Securing Research Data

The following guidance is designed to keep your data safe from unintentional destruction or disclosure, ensuring the resiliency of your study so it can progress. While this is not based on any specific security framework, it is important for any faculty conducting research to be able to answer the following questions about the data that they handle:   

1. Where is the data coming from?   

2. Where will the data be stored?   

3. Who needs access to the data?   

4. Are there individuals external to OSU?   

5. Do individuals with access to the data need to be able to modify the data? Or do they only need to be able to see the data?   

6. What is the plan for disposing of the data when it is no longer needed?   

7. Is there an application needed to ingest the data?   

These questions need to be answered and understood by both the faculty conducting research and IT staff supporting those faculty. Depending on the study, there may be additional questions to answer or additional details to account for. It is imperative that the data owner works with their unit’s IT staff to develop and agree upon a security plan for managing research data.   

The DST team is available to connect faculty with their unit’s IT, or to answer any general questions they may have about securing research data.   

Research data can be anywhere from S1 (Public) to S4 (Restricted), depending on the types of data being handled. Certain types of research information, such as Research Health Information (RHI) data is automatically classified as S4 (Restricted) according to Ohio State's Institutional Data Policy (IDP). This means that a considerable amount of care needs to be taken with the data and ensuring that the right storage solution is chosen. Fortunately, there are multiple options available which may hold S4 data.  

Cloud Storage: Microsoft 365, Microsoft Azure and Amazon Web Services (AWS) are all cloud services approved for S4 data storage.   

• If you wish to use a cloud service not listed above, it must undergo a risk assessment before being implemented. 

• OTDI maintains a Cloud Services Registry with detailed information on using AWS and Microsoft Azure applications and the level of data they are approved for.  

• OTDI also maintains a Cloud Assessment Registry for all third-party cloud services that have gone through the university risk assessment.   

Equipment/Non-Cloud Storage: Your unit’s IT staff must be consulted to ensure any equipment or non-cloud storage is available and configured to appropriate standards before being used for the research project.     

If you are unsure who to contact, DST is available to assist in facilitating these discussions.  

If a cloud application is to be used to interact with the data in any way, and this application has not already been assessed, then it must be submitted for a risk assessment. More details about this process are available on risk assessment webpage. 

See "Data Storage" above for more information about already approved cloud resources.

When transferring research data, IT staff should always be involved to ensure safe handling of the data. If the recipient and transfer process were not already established in a security plan and you are unsure of whom to contact, please email securemyresearch@osu.edu and DST will work to get you in touch with the proper staff.  

To ensure proper disposal of your research data, please consult with your unit IT staff or email securemyresearch@osu.edu to get connected.