Stony Brook University

Research Data Guide

Resources to help you manage your research data.

Data Storage 101

Data is rarely stored in just one place throughout the entire data lifecycle.

Data might be...

  • Collected on a lab computer.
  • Processed and analyzed on a laptop. 
  • Moved to an institutional server or external hard drive for long-term storage.
  • Shared in a public cloud-based repository.

Throughout your research process, track and document where your data will be stored at different stages. Plan this out ahead of time so you always know what data is located where. Consider saving multiple copies of your data and dispersing them geographically to protect against hardware failure or environmental disaster.

Security Considerations

Data security should never be an afterthought: 

  • If you are collecting personal health information, data must be secured in a way that is HIPAA compliant. 
  • If you are working on patents or commercial data, that information must be protected and secure from theft or damage.
  • Even if your data contains no "sensitive" information, be mindful of your intellectual property.* You work hard to collect your data, and you should be taking steps to make sure it is secure.

*See the SUNY page on Copyright and Faculty Ownership of Intellectual Property for more information. 

Basic Data Security Considerations

  • Add passwords to files or folders. 
  • Lock unused machines in your lab or office.
  • Work with DoIT to understand campus security policies and procedures. What extra steps can be taken to keep your data safe?

Cloud Storage Basics

When considering cloud storage:

  1. Always check cloud storage ownership policies. Some cloud providers have policies that allow them to claim ownership of your data!
  2. Use more than one storage provider. That way, if one cloud storage service goes bankrupt or goes down, your data is still available and secure elsewhere.

Cloud Storage and HIPAA

When you need to store data subject to HIPAA regulations, there are additional factors to consider. Under HIPAA:

  • You should have documentation of who is responsible for managing stored data. You should also document any transfer of stored data from one storage site to another. Decide who is authorized to transfer data at the beginning of a project.
  • PHI (Protected Health Information) requires end-to-end encryption: the data must be encrypted in its original location, the connection it travels over to reach its destination must also be encrypted, and the data must remain encrypted in the destination storage location. The encryption key used to access the data should always be stored in a separate location.
  • HIPAA data should not be kept on a portable device; ideally, it should be stored at a secure offsite facility. 
  • Cloud storage is allowed under HIPAA only if the HIPAA-covered entity enters into a HIPAA-compliant business agreement with the cloud storage provider and it complies with the HIPAA Rules. For example, you would be violating HIPAA if you put PHI on your personal Google Drive, but if your workplace enters into a Business Associate Agreement with Google Drive for Work, that storage will be HIPAA compliant.