Printed on: 04/18/2024. Please go to policy.umn.edu for the most current version of the document.
University of Minnesota  Administrative Policy

Research Data Management: Archiving, Ownership, Retention, Security, Storage, and Transfer

Sidebar

Expand all

Sidebar

Table of Contents

Questions?

Please use the contact section below.

Leave Feedback

Policy Statement

Management of research data is a shared responsibility among: the Research Innovation Office (RIO); the Office of the Vice President and Chief Information Officer (OVPCIO); Health Sciences; the University Libraries and system campus libraries; the colleges, schools and system campuses; and the Principal Investigator (PI).

University ownership and stewardship of research data that are generated or acquired by faculty, staff, and students through the use of University facilities and resources are based on applicable laws and regulations, sponsorship agreements, University policies, and sound management principles.

Ensuring that (i) research data management needs and regulatory obligations, including preservation and long-term accessibility, are met for critical, high-value research data, and (ii) operational considerations with respect to the various types of research data are captured is the joint responsibility of the Vice President for Research and Innovation, the Vice President and Chief Information Officer, the Vice President for Clinical Affairs, and the University Librarian and Dean of Libraries.

Ownership and Stewardship of Research Data

Unless superseded by specific terms of sponsorship or other agreements or University policy (see Administrative Policy: Copyright Ownership and Board of Regents Policy: Commercialization of Intellectual Property Rights (PDF)), the University owns all research data generated or acquired by University employees (faculty and staff) or non-student trainees or fellows (not employed by the University) through research projects conducted at or under the auspices of the University of Minnesota, regardless of funding source.

Students own research data that they generate or acquire in their academic work, unless the research data are:

  • generated or acquired within the scope of their employment at the University;
  • generated or acquired through use of substantial University resources; or
  • subject to other agreements that supersede this right (e.g., Research Data Ownership Acknowledgment form signed by student and PI).

Research data generated or acquired by students outside of their academic work or by volunteers through research projects conducted at or under the auspices of the University of Minnesota, regardless of funding source, are owned by the University unless superseded by specific terms of sponsorship or other agreements.

Multiple organizations or individuals may share ownership of research data, for instance, if the research data are generated or acquired through collaborative research.

The PI is the steward of the research data that are under their control. PIs are responsible for managing access to research data under their stewardship. PIs will select the vehicle(s) for publication or presentation of the data. PIs decide whether or not to share research data, including placing research data in public repositories, unless specific terms of sponsorship or other agreements supersede this right.

The University has the option to take custody of primary research data to ensure appropriate access in case of an allegation of research misconduct (see Administrative Procedure: Conducting an Inquiry).

Retaining and Archiving Research Data

PIs are responsible for ensuring that critical, high-value research data under their stewardship are preserved.

The PI is responsible for determining what needs to be retained in sufficient detail and for an adequate period of time to enable appropriate responses to questions about accuracy, authenticity, primacy, and compliance with laws and regulations governing the conduct of research.

PIs must retain research data for at least the minimum period required by applicable laws and regulations, sponsorship requirements, or other agreements. PIs may choose to retain the data beyond the minimum period, up to any deadline specified by laws, regulations or other agreements. Retention periods might be longer for data underlying published research.

PIs must ensure the destruction of research data when required by laws, regulations, or other agreements, on or before a specified deadline, and follow the applicable process for destroying research data:

Transfer of Research Data

If a PI leaves or joins the University or a project is moved to or from another institution, the PI may request that a copy of the research data be transferred. (See Administrative Procedure: Transferring Research Data.)

Meeting Data Management Requirements

The PI is responsible for educating all participants in the research project of their obligations regarding the research data, carrying out their data management plan (if applicable), and for protecting the University's rights and ability to meet obligations related to the research data.

If the PI is a group of researchers, the group must either take on joint responsibilities for complying with this policy or delegate different responsibilities to different members of the group.

The PI; relevant colleges, schools, and system campuses; and Sponsored Projects Administration (SPA) are jointly responsible for identifying research data management requirements that go beyond standard requirements as soon as the requirements become apparent. SPA must be notified and keep a record of such requirements. Furthermore, colleges, schools, and system campuses must inform the SPA if they sign contracts that include stipulations for research data management, including security and retention needs that go beyond standard requirements, e.g., NIST Cybersecurity Framework requirements.

The PI is responsible for working with University administrative and academic units to ensure compliance with this policy.

  • As soon as it becomes apparent, whether prior to or after acceptance of a grant or contract, that the PI cannot meet the responsibilities specified, the PI must consult with appropriate University officials in their colleges, schools, or system campuses.
  • Colleges, schools, and system campuses are responsible for responding to and working with a PI if they cannot meet any of the responsibilities assigned to the PI described in this policy.

