Secure Research Data Strategy

v2.0, September 2021

The University of Chicago Research Data Protection Policy requires Principal Investigators to understand and comply with any security or privacy obligations associated with research data that falls within section V of the policy – Restricted Data and Personally Identifiable Information.  Research data requires a higher level of protection if it has any associated liability, either for people the data describe, for the Data Provider supplying the data to the University, or for the University because of regulatory or contractual obligations associated with the data or ethical or scholarly concerns associated with the data. This is how the CISO’s Office understands the term “Restricted Data” as used in the Research Data Protection Policy.

The Research Data Protection Policy places responsibility for approving information security measures implemented to protect the security of Restricted Data and aiding Principal Investigators and Information Technology personnel in implementing such measures on the Chief Information Security Officer (CISO).

This guide is provided by the CISO’s Office to help Principal Investigators, their staff and students, Institutional Review Boards, IT Directors and their staff, University Research Administration staff, departmental Research Administrators, and others to identify suitable means by which to store and process research data sets. However, only the CISO’s Office or others specifically designated by the CISO have authority to determine acceptable security protections for a given data set.

This Guide does not address classification and protection of administrative data used for University operations. For that, refer to the UChicago Sensitive Data Usage Guide which includes a list of Sensitive Data Types.

Given a particular research data set, the first section below, “Research Data Classification”, illustrates the criteria used to determine what Protection Level is needed to adequately protect that data set. The second section, “Protection Levels”, identifies the standards by which a given computing environment can be determined to provide one of three security Protection Levels: Low, Moderate or High.

Research Data Classification

The Protection Level that should be used to protect a given research data set is determined by the type of data, by its source (or Data Provider), or by particular security or privacy obligations associated with the data. In the following table, the resultant Protection Level is the higher of the levels indicated by the criteria in the “Research Data Type or Source” and “Privacy and Security Obligations” columns.

Data Use Agreements, other contractual obligations, and IRB determinations may result in differing protection level requirements. In these cases, the CISO’s Office will recommend a protection level, but the higher level is most often the best route.

Protection Levels

This Guide refers to three categories of security protection: Low, Moderate, and High. The types of measures needed to protect sensitive research data at each level are indicated below, as are examples of research data types, or characteristics of those data types, or of the security and privacy obligations associated with them through DUAs or approved IRB protocols.

This guidance is informative, not normative. Good judgment, informed by standards, is needed to ensure that protective measures in a given circumstance are sufficient while not overly burdensome. Guidance about who can make those judgments in which circumstances is incorporated into the tables below.

Greater protection can be applied than the minimum required! The Research Computing Center’s Secure Data Enclave provides High protection; that may be the simplest way to ensure sufficient care is being taken to comply with security and privacy obligations and safeguard the interests of those to whom the data pertains.


Each entry below lists, for one Protection Level, the Research Data Type or Source, the Privacy and Security Obligations, the Protective Measures, and Who Can Validate.

Protection Level: None

Research Data Type or Source:
  • Data that is made publicly available by its source.

Privacy and Security Obligations:
  • None – no contractual obligations, no regulatory obligations.

Protective Measures: Minimal

Who Can Validate: N/A

Protection Level: Low

Research Data Type or Source:
  • Personal information whose breach would result in at most minimal harm to those it pertains to and at most minimal harm to the University.
  • Non-personal confidential information, e.g. purchased commercial data sets with contractual terms that have minimum security requirements.
  • Education records produced by the University of Chicago as defined by FERPA. For this purpose, the University of Chicago Laboratory School is considered to be a different educational institution than the University of Chicago.

Privacy and Security Obligations:
  • DUA likely includes terms like
      – “Data User shall use appropriate safeguards to prevent use or disclosure of the data other than as provided for by this Agreement”
      – “Don’t combine the Data with other data sets”
  • DUA requires simple security measures like
      – Device encryption
      – No remote access
  • Destroy data following the termination or expiration of the Agreement.

Protective Measures:
  • Each computer used to store, process, or access sensitive research data meets all of the criteria in the Baseline Protection of End User Devices Policy and the Information System and Managed End User Device Standards.
  • Sensitive research data must only be accessible by users specifically authorized in an associated DUA or approved IRB protocol to access their project’s research data.
  • Strong authentication (usually 2-Factor Authentication) is required to access a server that stores or processes sensitive research data.
  • On-campus eduroam or uchicago-secure wifi is permitted. In all other circumstances cVPN must be enabled before accessing a server that stores or processes sensitive research data over wifi.

Who Can Validate:
  Some computers are managed by an IT support service that is known to ensure that these criteria are met. When that is not the case, the computer must be validated to meet these criteria. This can be done by the IT Director supporting the Principal Investigator’s Department, following guidance provided by the CISO’s Office, or by the CISO’s Office directly.

