What are the concerns?
Research data security is crucial for national security because many research projects involve sensitive information that can impact national defense, public safety, critical infrastructure, or economic stability.
- Unauthorized access to or exfiltration of research data can enable espionage, impersonation, or disinformation campaigns that undermine national security.
- Securing research data prevents the unintended transfer of advanced technologies that hold significant economic value, such as developments in microchips, artificial intelligence, and biotechnology.
- Data security measures also help in safeguarding the intellectual property that contributes to a nation’s competitive advantage in the global market.
While universities and government funding agencies continue to push for more openness in science, especially with regard to making research data publicly available, it may seem counterintuitive to think about data security, which can limit who can access data or how it can be used.
However, when considering how research data is used throughout its lifecycle, it is evident that all research data requires some data security, with some data requiring more protection than others:
- First, all research data requires some level of security, such as protection from alteration, loss, and cybercrime.
  - If research data can be easily altered or deleted, whether by accident or by a malicious actor, the integrity of the information cannot be trusted.
  - In addition, it can be costly to reproduce research data that is lost or corrupted. Data protection measures such as backups, snapshots, and offsite storage reduce the cost of recovery.
  - Finally, with the overall rise in cybercrime, research institutions are increasingly targeted by ransomware attacks, which a baseline of security measures is needed to prevent.
- Secondly, most research data will require different levels of security during different phases of its lifecycle.
  - Some researchers may wish to secure data during early phases of a research project to guard against introducing inaccurate or incomplete data into the public sphere, which could result in misinterpretation or misuse. Data may also change during the peer review and validation process, as researchers refine their analyses to ensure the accuracy and reliability of the results.
  - Most research data will require basic protections such as access control, accessibility, and attribution to ensure that researchers are the ones who decide when, how, with whom, and under what conditions data is shared, such as allowing project sponsors and collaborators access to the data.
  - All research data has intrinsic and intellectual value, and researchers, sponsors, and the University may wish to protect their intellectual property rights in relation to commercially valuable discoveries.
- Finally, there are a host of project-specific considerations, including legal, ethical, regulatory, and logistical aspects, that require additional security beyond the common measures.
  - Sensitive data, such as data involving personal information, health records, or environmental impacts, often requires additional safeguards to prevent unauthorized access and to ensure that any disclosure is in line with legal and regulatory requirements.
  - In addition, some data may be protected by contractual obligations. Specific agreements, such as Data Use Agreements, may define how data is to be shared, accessed, and controlled among partners.
  - Beyond legal, regulatory, and contractual requirements, some research data may require cultural and ethical protections to respect the rights and customs of the communities involved.
Examples of Data Classifications:
While research data security principles can apply to any data, Princeton University may be subject to additional legal and regulatory requirements related to specific data regulations, such as (but not limited to):
Personally Identifiable Information (PII) and Protected Personally Identifiable Information (PPII) as defined by Office of Management and Budget’s (OMB) Guidance for Federal Financial Assistance or “Uniform Guidance”
The Office of Management and Budget’s Guidance for Federal Financial Assistance, often referred to by its former name “Uniform Guidance,” defines PII as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Section 200.303(e) of the OMB’s Guidance for Federal Financial Assistance requires that institutions “take reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII).” While some PII may be publicly available (e.g., telephone books, certain university directories), all PII requires a case-by-case assessment of the specific risks and potential harms that could result if the information were mishandled. Personally identifiable information and protected personally identifiable information will typically be protected by the security measures identified in Princeton’s “Confidential” and “Restricted” data classification levels, as defined in the University’s Information Security Policy.
Controlled Unclassified Information ("CUI”)
CUI is information the federal government creates or possesses, or that an entity creates or possesses for or on behalf of the federal government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI designations and safeguarding requirements apply only when mandated by a federal agency in a contract, grant, or other agreement. Examples of CUI could include, but are not limited to, financial documents, invoices, engineering drawings, technical specifications, diagrams, and blueprints.
Personal Data as defined by the EU's General Data Protection Regulation (“GDPR”)
Regardless of where the data are processed, personal data relating to individuals in the European Economic Area (“EEA”) are protected by extraterritorial privacy law; the GDPR turns on where the data subject is located, not on citizenship. Additionally, data which cross international borders may be subject to additional requirements or protections. Data in this category may include any PII that directly or indirectly identifies a person in the EEA, or data which are shared with collaborators or entities in another country.
Personal Information as defined by China’s Personal Information Protection Law (“PIPL”)
Regardless of where the data are processed, personal information relating to individuals in the People’s Republic of China (“PRC”) is protected by extraterritorial privacy law. Additionally, data which cross international borders may be subject to additional requirements or protections. Data in this category may include any PII that directly or indirectly identifies a person in the PRC, or data which are shared with collaborators or entities in another country.
Protected Health Information (“PHI”) covered by the Health Insurance Portability and Accountability Act ("HIPAA”)
Personally identifiable information (PII) that is used in conjunction with medical records, including payment for medical care, becomes Protected Health Information (PHI). Data in this category may include medical or health information from a healthcare provider, health plan, employer, or healthcare clearinghouse that relates to a person’s physical or mental health or condition, the provision of health care to a person, or payment for the provision of health care to a person, and that was created, received, maintained, or transmitted by a covered entity or business associate subject to HIPAA rules.
Educational Records covered by the Family Educational Rights and Privacy Act (“FERPA”)
FERPA defines an education record as any record directly related to a student that contains personally identifiable information and is maintained by the university or a party acting on behalf of the university. Examples of FERPA-protected data could include, but are not limited to, grades, transcripts, enrollment records, advising records, testing and assessment data, correspondence, class lists, student course schedules, and disciplinary records.
Student financial records and other financial records covered by the Gramm-Leach-Bliley Act ("GLBA”)
For higher education institutions, GLBA applies specifically to the collection, storage, and use of student financial records containing personally identifiable information, and to financial institutions and entities which receive customer information from other financial institutions. Examples of GLBA-protected data could include, but are not limited to, tuition payment history, bank and credit card information, financial aid information (including FAFSA), parent financial records, credit reports and scores, account balances, payment history, investment information, and loan application information.
Princeton's Actions:
- Establishment of Protect Our Info, which describes the University's data classification levels.
- Establishment of Citadel, an on-premises secure research infrastructure to protect Restricted data, including Controlled Unclassified Information (CUI).
- In 2023, the Office of the Dean for Research hired a Research Data Security Manager.
- Beginning in 2023, the Office of Information Technology rolled out new cybersecurity protocols for the University network and increased guidance to the community: Safe Computing | Information Security Office (princeton.edu)
- An additional risk-focused assessment, led by the Office of Audit and Compliance, is expected to be conducted in 2024.
Processes, Forms, and Tools:
- Protect Our Info
- Information Security Policy
- Steps for Requesting Citadel Account
- Princeton University CUI Handbook and Workflow
- Sending Files Securely
- Confidentiality Agreement Template
- Initial Review of Research Involving Human Participants
- Procedure for responding to a possible exposure of sensitive University data
- Institutional Review Panel for the use of Administrative Data in Research (PADR)
- Research Data Security
- Architecture & Security Review
- RIA/IRB Records Retention Guideline
- Encryption and International Travel
- Virtual Private Network (VPN) for Remote Access
- Bastion Hosts
- Data Classification Types Approved for OneDrive
- Data Transmission and Encryption Standards
- Locking Computer Screens and Devices
- Network Storage of Files Containing Personally Identifiable Information
- Personal Devices in China (including Hong Kong)