When the responsibilities assigned to the PI described in this policy exceed the capacity of the PI's college, school, or system campus, the respective college, school, or system campus is responsible for informing the Executive Vice President and Provost and working with RIO, OVPCIO, and Health Sciences (in case of health-related research data) to assist the PI in meeting research data management needs. If the research data management needs cannot be met by the University, the PI must be informed in a timely and transparent manner.

The Vice President for Research and Innovation, in consultation with the VP and CIO, the VP for Clinical Affairs, the University Librarian and Dean of Libraries and the Chief Financial Officer, has the authority to deny acceptance of grants or contracts if the University cannot meet the data management requirements of the sponsor.

Securing Research Data

PIs must ensure that research data are protected according to application specifications in Administrative Policies: Data Security Classification and Information Security. PIs can request a risk assessment to determine security requirements and must collaborate with University Information Security if requested in accordance with the Administrative Policy: Information Security Risk Management. PIs must meet all other data security requirements that may be specifically required under the terms of a contract or grant or other agreement or under laws and regulations associated with research data.

Reason for Policy

Research data management is based on (a) the University's commitment to research excellence and fostering discovery, (b) applicable laws and regulations, (c) the University's need to enable appropriate responses to questions about accuracy, authenticity, and primacy of research conducted under the auspices of the University, (d) the University's interest in supporting and commercializing intellectual property, and (e) the continuing value of the research data to the PI and the research community. The research environment is changing due to the exponential growth of data, legislative and sponsor mandates on data management, and new solutions for data storage.

This policy will:

  • clarify responsibilities and accountability with respect to research data management, which is shared among multiple units;
  • aid in decision making with respect to acceptable practices for management of research data;
  • promote coordination between support providers to ensure that services meet the functionality needs of the University research community and avoid overlap or competing service offerings; and
  • help the University to assure compliance with all applicable laws and regulations and internal requirements with respect to research data management practices, data storage, data security, and sharing and dissemination of research data.

Contacts

SubjectContactPhoneEmail
Primary Contact(s)James Wilgenbusch612-624-1355[email protected]
Responsible Individuals
Responsible Officer Policy Owner Primary Contact
  • Vice President for Research and Innovation
  • Director of Research Computing
  • James Wilgenbusch
    Director of Research Computing

Definitions

Critical, High-value Research Data

Data that (i) enable appropriate responses to questions about accuracy, authenticity, primacy, and compliance with laws and regulations governing the conduct of research; (ii) are necessary to validate research findings and cannot be easily regenerated if lost; or (iii) have high potential to be reused by researchers in other significant research.

Retention

Retention refers to the University-Wide retention schedule as well as individual unit retention schedules. Retention schedules detail how long records and information must be kept for legal, historical, and administrative needs. 

Principal Investigator (PI)

The individual or individuals primarily responsible for and in charge of a research project.

Research Data

Recorded factual material commonly accepted in the scientific or scholarly community as necessary to validate research findings, excluding preliminary analyses, drafts of scholarly or scientific work, plans for future research, peer reviews, communications with colleagues, and physical objects (e.g., laboratory samples).

Substantial University Resources

Resources provided by the University that go above and beyond what is customarily provided to University employees or students. Substantial resources will vary by department/unit and context. To be substantial, the resources must be beyond the ordinary and must be more than what other members of the department or students in similar situations are regularly offered as support for their work.

Use Cases

Use cases capture and describe system requirements and minimum security standards for data. A use case represents a specific example of data types together with workflow steps to achieve a research goal.

Responsibilities

VP for Research and Innovation, VP and CIO, VP for Clinical Affairs, and the University Librarian

  • Jointly responsible for ensuring that research data management needs and regulatory obligations, including preservation and long-term accessibility, are met for critical, high-value research data, and operational considerations with respect to the various types of research data are captured.
  • Evaluate existing research data management solutions across the University.
  • Determine future research data management requirements.
  • Appoint and oversee the work of the Institutional Cyberinfrastructure Group (ICIG).

Vice President for Clinical Affairs

The Vice President for Clinical Affairs, through the University's Health Information Privacy and Compliance Office (HIPCO), oversees regulatory compliance for all health care/patient related data to ensure that University research data management practices meet applicable laws and regulations, including HIPAA and HITECH, for health related data. They are also responsible for managing all health care/patient related data.

  • storage, security, and access management to such data;
  • retention, preservation, and proper destruction of such data;
  • privacy; and
  • sharing of health related data, whether within or external to the University.

These responsibilities cover health-related data, including data originating from University health care partners and other external parties, unless superseded by specific terms of sponsorship or other agreements.