Protection Level: Moderate

Research Data Type or Source:
  • Personally identified information whose breach could result in moderate harm to those it pertains to, to the Data Provider, or to the University.
  • De-identified, non-aggregated information comprising any of the types listed under High Protection below. IRBs will often review whether a data set can be considered de-identified. DUAs will also identify data sets as de-identified or not.
  • A Limited Data Set under HIPAA is presumed to require High Protection Level, though the CISO’s Office or Privacy Officer may determine that Moderate Protection Level is sufficient if the data is not identifiable or re-identifiable and if the planned research workflow would benefit accordingly.
  • Personally identified, non-public data of any of the following types should be reviewed by the CISO’s Office, unless an IRB has determined a different level of protection for data collected by an investigator directly from human subjects. The CISO’s Office will consult with the PI to determine whether the specific research circumstances warrant Low, Moderate, or High Protection Level. Examples:
      – Ethnic origin
      – Political opinions
      – Religious or philosophical beliefs
      – Trade union membership
      – Sexual orientation or information about sex life
  • Some acquired data sets may also require a Moderate level of protection. Examples include:
      – dbGaP
      – ICPSR

Privacy and Security Obligations:
  • DUA contains up to dozens of security obligations that are not very prescriptive.
  • DUA requires that a written Data Security Plan be provided to the data provider/source.
  • DUA invokes specific privacy regulations such as the General Data Protection Regulation.
  • DUA contains reporting obligations in the event of breach of the Agreement or inadvertent disclosure.
  • DUA gives the Data Provider the right to inspect data security policies and procedures.

Protective Measures:
  • Protective measures offering at least the protection of those for Low, as required by the specific security and privacy obligations associated with the research project, as agreed and certified by the CISO’s Office.
  • Alternatively, a computing environment designed to host multiple research projects and certified by the CISO’s Office for this Protection Level. The “Core” level of protection as defined in the University Edition Cyber Security and Data Privacy Policies Templates is used as the standard for this Protection Level.

Who Can Validate: CISO’s Office

Protection Level: High

Research Data Type or Source:
  • Medical records such as treatment, insurance, or payment records (from a Health Care Provider other than the University of Chicago Medical Center).
  • A Limited Data Set under HIPAA is presumed to require High Protection Level, though the CISO’s Office or Privacy Officer may determine that Moderate Protection Level is sufficient if the data is not identifiable or re-identifiable and if the planned research workflow would benefit accordingly.
  • Data subject to export control restrictions.
  • Highly confidential, non-public personally identified information whose breach could result in serious or lasting harm to those it pertains to, to the Data Provider, or to the University. Examples:
      – Mental health records
      – Social Security Numbers
      – Driver’s license or state ID number
      – Biometric data (e.g. fingerprint, retina scan, etc.)
      – Email address or personal information together with password or security questions
      – Financial information not regulated by the Payment Card Industry, such as credit reports, records of a financial institution, bank account or bank routing numbers
  • Data of any of the following types is also considered highly confidential personally identified information whose breach could result in serious or lasting harm to those it pertains to, to the Data Provider, or to the University, unless an IRB has determined a different level of protection for data collected by an investigator directly from human subjects:
      – Financial information not regulated by the Payment Card Industry
      – Genetic data
      – Education records produced by educational institutions other than the University of Chicago. For this purpose, the University of Chicago Laboratory School is considered to be a different educational institution than the University of Chicago.
      – Information about minors under the age of 18
      – Information about criminal history
      – Information about physical, emotional or other abuse
      – Information about substance abuse or treatment
      – Employment records

Privacy and Security Obligations:
  • Data Provider requires a Business Associate Agreement.
  • Security obligations that incorporate Federal standards or regulations such as HIPAA, HITECH, NIST, FARS, DFARS, ITAR, EAR, or others published in the Code of Federal Regulations (CFR).
  • Onerous, fairly prescriptive security obligations.
  • Requirement to keep data in a physically secured room with no network access.

Protective Measures:
  • A computing environment designed to host multiple research projects and certified by the CISO’s Office for this Protection Level. Includes an annual risk assessment. The “FISMA Low” level of protection as defined in the University Edition Cyber Security and Data Privacy Policies Templates is used as the standard for this Protection Level.

Who Can Validate: CISO’s Office

Additional Guidance

Principal Investigators (PIs) intending to work with identified human subjects data must first get their research protocol approved by an Institutional Review Board (IRB). Some research projects involve data from an external Data Provider, and Data Providers generally require that the University execute a contract, called a Data Use Agreement (DUA), before they will provide access to the data. University Research Administration (URA) has exclusive authority to execute DUAs on behalf of the University. Research projects involving identified human subjects with data from an external Data Provider must go through both the IRB and URA processes.

Some sensitive research data circumstances necessitate specific means to address security and privacy obligations and fall outside of the guidance framework above. Examples include:

  • Medical data belonging to the University of Chicago Medical Center
  • Research data for which a federal FISMA review is required (FISMA is the Federal Information Security Management Act)
  • Research with payment card information

In such cases the CISO’s Office must be involved. Contact CISO@uchicago.edu.

A Division, School, Institute, or Department may impose their own security protections on sensitive research data, provided those protections are at least as effective as those defined here. Similarly, they may implement their own process for validating that sensitive research data will be suitably protected as long as the protections and process are approved by the CISO’s Office. Under the Research Data Protection Policy the University’s CISO is responsible for approving information security measures implemented to protect the security of sensitive research data; hence, processes specific to a Division, School, Institute, or Department are subject to review and approval of the University’s CISO.

Contact University Research Administration (URA) with questions or requests for assistance in connection with this guide. If URA staff cannot help you directly, they will call on information security, legal, or other subject matter experts to consult as needed.