Research Data Management Guidelines
The purpose of these minimum guidelines is to assist researchers with making informed decisions on how to secure research data, regardless of form or location, that is owned by the university or entrusted to the university for custodial use during the collection, storing, processing, and/or collaboration processes. The guidelines support IT policies and standards. If you have questions or comments, email itsecure@ncat.edu.
- Determine the data classification level for the project. The data classification levels from most restrictive to least restrictive are Confidential, Sensitive, Controlled, and Public (reference the Information Security Policy for details). If more than one level applies, the most restrictive level takes precedence.
- Identify the physical location(s) the project team will access research data from (e.g., from N.C. A&T’s campus, from off campus within the United States, internationally).
- Password protect data. Effort has to be made for each team member to use OneID username and password authentication standards to access data at rest and in motion. Password sharing is prohibited unless an exception is made by ITS.
- Use multi-factor authentication (MFA) to access data at rest and in motion where possible.
- Encrypt data in motion and at rest, including applications used to create surveys (HTTPS links) and collect data. If it can be applied, encrypt tools used to analyze data.
- Redact, delete, or de-identify personal identifiers such as names, addresses, numbers, email addresses, etc. from digital and printed data where possible to reduce risk of participant identifiable records. Store identifier keys separately from participant identifiable records.
- Store research data in ITS managed cloud and/or on-premise share repositories based on the data classification level. Charges may apply to accommodate storage requests. Storing data on local hard drives is prohibited unless an exception is made by ITS. OneDrive or Google Drive.
- Use of detachable media such as USB and external hard drives is prohibited unless an exception is made by ITS.
- Store paper documentation and detachable media exceptions in a stationary, locked file cabinet or drawer that’s for exclusive project use with FOR AUTHORIZED USE ONLY visible signage. The key can’t open another filing cabinet or drawer that doesn’t contain project documentation. Document key management process.
- Use university managed laptops and workstations configured with standards such as authentication, cloud applications (e.g., Adobe Creative Cloud, Microsoft 365, etc.) and endpoint protection such as software updates and anti-malware. Non-university devices require an exception by ITS.
- Utilize Qualtrics, the university’s web-based tool for creating, managing, and conducting surveys and analyzing data. Minimize collecting participant identifiers. Creating passwords for survey links to control participant access is suggested.
- Utilize Zoom, the university’s web-based collaboration tool for facilitating video conferencing, online meetings, screen sharing, chat, and mobile collaboration. Minimize recording participant identifiers. Use de-identification methods including inherent Zoom security features.
- Use Secure Share to securely transfer files and send email. The university has Microsoft 365 and Google email. Neither is a secure method to communicate confidential, sensitive, or controlled information. For Secure Share, set the message expiration date before clicking send.
- Document backup, retention, and destruction requests for research data stored digitally and in paper format. This includes data stored in Qualtrics, Zoom, and analytical applications. Charges may apply to accommodate digital storage requests. The research team is responsible for paper storage.
- Back up raw data in the event recovery is necessary.
- Keep a working copy(s) of data separate from a backup(s). Routinely back up data when a change(s) occurs.
- If you see something, say something. Report suspected and/or actual cybersecurity threats to the Principal Investigator (PI). Also, report threats to informIT by clicking on the gold Report a Cyber Incident button or by clicking here.