Colleges, Schools, and System Campuses

Work with RIO, OVPCIO, and AHC (in case of health-related research data) HIPCO to:

  • identify and track their research data management needs, including future capacity needs, and inform the Executive Vice President and Provost about those needs.
  • manage the departure of a PI leaving the University where the University intends to continue ownership of the research data. The college where the PI resided must designate a person responsible for ongoing data management.
  • manage written requests to send a copy of University research data to another organization

Office of the Vice President and Chief Information Officer (OVPCIO)

Responsible for the information technology strategy for the University, which includes a strategy for research data storage, archiving, and information security and addresses the information technology needs of the University, including the needs of research data storage.

Research and Innovation Office (RIO)

The VP for Research and Innovation is responsible for ensuring that:

  • research data management practices meet state and federal regulations, sponsor requirements, and University policies;
  • research data management practices do not conflict with other University policies or interests, such as the protection of research subjects, national security interests, intellectual property, or technology transfer;
  • non-compliance concerns with associated partner units are reviewed;
  • risks associated with data management in research are monitored; and
  • risk mitigation is done in collaboration with associated units.

Principal Investigator (PI)

  • Determines what needs to be retained in sufficient detail and for an adequate period of time.
  • Manages access to research data.
  • Selects the vehicle for publication or presentation of the research data.
  • Shares research data, including placing research data in public repositories, unless specific terms of sponsorship or other agreements supersede these rights.
  • Is responsible for ensuring that critical, high-value research data under their stewardship are preserved.
  • Educates all participants in the research project about their obligations regarding research data.
  • Alerts Sponsored Projects Administration (SPA) if a grant or contract may require management of research data that go beyond standard requirements.
  • Ensures that all appropriate data security requirements are met and follows the applicable process for destroying research data.
  • Responsible for working with University administrative and academic units to ensure compliance with this policy.

Sponsored Projects Administration (SPA)

Identifies and tracks sponsor requirements for research data management, including security and retention needs that go beyond standard requirements. Communicates exceptional sponsor requirements for research data management to the PI and administering unit of the grant or contract, and if needed, to other units, such as the Libraries, OIT, or the ICIG.

Institutional Cyberinfrastructure Group (ICIG)

The Institutional Cyberinfrastructure Group (ICIG) reports back regularly to the VP for Research and Innovation, the VP and CIO, the VP for Clinical Affairs, and the University Librarian and Dean of Libraries (Twin Cities campus), who, in turn, assign primary responsibilities for implementation to respective units. The implementation of each of the research data management solutions becomes the responsibility of the unit to which primary responsibility is assigned, but must be consistent with University technology standards developed by OIT.

The ICIG operates in an advisory capacity and includes representation from the University research community and those responsible for managing research data. The ICIG:

  • develops, maintains, and regularly updates a categorization scheme for research data based on use cases;
  • solicits and receives use cases from PIs; colleges, schools, and system campus administrators; or other unit administrators involved in research data; and
  • makes recommendations for central research data management solutions when non-central research data management solutions do not meet regulatory requirements and contractual obligations; do not align with the University's risk tolerance; may exceed the college, school or system campus' capacity; or may lead to inefficient use of resources.

The ICIG will take into account the varying capacities of colleges, schools and system campuses to manage research data when recommending solutions.

Leaders in Units other than Colleges, Schools, and System Campuses

Work with RIO, OVPCIO, and HIPCO to identify and track their research data management needs, including future capacity needs.

University Librarian and Dean of Libraries

  • Ensures accessibility and preservation of research data through curation, metadata, repositories, and other access and retrieval mechanisms to meet federal, state, sponsor, and University requirements.
  • Trains and supports researchers in the creation and implementation of data management plans.
  • Assists campus library directors if their assigned responsibilities exceed campus capacity.
  • Works with campus library directors to develop research data management solutions system-wide, where appropriate.

Related Information

Board of Regents Policies

Administrative Policies and Procedures

Other Related Information

History

Amended:

November 2023. Comprehensive Review. Changes made to reflect name changes to key governance groups and governance groups that no longer exist to address unit name changes to key UMN organizations and changes in the data management requirements of sponsored research organizations. Updates were made to address requirements for data retention and archival not just destruction of records.

Additional appendices were added for reference and completeness and some small changes were made for clarity and consistency.

Amended:

September 2018 - Comprehensive Review, Minor Revisions: Changes in senior leadership structure and terminology about Human Research Protections incorporated into this policy.

Effective:

December 2014 - New Policy, 30 Day Review. 1. Clarifies ownership and stewardship of research data, transfer to other institutions, and access by third parties. 2. Establishes the high level guidance for coordinating the institution's efforts to satisfy research data storage and associated infrastructure needs.