How do I determine the classification of research data?

This guidance is designed to help researchers determine the classification of their research data. Data classification is a necessary first step in choosing appropriate storage options, purchasing new software or hardware, and using external services or infrastructure for research data.

Which environment should I use to store my institutional data?

Why and when is research data considered institutional data?

According to policies DM-01 and UA-05, research data is considered institutional data, unless the data are generated or collected under an agreement that assigns ownership to the sponsor. A common example of this exception is sponsor-initiated clinical trials. Other common scenarios include consulting contracts under which the third party does not give up their ownership of the data.

The following is a list of common, but not exclusive, scenarios in which research data are considered institutional data.

  • IU is managing the award or contract for the project generating the data in question.
  • IU has other ethical or legal obligations (i.e., IRB, animal care and use, biosafety, etc.) with respect to the project or data in question.
  • Research data are being generated, collected, analyzed by faculty or staff in their role at IU.

In general, research data is considered institutional data when IU has legal and/or ethical obligations with regards to the associated award, project, or the data itself. If external (public domain, open, or licensed) data are reused in the conduct of research at IU, the external data must be handled according to the same guidance used for institutional data to ensure the integrity of the data and research, but IU does not assert ownership.

Guidance for classifying research data

Step 1 – Review existing data classifications

See the Data Sharing & Handling (DSH) Tool to see how common research data elements* are classified.

If the DSH Tool does not provide the classification level for all data in your research project, proceed to Step 2.

Step 2 – Identify relevant data regulations

Consider the following two questions:

Question 1: Do any data elements or variables fall under one or more of the following categories of protected data?

  1. Health Information Portability & Accountability Act (HIPAA)
  2. Personally Identifiable Information (PII) for human participants in research
  3. Endangered Species Act
  4. Related to patent application

Action: If you answered yes, your data are considered critical. Proceed to Step 4.

 

Question 2: Do any data elements or variables fall under one or more of the following categories of protected data?

  1. Family Educational Rights & Privacy Act (FERPA)
  2. Export Control regulations
  3. European Union General Data Protection Regulation (GDPR)
  4. Mental health and other health related data that is not subject to HIPAA
  5. Related to a commercial product or service
  6. Non-standard contractual requirements - The contract or agreement with the sponsor/vendor requires IU to handle the data in ways that deviate from or exceed our usual security measures.
  7. Controlled Unclassified Information (CUI)

Action: If you answered yes, your data may be considered critical. Proceed to Step 3.

Step 3 – Get help from the experts

Due to the complexities of local, state, federal, and international regulations, the classification of data is not always obvious. If you answered yes to Question 2 above, contact the appropriate office(s) listed below to get a final determination on the data classification.

  1. FERPA > Contact Data Steward for Student Data (DataStu@iu.edu)
  2. Export Control > Contact the IU Export Control Office (export@iu.edu)
  3. EU GDPR > GDPR Working Group (gdpr@iu.edu)
  4. Mental health and other health related data not subject to HIPAA > Contact the Health Data Steward (mawerlin@iu.edu)
  5. Commercial product or service > Contact an Innovation & Commercialization Manager
  6. Specific contractual requirements > Contact SecureMyResearch
  7. Controlled Unclassified Information (CUI) > Contact SecureMyResearch

Step 4 – Manage your research data appropriately for its classification

When your dataset includes any data elements that are classified as critical, you must handle (collect, store, manage, analyze, etc.) the entire dataset as critical data. When feasible, store the critical data in a different system than the less sensitive data. For example, avoid storing PII with other data by creating unique participant identifiers that are recorded in a separate file. Ensure that the PII is stored in one of the approved locations for critical data.

How do I manage critical research data?

  1. Choose Secure Storage @ IU
  2. Use Secure Storage responsibly (Guidance for Google & Microsoft)
  3. Secure your entire workflow (Get help from SecureMyResearch)
  4. See the Critical Data Guide for more tips