Research Data Management (RDM): Data Storage & Security

Improper research data management practices can lead to significant security risks.  The types of risk encompass various areas of seriousness, including breaches of confidentiality, integrity, privacy, legality, and human risk. 

It's imperative for researchers to:

• understand the types of risk that can occur
• be aware of practices for securing and protecting research data

Know your research data:  what it is, and where it's located
Maintain an inventory of your data (and keep it up-to-date)
Record details of who owns the data created by the research
Be aware of the location in which the research data is held (eg repository, personal device etc)
Record the back-up details:  the parties responsible for data back-up; the location where backed-up data is held; the back-up frequency       
 

Be vigilant about matters of confidentiality
Be alert to ethical requirements regarding the collection, storage and disclosure of personal and confidential information
When in doubt, seek expert advice to ensure that proper procedures for protecting personal identifying information and confidentiality are met
 

Understand the expectations placed on researchers
Various parties (including your own institution) will have input and expectations surrounding your research processes. 
Pay attention to their expectations, and be prepared.  Avoid uncertainty by seeking advice when in doubt
 

Research data security:  whose job is it?
Roles and responsibilities for research data management can be held across an institution
Take steps to identify "who does what" in the RDM space
You will find people capable of offering help and advice on a range of RDM matters
You may find Research Office staff; Institutional Repository and Library staff; and ICT people all playing unique roles in RDM processes

Source:  Educause, 2017, "Top information security concerns for researchers", https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/toolkits/top-information-security-concerns-for-researchers      

Managing confidential and other sensitive information:  The researcher's role is ...

• "to exercise care in handling confidential or other sensitive information used in or arising from a research project to ensure that the security and privacy measures that are used for research data and primary materials are proportional to the risks associated with the confidentiality or sensitivities of these data and materials"

Which categories of research data carry obligations of confidentiality, or other sensitivities?

• "data or information that is commercial-in-confidence or that is inherently confidential and which has been provided in confidence (e.g. secret and sacred religious or cultural practices, or information on the location of vulnerable species)
• sensitive data or information subject to privacy legislation (e.g. identifiable human medical/ health and personal data or information)
• data or information subject to classification regimes and other controls (e.g. national security information, police records or information and primary materials subject to export controls)"

To which aspects of research data management do these obligations relate? 

• These obligations relate to storage, access and sharing of the data and information  
• They should be recorded in a data management plan  
• Sensitive research data may be appropriately shared through mediated access arrangements and the application of a risk assessment framework.

Source:  These statements are derived directly from the NHMRC publication  "Management of Data and Information in Research: A guide supporting the Australian Code for the Responsible Conduct of Research. 2019,   National Health and Medical Research Council, Australian Research Council and Universities Australia. Commonwealth of Australia, Canberra"

All material presented in this NHMRC publication is provided under a Creative Commons Attribution 4.0 International licence (www.creativecommons.org.au)

Investigate and implement adequate steps to secure your data against loss

• Regularly assess your data and storage options to ensure that they remain secure   
• Strict attention to data security is vital:  data that goes missing, or is stolen or misused, can result in reputational damage for the research team
• Investigate storage options in your institution.  Is there a secure data-store available for depositing your research data?  Are there institutional regulations about the processes, locations and conditions related to research data?

Source:   ACU RDM Toolkits  

Consider appropriate locations for storing original data and backups.

• Storage devices such as USBs and hard drives can be easily misplaced, or malfunction
• Desirable option:  duplicate all data, and store duplicates in locations away from the originals
• Check funder specifications:  they may have mandated data storage requirements

• Set a realistic schedule for backing up data
• Think about the rate at which the data is being collected
• If changes to the data are frequent, then your backup and storage schedule will be at a high frequency
• Remember that diligence in data storage and backup is a key feature of keeping the data secure

Source: Sewell, C  2020, The No-Nonsense Guide to Research Support and Scholarly Communication, Facet Publishing, UK

• Enable re-use of your data by assigning appropriate licences  (Creative Commons)
• Make preparations for the destruction of confidential or disused data – seek advice on secure methods for doing this  

Considerations for storing non-digital data

Ensure that the conditions under which the material is stored will not impact its durability  

Check that your proposed storage area is climate-stable, structurally sound, and physically appropriate ie free of damp, fire risk, insect pests etc  

Devise, document and communicate a system for securing and accessing the material by those who are authorised:  include matters of security (eg keys, passwords); rules surrounding removal of materials; and check-out/check-in procedures   

Decide who is responsible for authorising access to the non-digital data by others.  Work out the process, and communicate it.  

Decide who is responsible for documenting, organising, labelling, storing, maintaining, and checking the non-digital data.