Secure Research Data Strategy

Sensitive Research Data Usage Guide

v1.0, January 2020

The University of Chicago Research Data Protection Policy requires Principal Investigators to understand and comply with any security or privacy obligations associated with their sensitive research data. It also makes the Chief Information Security Officer (CISO) responsible for approving information security measures implemented to protect the security of Restricted Data and aiding Principal Investigators and Information Technology personnel in implementing such measures.

This guide is provided by the CISO’s Office to help Principal Investigators, their staff and students, Institutional Review Boards, IT Directors and their staff, University Research Administration staff, departmental Research Administrators, and others to identify suitable means by which to store and process sensitive research data sets. However, only the CISO’s Office or others specifically designated by the CISO have authority to determine acceptable security protections for a given data set.

This Guide does not address classification and protection of administrative data used for University operations. For that, refer to the UChicago Sensitive Data Usage Guide.

Research data is sensitive if it has any associated liability, either for people the data describe, for the Data Provider supplying the data to the University, or for the University because of regulatory or contractual obligations associated with the data or ethical or scholarly concerns associated with the data. This is how the CISO’s Office understands the term “Restricted Data” as used in the Research Data Protection Policy.

Principal Investigators (PIs) intending to work with identified human subjects data must first get their research protocol approved by an Institutional Review Board (IRB). Some research projects involve data from an external Data Provider, and Data Providers generally require that the University execute a contract, called a Data Use Agreement (DUA), before they will provide access to the data. University Research Administration (URA) has exclusive authority to execute DUAs on behalf of the University. Research projects involving identified human subjects with data from an external Data Provider must go through both the IRB and URA processes.

This Guide refers to three categories of security protection: Low, Moderate, and High. The types of measures needed to protect sensitive research data at each level are indicated below, as are examples of research data types, of characteristics of those data types, and of the security and privacy obligations associated with them through DUAs or approved IRB protocols.

This guidance is informative, not normative. Good judgment, informed by standards, is needed to ensure that protective measures in a given circumstance are sufficient while not overly burdensome. Guidance about who can make those judgments in which circumstances is incorporated into the tables below.

Greater protection can be applied than the minimum required! The Research Computing Center’s Secure Data Enclave provides High protection; that may be the simplest way to ensure sufficient care is being taken to comply with security and privacy obligations and safeguard the interests of those to whom the data pertains.

Some sensitive research data circumstances necessitate specific means to address security and privacy obligations and fall outside of the guidance framework below. Examples include:

  • Medical data belonging to the University of Chicago Medical Center
  • Research data for which a federal FISMA review is required (FISMA is the Federal Information Security Management Act)
  • Research with payment card information

In such cases the CISO’s Office must be involved. Contact CISO@uchicago.edu.

A Division, School, Institute, or Department may impose its own security protections on sensitive research data, provided those protections are at least as effective as those defined here. Similarly, it may implement its own process for validating that sensitive research data will be suitably protected, as long as the protections and process are approved by the CISO’s Office. Under the Research Data Protection Policy the University’s CISO is responsible for approving information security measures implemented to protect the security of sensitive research data; hence, processes specific to a Division, School, Institute, or Department are subject to review and approval by the University’s CISO.

Contact University Research Administration (URA) at srds-ura@uchicago.edu with questions or requests for assistance in connection with this guide. If URA staff cannot help you directly, they will call on information security, legal, or other subject matter experts to consult as needed.

How to Use this Guide

A given sensitive research data set carries with it a level of potential impact if its confidentiality should be breached. The higher the impact level, the greater the level of security that should be used to protect that data set.

The first table below identifies the standards by which a given computing environment can be determined to provide one of three security Protection Levels: Low, Moderate or High. The second table below lists criteria used to determine what Protection Level is needed to adequately protect a given sensitive research data set. This Guide essentially says that a research data set needing an identified Protection Level must be stored in a computing environment that provides the corresponding security Protection Level, or greater.

Protection Level of Computing Environments

Each computing environment in which sensitive research data is stored or processed must meet a Protection Level of Low, Moderate, or High as defined in the following table. Alternatively, an offline (no network access), physically secured room having appropriate physical access control and administrative procedures as certified by the CISO’s Office can be used.

In the following table, Protective Measures for each Protection Level may be technical or process-oriented. The “Who Can Validate” column identifies who can attest that a computing environment implements appropriate Protective Measures for the corresponding Protection Level.

As a general rule, sensitive research data goes into a computing environment that provides a sufficient Protection Level and must never leave that computing environment, though derivative data may.

Research computing environments certified by the CISO’s Office are listed on the SRDS website.

The table is laid out below by Protection Level, with the “Protective Measures” and “Who Can Validate” columns given for each row.

Protection Level: Low

Protective Measures:

Each computer used to store, process, or access sensitive research data meets all of the criteria in the Baseline Protection of End User Devices Policy, and the Information System and Managed End User Device Standards.

Sensitive research data must only be accessible by users specifically authorized in an associated DUA or approved IRB protocol to access their project’s research data.

Strong authentication (usually 2-Factor Authentication) is required to access a server that stores or processes sensitive research data.

On-campus eduroam or uchicago-secure wifi is permitted. In all other circumstances cVPN must be enabled before accessing a server that stores or processes sensitive research data over wifi.

UChicago Box may be used to receive and store sensitive research data from 3rd parties and to share derivative research data with others, to the extent permitted by terms in an associated DUA.

UChicago’s Code42 may be used to back up desktops and laptops unless prohibited by specific terms in an associated DUA.

Who Can Validate:

Some computers are managed by an IT support service that is known to ensure that these criteria are met. When that is not the case, the computer must be validated to meet these criteria. This can be done by the IT Director supporting the Principal Investigator’s Department, following guidance provided by the CISO’s Office, or by the CISO’s Office directly.

