Guideline for Research Data Security

I. PURPOSE

The purpose of this document is to provide guidance for protecting university research data from unauthorized access or disclosure.

II. SCOPE

This guideline is applicable to UNC Charlotte faculty and staff as well as other authorized users who obtain, access or generate research data. This guideline also applies to Data Security Officers working with researchers and research team members to ensure implementation of the applicable security controls for research data.

III. CONTACTS

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.

IV. GUIDELINES

Each college has a designated Data Security Officer (DSO) who will work with the researcher to develop and implement appropriate data security protections either in the form of a Data Security Plan or through general research-related data handling guidelines. When deemed appropriate based on the confidentiality of the data, the DSO may request that the individual conducting the research complete the Research Data Registration form. Information gathered includes:

• Research team members
• Data provider
• Research location
• Data description
• Data classification
• Data transmission/collection

The information submitted in the form will be maintained by the appointed Data Security Officer (DSO).

Data Security Plan

A Data Security Plan (DSP) is required for research involving the following:

1. Data subject to contractual access restrictions
2. Human subjects data if directed by IRB
3. Data classified as highly restricted by data custodian or DSO

A DSP is a formal document developed by the DSO working with the primary researcher. The security controls in a DSP will vary depending upon the specific security obligations based on laws, regulations, policies, and binding commitments such as data use agreements and participant consent documents.

Researchers working with confidential or sensitive level two data that doesn’t require a Data Security Plan should work with their DSO to implement the following security measures to protect their research data:

• Encrypt and password-protect the hard drive and removable media used to store or transfer research data.
• Encrypt data transferred to/from external networks.
• Password-protect the firmware to prevent starting up from another drive.
• Do not use shared or generic accounts.
• Regularly audit account ownership and permissions to ensure appropriate access.
• Follow the Standard for Account Passwords for all accounts.
• Use university-approved anti-virus software on computers storing research data.
• Enable screensaver after 15 minutes of inactivity and prompt for login when the screensaver has been activated to access hard drive.
• Limit data access to researchers and authorized research team members.
• Provide users with the lowest necessary level of access to data.

Researchers are responsible for following the prescribed data security controls throughout the duration of their research.

RELATED RESOURCES

• University Policy 311 Information Security
• University Policy 311.9 Regulation Regarding Third Party Data
• Standard for Account Passwords
• Standard for Encryption Controls
• Guideline for User Access Management
• ISO/IEC 27002

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 3/2/17
Updated 9/7/23