Questions?
Please use the contact section in the governing policy.
Overview
This procedure assists our University research community and Principal Investigators (PIs) in classifying and identifying the security level of research data. PIs must ensure that research data are protected according to applicable specifications in Administrative Policies: Data Security Classification and Security Level and Information Security. Data owners are responsible for determining the data classification level. See Appendix: Data Classification Owner/Custodian Table. Data cannot be moved between classifications or be subject to a different classification by an individual other than the data owner.
Research data may be classified as Private-Highly Restricted, Private-Restricted or Public by the data owner. The security level is assigned to technology and is primarily derived from the data security classification. Security level also includes consideration for the need to protect the integrity and availability of the technology. The security levels for technology used to secure or handle research data are High, Medium, or Low, and additional controls may be required based on other agreements, regulations, laws, or compliance frameworks. The security level is used in the Information Security standards to determine whether a security control is required, recommended, or optional at that level.
Research data may be subject to specific compliance requirements (e.g., HIPAA, FERPA). Additional controls beyond those specified in the standards may apply. Contact the appropriate Compliance Officer or refer to the Institutional Review Board (IRB) process for details.
Determining Security Level for Research Data
| Data Classification | Examples | Security Level | Classification Procedure |
|---|---|---|---|
| Private-Highly Restricted | Research or proprietary data from an external entity subject to government dissemination restrictions<br>Research data subject to external Data Use Agreements, laws, regulation | HIGH + Custom | SPA or UFRA reviews contractual agreements with PI |
| Private-Highly Restricted | Health Information<br>Research Health Information (RHI) | HIGH + HEALTH | HIPCO determines category of health data during IRB review |
| Private-Highly Restricted | Sensitive Research Data | HIGH | HIPCO determines category of health data and IRB indicates data are sensitive during IRB review; or PI identifies |
| Private-Restricted | Non-sensitive Human Participant Data | MEDIUM | HIPCO determines category of health data and data is adequately de-identified during IRB review<br>FERPA compliance office determines FERPA applies with appropriate consents<br>Pseudonymization determined by non-US collaborator or, if necessary, ECRS |
| Private-Restricted | Non-sensitive, proprietary data - not subject to government dissemination restriction | MEDIUM | PI identifies, consults with SPA as necessary |
| Private-Restricted | Student Data (FERPA) | MEDIUM | FERPA compliance office determines FERPA applies with appropriate consents |
| Public | Research data that could be made public<br>Published research data<br>Anonymized and aggregated data collected from human participants that cannot lawfully be re-identified | LOW | PI identifies<br>FERPA compliance office determines student data is adequately de-identified during IRB review |
Process
Principal Investigators Classifying Research Data
Refer to the information provided in the table above to determine the data classification and security level for the research data.
- Identify the required minimum necessary research data elements within the comprehensive data set prior to the collection of the data.
- Review any associated data use agreements or contracts for specific restrictions such as government, industry, or other restrictions imposed via contract terms. The research grant or contract may need to be reviewed to determine the type of additional restrictions that apply.
- HIPCO determines if data is Health Information and what Health Information regulations apply to the data.
- If HIPCO determines that Health Information regulations do not apply and the data is adequately de-identified or anonymized during the IRB review phase, the data is considered private restricted and may follow a MEDIUM security control level. For further guidance, see the published HIPCO De-identified Data Sets and Limited Data Sets document.
- FERPA Compliance Office determines if FERPA applies or does not apply, and provides guidance regarding any required consents or de-identification.
- Consult the table above to determine the appropriate classification procedure for your research data.
- Contact the appropriate compliance officer. See Appendix: Data Classification Owner/Custodian Table to determine if other laws or regulations apply (i.e., FERPA, GDPR, PCI, GLBA).
- If the data has not been classified or requires clarification, consult the data owner responsible for similar types of data. Data owners are responsible for determining the data classification level. See Appendix: Data Classification Owner/Custodian Table.
- If the data has already been published for public consumption, the data are classified as Public.
- Examples of research subject to government restrictions:
  - Protected Health Information (PHI)
  - Technical data or software subject to the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR)
  - Controlled Unclassified Information (CUI)
  - Federal Contract Information (FCI)
  - Covered Defense Information (CDI)
  - Data subject to cybersecurity requirements administered by the National Institute for Standards and Technology (NIST) (NIST SP 800-53, 800-171, etc.)
  - Data subject to Federal Information Security Management Act (FISMA)
  - Data subject to Federal Risk and Authorization Management Program (FedRAMP)
- Determine if the data is subject to dissemination or publication restrictions.
- University Enterprise data used for the purpose of conducting research must adhere to existing procedures as defined in Administrative Policy: Information Security. See Administrative Procedures: Sharing Data with Audiences External to the University and Sharing Data with Audiences Internal to the University.
- Follow the University of Minnesota’s Administrative Policy: Information Security and its defined security controls and standards for the security level at which the research data has been classified. The following security levels most frequently apply to technologies that interact with research data. A PI must meet all other data security requirements and controls that may be specifically required under the terms of a contract or grant or other agreement or under laws and regulations associated with research data.
  - HIGH:
    - Regulated Data: Apply the defined HIGH + Custom security controls, along with any additional requirements from regulations, laws, or other controls that may mandate further security measures beyond the University’s Information Security Standards. Contact SPA for assistance regarding controls for regulated data.
    - Health Information: Apply the defined HIGH + Health, Health Information Minimum Security Controls (login required).
    - Sensitive Research Data: Apply the HIGH security controls defined in the Information Security standards.
  - MEDIUM:
    - Apply the MEDIUM security controls defined in the Information Security standards.
  - LOW:
    - Apply the LOW security controls defined in the Information Security standards.
- Once the appropriate classification has been identified, reference resources identifying appropriate storage locations: Storage Selection Tool and Computer Device Guide for Research.
Frequently Asked Questions
Where can I find further guidance on HIPAA-related health information compliance (e.g., securing research data, CTSI Clinical Data Repository, De-Identified Data Set or Limited Data Sets)?
The Health Information Privacy and Compliance Office (HIPCO) has guidance to help researchers in these compliance areas.