Protection Level: Moderate

Protective Measures:

Protective measures offering at least the protection of those for Low, as required by the specific security and privacy obligations associated with the research project, as agreed and certified by the CISO’s Office.

Alternatively, a computing environment designed to host multiple research projects and certified by the CISO’s Office for this Protection Level. The “Core” level of protection as defined in the University Edition Cyber Security and Data Privacy Policies Templates is used as a standard for this Protection Level.

Who Can Validate:

CISO’s Office

Protection Level: High

Protective Measures:

A computing environment designed to host multiple research projects and certified by the CISO’s Office for this Protection Level. Includes an annual risk assessment. The “FISMA Low” level of protection as defined in the University Edition Cyber Security and Data Privacy Policies Templates is used as a standard for this Protection Level.

Who Can Validate:

CISO’s Office

Research Data Classification

The Protection Level that should be used to protect a given research data set is determined by either the type of data, its source (or Data Provider), or by particular security or privacy obligations associated with the data. In the following table, the resultant Protection Level is the higher of that indicated by the criteria in the “Research Data Type or Source” and “Privacy and Security Obligations” columns.

Circumstances matter! For example, an IRB can determine that primary data collection for a study, i.e., where an investigator gathers data directly from a human subject, might require Low or Moderate protection, but the same type of data obtained from a Data Provider might require High protection due to terms in the Data Provider’s DUA.

The table is laid out below by Protection Level, with the “Research Data Type or Source” and “Privacy and Security Obligations” columns given for each row.

Protection Level: Not sensitive

Research Data Type or Source:

Data that is made publicly available by its source.

Privacy and Security Obligations:

None – no contractual obligations, no regulatory obligations.

Protection Level: Low

Research Data Type or Source:

Personal information whose breach would result in no to minimal harm to those it pertains to and no to minimal harm to the University.

Non-personal confidential information, e.g., purchased commercial data sets.

Education records produced by the University of Chicago as defined by FERPA. For this purpose, the University of Chicago Laboratory School is considered to be a different educational institution than the University of Chicago.

Privacy and Security Obligations:

DUA includes terms like

  • “Data User shall use appropriate safeguards to prevent use or disclosure of the data other than as provided for by this Agreement”
  • “Don’t combine the Data with other data sets”

DUA requires simple security measures like

  • Device encryption
  • No remote access
  • Destroy data following the termination or expiration of the Agreement

Protection Level: Moderate

Research Data Type or Source:

dbGaP

ICPSR

Personally identified information whose breach could result in moderate harm to those it pertains to, to the Data Provider, or to the University.

De-identified, non-aggregated information comprising any of the types listed below under High. NB: Whether a data set can be considered to be de-identified can be complicated. IRBs can make this determination and some DUAs do too.

A Limited Data Set under HIPAA is presumed to require High Protection Level, though the CISO’s Office or Privacy Officer may determine that Moderate Protection Level is sufficient if the data is not identifiable or re-identifiable and if the planned research workflow would benefit accordingly.

Personally identified, non-public data of any of the following types should be reviewed by the CISO’s Office, unless an IRB has determined a different level of protection for data collected by an investigator directly from human subjects. The CISO’s Office will consult with the PI to determine whether the specific research circumstances warrant Low, Moderate, or High Protection Level. Examples:

  • Ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Sexual orientation or information about sex life

Privacy and Security Obligations:

DUA contains up to dozens of security obligations that are not very prescriptive.

DUA requires that a written Data Security Plan be provided to the Data Provider or source.

DUA invokes specific privacy regulations such as the General Data Protection Regulation.

DUA contains reporting obligations in the event of breach of the Agreement or inadvertent disclosure.

DUA gives the Data Provider the right to inspect data security policies and procedures.

Protection Level: High

Research Data Type or Source:

Medical records such as treatment, insurance, or payment records (from a Health Care Provider other than the University of Chicago Medical Center).

A Limited Data Set under HIPAA is presumed to require High Protection Level, though the CISO’s Office or Privacy Officer may determine that Moderate Protection Level is sufficient if the data is not identifiable or re-identifiable and if the planned research workflow would benefit accordingly.

Data subject to export control restrictions.

Highly confidential, non-public personally identified information whose breach could result in serious or lasting harm to those it pertains to, to the Data Provider, or to the University. Examples:

  • Mental health records
  • Social Security Numbers
  • Driver’s license or state ID number
  • Biometric data (e.g., fingerprint, retina scan)
  • Email address or personal information together with password or security questions
  • Financial information not regulated by the Payment Card Industry, such as credit reports, records of a financial institution, bank account or bank routing numbers

Data of any of the following types is also considered highly confidential personally identified information whose breach could result in serious or lasting harm to those it pertains to, to the Data Provider, or to the University, unless an IRB has determined a different level of protection for data collected by an investigator directly from human subjects:

  • Financial information not regulated by the Payment Card Industry
  • Genetic data
  • Education records produced by educational institutions other than the University of Chicago. For this purpose, the University of Chicago Laboratory School is considered to be a different educational institution than the University of Chicago.
  • Information about minors under the age of 18
  • Information about criminal history
  • Information about physical, emotional or other abuse
  • Information about substance abuse or treatment
  • Employment records

Privacy and Security Obligations:

Data Provider requires a Business Associate Agreement.

Security obligations that incorporate Federal standards or regulations such as HIPAA, HITECH, NIST, FARS, DFARS, ITAR, EAR, or others published in the Code of Federal Regulations (CFR).

Onerous, fairly prescriptive security obligations.

Requirement to keep data in a physically secured room with no network access.