Safeguarding Research Data Policy and Implementation Challenges Miguel Soldi THE UNIVERSITY OF TEXAS SYSTEM

Safeguarding Research Data

Policy and Implementation Challenges

Miguel Soldi

February 24, 2006

THE UNIVERSITY OF TEXAS SYSTEM

• Copyright Miguel Soldi 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Outline

• Background
• Policy Objective
• Things to Consider
• What Is the Best Approach?
• Issues
• Proposed Policy
• Feedback Received
• Challenges
• The Outcome
• Lessons Learned

Background

• In June of 2004, the State Auditor Office (SAO) issued a public report on the protection of research data
  • Higher education institutions should do more to protect research data
  • Security of research data was inconsistent and sometimes inadequate.
  • Institutions rely on decentralized departments and individual researchers to protect research data.

• Findings are tracked by the Chancellor and Audit Committee of the Board of Regents.

Policy Objectives

Protect the confidentiality and integrity of research data without creating unjustified obstacles to the conduct of research activities

• Establish accountability.

• Identify sensitive research data based on Risk

• Develop and Implement a Security Plan to protect confidentiality and integrity of research data

Things To Consider

• What is the Environment?
  • Single or multiple institutions?
  • Centralized, Decentralized or Hybrid Policy Development?
  • Centralized, Decentralized or Hybrid IT and Research Governance?
  • Level of influence of Administrative IT or Information Security in academic departments and research activities.

Things To Consider (cont.)

• What is the Environment?
• Who Is (or Should be) Involved?
  • Faculty Advisory Council
  • Chief Academic and Research Officers
  • Chief Business Officers
  • Chief Information Officers, IT Management and Security Officers
  • Legal Office
  • Audit Office

Things To Consider (cont.)

• What is the Environment?
• Who Is (or Should be) Involved?
• What Is Already In Place?
  • Data Classification Guidelines?
  • Confidential / Sensitive Data Protection Policies?
  • Information Resources Use and Security Policies?
  • Common definitions and understanding of terms and requirements?
  • How much can be leveraged?

What Is the Best Approach?

• Depends on Environment and Policies already in place.

• Issue policy specifically for safeguarding research data
  • Align policy with Texas Administrative Code 202 and institutional security policies

• Issue umbrella policy for safeguarding all Confidential and Sensitive data
  • Provide guideline for data classification
  • Include all data classified as confidential or most sensitive
  • Serve as baseline for current legal requirements (e.g., HIPAA, FERPA) and for future mandates requiring protection of confidentiality, integrity and availability of data

• Amend existing IT security policies to address the requirements of the SAO

Issues

• Is all research data equal? Or equally important?

• Research is all about collaboration, collaborative evaluation, peer reviews, and exchange of data = Sharing

• Are we going to require more stringent control over research data than we do on patient information, HR or other sensitive data?

• Do we create separate data classification systems in regards to confidentiality, security, criticality, and risk?

• What is “inappropriate disclosure” when dealing with research data?

Proposed Policy

• Safeguard all research data
• Establish accountability
• Institutional Research Security Coordinator
• Establish schedule for risk assessments
• Control access based on data sensitivity and risk assessments
• Prepare written security plan to protect research data with safeguards
• Provide training

Feedback Received

General

• Overwhelming majority was negative, and in some cases, markedly negative

• Policy is a well-intentioned attempt to provide direction to better protect research data but it is onerous and problematic.

• Much of the intent of the draft Policy is covered by the Texas Administrative Code TAC 202 and by other institutional policies.

• In its present form, the policy would:
  º impose an enormous logistical and economic burden on investigators and institutions
  º severely impede the conduct of research and research collaboration
  º undermine the principles and practices of the research community with respect to the sharing of information among scientists

• The scope of the definition of research data is too broad

Feedback Received (cont.)

Control Access to Research Data

• The chilling effect of discouraging the free exchange of data, information and ideas among investigators by the imposition of penalties for “unapproved” data sharing.

• Providing access to research data to only those who need access to the data for approved research and other University business related activities is unreasonable given that PI’s routinely share research information for collaboration and review.

Feedback Received (cont.)

Accountability

• Burdensome cost of establishing a large bureaucracy to monitor, review and adjudicate issues related to data access, data sharing, data retention encompassed by the draft BPM

Protect Research Data with Security Safeguards

• Concern about the cost of providing the highest level of secure storage and archiving for the many terabytes of digital information generated by the researchers of a research university per year

• Enormous cost in time and effort of staff to implement a formal and thorough risk assessment process for the management of all research data generated by the researchers of a typical research university

Challenges

• How to safeguard research data while meeting the requirements of:
  • federal research grants,
  • regulations related to the Responsible Conduct of Research
  • scientific journals

• How to guarantee problem resolution to every PI and security of their corresponding unique environments given the large number of researchers?

• Decisions based on risk = risk assessments? How to implement in a large research institution?

The Outcome

• Safeguard all research data
• Establish accountability
• Institutional Research Security Coordinator
• Control access based on data sensitivity and risk assessments
• Prepare written security plan to protect research data with safeguards
• Establish schedule for risk assessments
• Provide training

The Outcome (cont.)

• Applies only to “sensitive” digital research data for which there are clear scientific and institutional grounds for monitored secure storage, controlled access and guaranteed retention

• Clearly establishes accountability at different levels

• Allows each institution to determine how its data is classified and the appropriate measures to meet the policy requirements

• Requires a plan to classify digital research data into sensitive and non-sensitive based on risk
• Control access to sensitive digital research data
• Protect sensitive digital research data.

• Includes an audit requirement to ensure compliance

Lessons Learned

• It is a very complex and politically charged undertaking – gauge your audience carefully.

• Get all constituencies involved early

• Communicate openly and communicate often

• Start as broad and specific as possible

• Do not lose heart – it is a long process

• Do not take feedback personally – even if it is.

Thank You

THE UNIVERSITY OF TEXAS SYSTEM