doing so. Moderate risk institutional data associated with research are governed by university policies on Institutional data (e.g. salary information). An exception to the sharing of research data per se is the sharing of de-identified data from human subjects. Any sharing of human subject data must be consistent with the permission given during the consenting process (e.g. signed consent document). In this case, the growing ability to use de-identified data (particularly genetic data) to re-identify study subjects creates a greater than usual risk for sharing these data. In this case, data use agreements and approval by the IRB should be used to ensure proper protections of human subjects. If investigators have questions about the consequences of data sharing, they should confirm with ORPA that there are no strict requirements associated with sharing the particular Moderate-Risk data in question.
storage and protection
Moderate Risk Information should be protected behind electronic firewalls or in private paper files in secured offices and should not accessible by the public or the University community at large.
Transmission
Moderate Risk data can be freely shared with appropriate parties within the University environment. If investigator elects to share their data outside the University, appropriate safeguards should be in place to guard against dissemination of the data more broadly than intended. For example, the use of secure websites or encryption may be appropriate in some circumstances.
Labeling
Information that is classified as Moderate Risk does not require labeling for internal use and distribution. If data are shared outside the University, the investigator should evaluate whether the receiving party is trusted or if a formal data handling agreement is needed (except in the case of human subjects data, in which case a data use agreement is required).
Destruction
Disposition of Moderate-Risk research data should adhere to guidelines of the funding agency for data archiving.
Low risk data
Definition: Data should be classified as Low Risk where the unauthorized disclosure, access, alteration, loss or destruction of that data would not be expected to have any effect on the University and its affiliates’ mission, assets, operations, finances, or reputation, would not be expected to pose any harm to individuals, or where such data are intended for public disclosure.
Examples: Examples include de-identified or non-human research data, and published research data, as well as data that are contractually required to be released or already reside in a publicly accessible repository.
Access and use: Low-Risk data are available to all members of the University community and may be released to the general public. In many cases, particularly for sponsored research, the sponsor may require public access to the data.
still have questions?
We’re here to help
If you have questions about these processes or need additional support, the Data Governance and Support Office can help.