This guidance is designed to help researchers determine the classification of their research data. Data classification is a necessary first step in choosing appropriate storage options, purchasing new software or hardware, and using external services or infrastructure for research data.
Which environment should I use to store my institutional data?
Why and when is research data considered institutional data?
According to policies DM-01 and UA-05, research data is considered institutional data unless an agreement assigns ownership to the sponsor. Examples include sponsor-initiated clinical trials and consulting contracts where the third party keeps ownership of the data.
Research data is considered institutional data when:
- IU manages the award or contract for the project generating the data.
- IU has ethical or legal obligations (i.e., IRB, animal care and use, biosafety, etc.) related to the project or data.
- Data is generated, collected, or analyzed by IU faculty or staff in their roles.
Generally, research data is considered institutional when IU has legal and/or ethical obligations regarding the associated award, project, or the data itself. External data (public domain, open, or licensed) that is reused in IU research must follow the same guidelines as institutional data to ensure integrity and quality, but IU does not claim ownership of external data.
Guidance for classifying research data
See the Data Sharing & Handling (DSH) Tool to see how common research data elements* are classified.
If the DSH Tool does not provide the classification level for all data in your research project, proceed to Step 2.
Consider the following two questions:
Question 1: Do any data elements or variables fall under one or more of the following categories of protected data?
- Health Information Portability & Accountability Act (HIPAA)
- Personally Identifiable Information (PII) for human participants in research
- Endangered Species Act
- Related to patent application
Action: If you answered yes, your data are considered critical. Proceed to Step 4.
Question 2: Do any data elements or variables fall under one or more of the following categories of protected data?
- Family Educational Rights & Privacy Act (FERPA)
- Export Control regulations
- European Union General Data Protection Regulation (GDPR)
- Mental health and other health related data that is not subject to HIPAA
- Related to a commercial product or service
- Non-standard contractual requirements - The contract or agreement with the sponsor/vendor requires IU to handle the data in ways that deviate from or exceed our usual security measures.
- Controlled Unclassified Information (CUI)
Action: If you answered yes, your data may be considered critical. Proceed to Step 3.
Due to the complexities of local, state, federal, and international regulations, the classification of data is not always obvious. If you answered yes to Question 2 above, contact the appropriate office(s) listed below to get a final determination on the data classification.
- FERPA > Contact Data Steward for Student Data (DataStu@iu.edu)
- Export Control > Contact the IU Export Control Office (export@iu.edu)
- EU GDPR > GDPR Working Group (gdpr@iu.edu)
- Mental health and other health related data not subject to HIPAA > Contact the Health Data Steward (mawerlin@iu.edu)
- Commercial product or service > Contact an Innovation & Commercialization Manager
- Specific contractual requirements > Contact SecureMyResearch
- Controlled Unclassified Information (CUI) > Contact SecureMyResearch
When your dataset includes any data elements that are classified as critical, you must handle (collect, store, manage, analyze, etc.) the entire dataset as critical data. When feasible, store the critical data in a different system than the less sensitive data. For example, avoid storing PII with other data by creating unique participant identifiers that are recorded in a separate file. Ensure that the PII is stored in one of the approved locations for critical data.
How do I manage critical research data?
- Choose a dedicated file storage service that is appropriate for your use case.
- Use Secure Storage responsibly (Guidance for Google & Microsoft)
- Secure your entire workflow (Get help from SecureMyResearch)
- See the Critical Data Guide for more tips