Research Data Management

Description:  

Data that could cause harm to the institution, our partners, data subjects or national security if disclosed.  

Such data is typically Personal Identifiable Information (PII) data subject to regulatory controls or data subject to contractual restrictions.

Examples:  

• Identifiable human subject data
• Contractually restricted data
• HIPAA-regulated protected health information from a “Covered Entity”
• Export controlled information
• FERPA-regulated student educational records
• Other regulated data and data that when merged becomes sensitive and could impact financial standing, economic prospects, provide information about criminal activities or otherwise harm an individual

Handling Requirements:

• Obtain Institutional Review Board (IRB) approval or determination of exemption for obtaining, collecting, storing or analyzing PII for research
• Legal agreements when transferring data into or out of UAlbany (please contact [email protected] with any questions)
• Access must be restricted to authorized personnel  
• Encryption is required for data storage (data at rest) and transmission (data in transit)
• A written Data Management Plan (DMP) or Technology Control Plan (TCP)
• Must comply with applicable laws
• Must comply with institutional data management plan standards
• Strict virtual and physical access controls and audit logs
• Training for all project personnel in Research Security and cybersecurity is required, and other training as appropriate to the project (please visit the Regulatory & Research Compliance Training webpage for more information)

Description:

Data from research that is not yet analyzed and is not ready for publication. This data can also include proprietary information related to commercial endeavors.

This data does not contain PII, information regulated by the federal or state government, and is not subject to contractual obligations, but requires safekeeping to protect from external entities.

Examples:  

• Draft manuscripts
• Internal reports
• Preliminary data
• Lab-specific protocols
• Anonymous survey results where subjects were promised confidentiality
• De-identified data
• Coded (pseudonymized) data where the identifiers will not be released
• Audio or video data that cannot be linked to an individual

Handling Requirements:

• Obtain IRB approval or determination of exemption for obtaining, collecting, storing or analyzing PII for research
• Legal agreements as appropriate
• Access limited to project team members
• Stored on secure institutional systems with access controls
• Develop a written Data Management Plan (DMP)

Description:  

• Any Personal Data that is either anonymous or identifiable personal data lawfully in the public domain at the time it is collected for research
• Data that is not bulk personal data, as defined in 28 CFR Part 202
• Data that is not proprietary or intended to be commercialized
• UAlbany-developed software that is made freely available to the public without restriction or tracking
• Records of the institution released pursuant to a freedom of information request that are not excepted from public disclosure

Examples:  

• Results of research
• Open datasets
• Conference presentations
• Staff directory information published on the website
• Non-confidential data
• Public data

Handling Requirements:  

• Obtain IRB approval or determination of exemption, as appropriate
• No restrictions on access or distribution
• May be shared widely to public servers or websites without restriction 

• Researchers: Classify data appropriately, follow handling requirements and report breaches.
• Data Stewards: Assist with classification, ensure compliance and provide training
• Information Technology Services (ITS): Provide secure infrastructure and support for data protection
• Office of Regulatory and Research Compliance (ORRC): Monitor adherence to legal and regulatory obligations 

1. Creation: Classify data at the point of creation or collection.
2. Storage: Use appropriate storage solutions based on classification.
3. Sharing: Share data only with authorized individuals and under approved agreements.
4. Retention: Retain data according to institutional and funding agency policies.
5. Disposal: Securely delete or destroy data when no longer needed. 

All DUA requests, whether they be an initial request or a modification request, should be submitted by the Principal Investigator. 

Completed DUA packets should be sent to [email protected].  

Initial Request Packet 

Submit the following to request the University enter into an agreement for access to third-party data: 

• DUA Initial Request Form
• DUA Signature Forms from all data users subject to the agreement
• The proposed Data Use Agreement and any other forms requiring a University signature
• Any other relevant, data-related forms submitted to the data owner or sponsor (such as a data use application, confidentiality agreements, etc.)
• An IRB determination letter (only for data connected to human subjects)
• A separate Data Management Plan, if created 

Modification Request Packet  

Submit the following to request a modification to an existing DUA or to add data users to an existing DUA’s coverage: 

• DUA Modification Request Form
• A list of all personnel who would have access to the data under the modified agreement
• DUA Signature Forms (see link above) from all new data users subject to the agreement
• Copies of previously submitted forms
• An updated Data Use Agreement and any other forms requiring a University signature
• Any other relevant, data-related forms submitted to the data owner or sponsor (such as a data use application, confidentiality agreements, etc.)
• An IRB determination letter (only for data connected to human subjects)