Data Management & Sharing

Data Security and Privacy in Research Data Management (RDM)

Data security and privacy are critical components of Research Data Management, ensuring that sensitive or personal information is protected from unauthorized access, breaches, or misuse. Researchers must implement secure storage solutions, encryption, and access control measures to safeguard data throughout its lifecycle. Additionally, compliance with privacy regulations like GDPR and HIPAA is essential when handling personal or health-related data.

Key Practices:

  • Encryption: Encrypt sensitive data, both at rest and in transit, to protect against unauthorized access.
  • Access Control: Implement role-based permissions to ensure that only authorized personnel can access sensitive information.
  • Data Anonymization: For datasets containing personal or sensitive information, use anonymization or de-identification techniques to protect individual identities.
  • Regular Audits: Conduct security audits and assessments to ensure that data handling practices comply with current regulations and best practices.

Regulatory Compliance: (Check with your grant or IRB for specific guidance on data security.)

  • FERPA (Family Educational Rights and Privacy Act): Governs the privacy and security of student education records in the U.S.
  • GDPR (General Data Protection Regulation): Governs the handling of personal data for research conducted in the European Union or involving EU citizens.
  • HIPAA (Health Insurance Portability and Accountability Act): Regulates the use of health-related data, particularly in the United States, ensuring that personal health information (PHI) is securely managed.

Best Practices:

  • Backup and Recovery: Implement regular backup procedures and ensure that data recovery strategies are in place to protect against loss or corruption.
  • Data Retention Policies: Establish clear guidelines for data retention, deletion, and archiving, ensuring that sensitive data is only stored for as long as necessary.
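One way to make a retention policy checkable rather than aspirational is to keep an inventory of files with their category and creation date and run it against the policy on a schedule. The script below is an added example, not code from this guide; its categories, retention periods and file paths are constructed placeholders (real periods come from your grant, IRB protocol or campus policy), and anything without a category is flagged for review instead of being silently kept.

```python
"""Apply a retention policy to a constructed file inventory.

Added illustration, not from the guide: the categories, retention periods
and file paths are constructed placeholders; real periods come from the
grant, IRB protocol or institutional policy.
"""
from datetime import date, timedelta

# category -> (days to retain, action once that period has passed)
RETENTION_POLICY = {
    "raw_identified": (365, "delete"),       # identifiable data: shortest hold
    "deidentified": (5 * 365, "archive"),    # analysis data kept longer for reproducibility
    "consent_forms": (7 * 365, "archive"),
}

# Constructed inventory: path, category, creation date (placeholders).
INVENTORY = [
    {"path": "study1/raw/survey_identified.csv", "category": "raw_identified", "created": date(2023, 12, 1)},
    {"path": "study1/clean/survey_deid.csv", "category": "deidentified", "created": date(2021, 1, 1)},
    {"path": "study1/consent/forms.pdf", "category": "consent_forms", "created": date(2016, 6, 15)},
    {"path": "study1/misc/notes.txt", "category": "uncategorised", "created": date(2019, 3, 3)},
]

# The date the check is run as of; fixed here so the output is reproducible.
AS_OF = date(2025, 1, 27)


def retention_actions(inventory, policy, today):
    """Return (path, action) for every item needing attention on `today`.

    Items whose category has no policy get 'review' rather than being
    silently kept: unclassified sensitive data is exactly what retention
    rules exist to catch.
    """
    actions = []
    for item in inventory:
        rule = policy.get(item["category"])
        if rule is None:
            actions.append((item["path"], "review"))
            continue
        retain_days, action = rule
        expires = item["created"] + timedelta(days=retain_days)
        if today >= expires:
            actions.append((item["path"], action))
    return actions


if __name__ == "__main__":
    for path, action in retention_actions(INVENTORY, RETENTION_POLICY, AS_OF):
        print(f"{action:8} {path}")
```

Run on the constructed inventory as of 27 Jan 2025, the identified raw file is past its one-year hold and is marked for deletion, the de-identified file is still within its five years and is left alone, the old consent forms are marked for archiving, and the uncategorised notes file is flagged for review.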

Encryption

When securing research data, it's important to differentiate between full disk encryption and client-side encryption. Full disk encryption (e.g., MS BitLocker installed on university devices) protects data stored locally while the device is powered off or locked, but it doesn't secure data once it leaves the device: a file copied to a cloud service or emailed is decrypted by the operating system before it is sent. Cloud platforms like OSF and Figshare provide encryption for data at rest and in transit, but the platform manages those keys. Client-side encryption tools like VeraCrypt or Cryptomator let you encrypt files before uploading, so the data stays encrypted throughout transmission and storage and the key never leaves your control, which matters most for sensitive research data.

Open-source options for client-side encryption include:

  • VeraCrypt
  • Cryptomator

Access Control

Key practices include:

  • Role-Based Access Control (RBAC): Define roles based on responsibilities (e.g., data manager, analyst) and assign permissions accordingly.
  • Least Privilege Principle: Ensure users only have access to the data necessary for their role, minimizing potential security risks.
  • Multi-Factor Authentication (MFA): Add another layer of security by requiring multiple forms of identification. Sac State uses Duo.
  • Audit Logs: Track access and modifications to sensitive data to detect unauthorized activity.
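The three practices above fit together in one small mechanism: a role-to-permission table that grants each role only what its duties require, a check that fails closed for unknown users or datasets, and an audit entry written for every decision so that denied attempts can be reviewed. The following is an added example, not code from this guide or from any campus system; the roles, dataset names and user names are constructed.

```python
"""Role-based access control with least privilege and an audit log.

Added illustration, not from the guide: the roles, permission table,
dataset names and user names below are constructed examples.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each role is granted only the (action, sensitivity) pairs its duties need.
# Least privilege: analysts and reviewers never touch identified data,
# and reviewers are read-only.
ROLE_PERMISSIONS = {
    "data_manager": {("read", "identified"), ("write", "identified"),
                     ("read", "deidentified"), ("write", "deidentified")},
    "analyst": {("read", "deidentified"), ("write", "deidentified")},
    "reviewer": {("read", "deidentified")},
}


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    role: str
    action: str
    dataset: str
    allowed: bool


@dataclass
class AccessController:
    datasets: dict                      # dataset name -> "identified" | "deidentified"
    user_roles: dict                    # user name -> role name
    audit_log: list = field(default_factory=list)

    def check(self, user, action, dataset):
        """Return True if the request is permitted; log every decision."""
        role = self.user_roles.get(user)
        sensitivity = self.datasets.get(dataset)
        # Unknown users, datasets and roles are all denied (fail closed).
        allowed = (role is not None and sensitivity is not None
                   and (action, sensitivity) in ROLE_PERMISSIONS.get(role, set()))
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role or "none",
            action, dataset, allowed))
        return allowed

    def denied_by_user(self):
        """Count denied attempts per user; repeated denials are worth a look."""
        return Counter(e.user for e in self.audit_log if not e.allowed)


def demo():
    """Exercise the controller on constructed users and datasets."""
    ctl = AccessController(
        datasets={"survey_raw": "identified", "survey_clean": "deidentified"},
        user_roles={"dana": "data_manager", "alex": "analyst", "rae": "reviewer"},
    )
    results = {
        "manager_reads_raw": ctl.check("dana", "read", "survey_raw"),
        "analyst_reads_clean": ctl.check("alex", "read", "survey_clean"),
        "analyst_reads_raw": ctl.check("alex", "read", "survey_raw"),
        "reviewer_writes_clean": ctl.check("rae", "write", "survey_clean"),
        "stranger_reads_clean": ctl.check("mallory", "read", "survey_clean"),
    }
    return results, ctl


if __name__ == "__main__":
    results, ctl = demo()
    for name, ok in results.items():
        print(f"{name}: {'allowed' if ok else 'DENIED'}")
    print("denied attempts per user:", dict(ctl.denied_by_user()))
```

The permission table is deliberately a set of allowed pairs rather than a list of exceptions: anything not granted is denied, including an analyst reading identified data, a reviewer writing anything, and a user with no role at all. The audit log records the denials as well as the successes, which is what makes it useful for spotting unauthorized activity.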

Data Anonymization

Data anonymization is the process of removing or modifying personal identifiers in a dataset to prevent individuals from being identified. Key techniques include masking or generalizing data (e.g., using age ranges instead of specific ages), suppression (removing identifiable fields), and pseudonymization (replacing private identifiers with fake ones). These methods help protect privacy while still allowing data to be useful for analysis, ensuring compliance with ethical standards and data protection laws.
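The three techniques named above (masking or generalizing, suppression, and pseudonymization) can be applied to a small participant table in a few dozen lines, and the result can be measured with k-anonymity: the smallest number of records that share the same combination of quasi-identifiers such as age and ZIP code. This is an added example, not code from this guide; the records are constructed and describe no real person, and the HMAC key is a placeholder that in practice would be stored separately from the de-identified data.

```python
"""Masking/generalization, suppression and pseudonymization on a small table.

Added illustration, not from the guide. The records are constructed and
describe no real person; the HMAC key is a placeholder that in practice
would live in a separate, access-controlled key store.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional participants).
RAW_RECORDS = [
    {"participant_id": "P001", "name": "Ada Example", "email": "ada@example.edu",
     "age": 23, "zip": "95819", "condition": "A"},
    {"participant_id": "P002", "name": "Bo Sample", "email": "bo@example.edu",
     "age": 27, "zip": "95826", "condition": "B"},
    {"participant_id": "P003", "name": "Cy Demo", "email": "cy@example.edu",
     "age": 47, "zip": "95819", "condition": "A"},
    {"participant_id": "P004", "name": "Di Fixture", "email": "di@example.edu",
     "age": 41, "zip": "95825", "condition": "B"},
]

DIRECT_IDENTIFIERS = ("name", "email")   # suppressed outright
QUASI_IDENTIFIERS = ("age", "zip")       # generalized, then measured


def generalize_age(age):
    """Mask an exact age as a ten-year band, e.g. 23 -> '20-29'."""
    if age < 18:
        return "under 18"
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def generalize_zip(zip_code):
    """Keep only the 3-digit ZIP prefix, e.g. '95819' -> '958XX'."""
    return zip_code[:3] + "XX"


def pseudonymize(identifier, key):
    """Replace an identifier with a keyed HMAC-SHA256 tag.

    The same key always yields the same pseudonym (so records still link),
    but without the key the mapping cannot be recomputed from the output.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize(records, key):
    """Suppress direct identifiers, pseudonymize the ID, generalize quasi-IDs."""
    out = []
    for rec in records:
        safe = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        safe["participant_id"] = pseudonymize(rec["participant_id"], key)
        safe["age"] = generalize_age(rec["age"])
        safe["zip"] = generalize_zip(rec["zip"])
        out.append(safe)
    return out


def k_anonymity(records, quasi_identifiers):
    """Smallest number of records sharing one quasi-identifier combination.

    k = 1 means some individual is unique on those fields and therefore
    potentially re-identifiable by linking to another dataset.
    """
    groups = Counter(tuple(rec[q] for q in quasi_identifiers) for rec in records)
    return min(groups.values())


if __name__ == "__main__":
    key = b"placeholder-key-store-this-separately"
    print("k before:", k_anonymity(RAW_RECORDS, QUASI_IDENTIFIERS))
    for row in anonymize(RAW_RECORDS, key):
        print(row)
    print("k after:", k_anonymity(anonymize(RAW_RECORDS, key), QUASI_IDENTIFIERS))
```

On the constructed table every participant is unique on exact age plus ZIP (k = 1); after generalizing to ten-year bands and a three-digit ZIP prefix, each combination is shared by two records (k = 2). Pseudonymization with a keyed HMAC rather than a plain hash is the important detail: a plain hash of a short identifier like "P001" can be recomputed by anyone, whereas the keyed version stays linkable only for whoever holds the key.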

Last Updated: Jan 27, 2025 3:06 PM