Upload
randall-shelton
View
213
Download
0
Embed Size (px)
Citation preview
Safeguarding Research Data
Policy and Implementation Challenges
Miguel Soldi
February 24, 2006
THE UNIVERSITY OF TEXAS SYSTEM
2
• Copyright Miguel Soldi 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
3
Outline
• Background• Policy Objective• Things to Consider• What Is the Best Approach?• Issues• Proposed Policy• Feedback Received• Challenges• The Outcome• Lessons Learned
4
Background
• In June of 2004, the State Auditor Office (SAO) issued a public report on the protection of research data • Higher education institutions should do more to protect
research data • Security of research data was inconsistent and
sometimes inadequate. • Institutions rely on decentralized departments and
individual researchers to protect research data.
• Findings are tracked by the Chancellor and Audit Committee of the Board of Regents.
5
Policy Objectives
Protect the confidentiality and integrity of research data without creating unjustified obstacles to the conduct of research activities
• Establish accountability.
• Identify sensitive research data based on Risk
• Develop and Implement a Security Plan to protect confidentiality and integrity of research data
6
Things To Consider
• What is the Environment? • Single or multiple institutions?• Centralized, Decentralized or Hybrid Policy
Development?• Centralized, Decentralized or Hybrid IT and Research
Governance? • Level of influence of Administrative IT or Information
Security in academic departments and research activities.
7
Things To Consider (cont.)
• What is the Environment? • Who Is (or Should be) Involved?
• Faculty Advisory Council• Chief Academic and Research Officers• Chief Business Officers • Chief Information Officers, IT Management and
Security Officers• Legal Office• Audit Office
8
Things To Consider (cont.)
• What is the Environment? • Who Is (or Should be) Involved?• What Is Already In Place?
• Data Classification Guidelines?• Confidential / Sensitive Data Protection Policies?• Information Resources Use and Security Policies?• Common definitions and understanding of terms and
requirements?• How much can be leveraged?
9
What Is the Best Approach?
• Depends on Environment and Policies already in place.
• Issue policy specifically for safeguarding research data• Align policy with Texas Administrative Code 202 and institutional
security policies
• Issue umbrella policy for safeguarding all Confidential and Sensitive data• Provide guideline for data classification• Include all data classified as confidential or most sensitive• Serve as baseline for current legal requirements (e.g., HIPAA,
FERPA) and for future mandates requiring protection of confidentiality, integrity and availability of data
• Amend existing IT security policies to address the requirements of the SAO
10
Issues
• Is all research data equal? Or equally important?
• Research is all about collaboration, collaborative evaluation, peer reviews, and exchange of data = Sharing
• Are we going to require more stringent control over research data than we do on patient information, HR or other sensitive data?
• Do we create separate data classification systems in regards to confidentiality, security, criticality, and risk?
• What is “inappropriate disclosure” when dealing with research data
11
Proposed Policy
• Safeguard all research data• Establish accountability• Institutional Research Security Coordinator• Establish schedule for risk assessments• Control access based on data sensitivity and risk
assessments• Prepare written security plan to protect research
data with safeguards• Provide training
12
Feedback Received
General• Overwhelming majority was negative, and in some cases,
markedly negative
• Policy is a well-intentioned attempt to provide direction to better protect research data but it is onerous and problematic.
• Much of the intent of the draft Policy is covered by the Texas Administrative Code TAC 202 and by other institutional policies.
• In its present form, the policy would: º impose an enormous logistical and economic burden on
investigators and institutionsº severely impede the conduct of research and research collaborationº undermine the principles and practices of the research community
with respect to the sharing of information among scientists
• The scope of the definition of research data is too broad
13
Feedback Received (cont.)
Control Access to Research Data
• The chilling effect of discouraging the free exchange of data, information and ideas among investigators by the imposition of penalties for “unapproved” data sharing.
• Providing access to research data to only those who need access to the data for approved research and other University business related activities is unreasonable given that PI’s routinely share research information for collaboration and review.
14
Feedback Received (cont.)
Accountability• Burdensome cost of establishing a large bureaucracy to monitor,
review and adjudicate issues related to data access, data sharing, data retention encompassed by the draft BPM
Protect Research Data with Security Safeguards• Concern about the cost of providing the highest level of secure
storage and archiving for the many terabytes of digital information generated by the researchers of a research university per year
• Enormous cost in time and effort of staff to implement a formal and thorough risk assessment process for the management of all research data generated by the researchers of a typical research university
15
Challenges
• How to safeguard research data while meeting the requirements of:• federal research grants,
• regulations related to the Responsible Conduct of Research
• scientific journals
• How to guarantee problem resolution to every PI and security of their corresponding unique environments given the large number of researchers?
• Decisions based on risk = risk assessments? How to implement in a large research institution?
16
• Safeguard all research data• Establish accountability• Institutional Research Security Coordinator• Control access based on data sensitivity and risk
assessments• Prepare written security plan to protect research
data with safeguards• Establish schedule for risk assessments• Provide training
The Outcome
17
The Outcome (cont.)
• Applies only to “sensitive” digital research data for which there are clear scientific and institutional grounds for monitored secure storage, controlled access and guaranteed retention
• Clearly establishes accountability at different levels
• Allows each institution determine how its data is classified and the appropriate measures to meet the policy requirements
• Requires a plan to classify digital research data into sensitive and non-sensitive based on risk• Control access to sensitive digital research data• Protect sensitive digital research data.
• Includes an audit requirement to ensure compliance
18
Lessons Learned
• It is a very complex and politically charged undertaking – gauge your audience carefully.
• Get all constituencies involved early
• Communicate openly and communicate often
• Start as broad and specific as possible
• Do not lose heart – it is a long process
• Do not take feedback personally – even if it is.
19
Thank You
THE UNIVERSITY OF TEXAS SYSTEM