Research Data Security

What are the concerns?

Research data security is crucial for national security because many research projects involve sensitive information that can impact national defense, public safety, critical infrastructure, or economic stability. 

Security
  • The unauthorized access or exfiltration of research data can lead to exploitation such as espionage, impersonation, or disinformation campaigns that undermines national security.
  • Securing research data prevents the unintended transfer of advanced technologies that hold significant economic value, such as developments in microchips, artificial intelligence, biotechnology.
  • Data security measures also help in safeguarding the intellectual property that contributes to a nation’s competitive advantage in the global market. 

While universities and government funding agencies continue to push for more openness in science, especially in regard to making research data publicly available, it may seem counterintuitive to think about data security – which can place limitations on who can access data or how it can be used.

However, when considering how research data is used throughout their lifecycle, it is evident that there are many reasons that all research data requires data security – with some data requiring more protections than others:

  • First, all research data requires some level of security, such as protection from alteration, loss, and cybercrime.
    • If research data can be easily altered or deleted, whether by mistake or manipulated by a malicious actor, we wouldn’t be able to trust the integrity of the information.
    • In addition, it can be costly to reproduce research data if data is lost or corrupted. Data protection and security measures such as backups, snapshots, and offsite storage can help mitigate the cost of data retrieval.
    • Finally, with the overall rise in cybercrime, research institutions are increasingly a target of ransomware attacks, which require a baseline of security measures to prevent.
  • Secondly, most research data will require different levels of security during different phases of its lifecycle.
    • Some researchers may wish to secure data during early phases of a research project to guard against introducing inaccuracies or incomplete data into the public sphere, which could result in misinterpretation or misuse. It is also possible that data undergoes changes during the peer review and validation process where researchers may refine their analyses to ensure the accuracy and reliability of the results.
    • Most research data will require some basic protections such as access control, accessibility, and attribution to ensure that researchers are the ones to decide when, how, with who and under what conditions data is shared – such as allowing project sponsors and collaborators access to the data.
    • All research data has intrinsic and intellectual value and researchers, sponsors, and the University may wish to protect their intellectual property rights in relation to commercially valuable discoveries.
  • Finally, there are a host of project-specific considerations that can include legal, ethical, regulatory, and logistical aspects that require additional security beyond the common measures. 
    • Sensitive data, such as that involving personal information, health records, or environmental impacts, often require additional safeguards to prevent unauthorized access and ensure that disclosure is in line with legal and regulatory requirements.
    • In addition, some data may be protected by contractual obligations. Specific agreements, such as Data Use Agreements, may define how data is to be shared, accessed, and controlled among partners.
    • In addition to legal, regulatory, and contractual requirements some research data may require cultural and ethical protections to respect the rights and customs of the involved communities.

Examples of Data Classifications:

While research data security principles can apply to any data, Princeton University may be subject to additional legal and regulatory requirements for related to specific data regulations, such as (but not limited to): 
 

 

Personally Identifiable Information (PII) and Protected Personally Identifiable Information (PPII) as defined by Office of Management and Budget’s (OMB) Guidance for Federal Financial Assistance or “Uniform Guidance”

Controlled Unclassified Information ("CUI”)

Personal Data as defined by the EU's General Data Protection Regulation (“GDPR”)

Personal Information as defined by China’s Personal Information Protection Law (“PIPL”)

Protected Health Information (“PHI”) covered by the Health Insurance Portability and Accountability Act ("HIPAA”)

Educational Records covered by the Family Educational Rights and Privacy Act (“FERPA”)

Student financial records and other financial records covered by the Gramm-Leach Bliley Act ("GLBA”)

Princeton's Actions:

 

  • Establishment of Protect Our Info, which describes the Universities data classification levels.
  • Establishment of Citadel, an on-premises secure research infrastructure to protect Restricted data including Controlled Unclassified Information (CUI), 
  • In 2023, the Office of the Dean for Research hired a Research Data Security Manager. 
  • Beginning in 2023, the Office of Information Technology rolled out new cybersecurity protocols for the University network and increased guidance to the community: Safe Computing | Information Security Office (princeton.edu)
  • An additional risk-focused assessment, led by the Office of Audit and Compliance, is expected to be conducted in 2024.

 

Processes, Forms, and Tools: