Institutional protocols for suitable research storage mediums

Purpose: To establish best practice for researchers handling sensitive data in the course of their research.

Background: Many researchers opt to store data on devices such as USBs and external hard drives. These types of storage solution are vulnerable to loss and theft, posing a risk of data loss if data is not backed up. Such loss may also put researchers and the University in breach of Privacy legislation if the dataset contains sensitive personal information, or in breach of contractual arrangements where those arrangements require researchers to protect intellectual property rights, commercial interests, or to keep sensitive information safe. The Bond University Code of Conduct for Research Policy – TLR 5.06 (issue 3) states the following with respect to security in storage of Research Data:

3.1.6 Research data and records must be maintained securely to prevent unauthorised access, destruction, alteration or removal, accidental or intended damage or destruction.

3.1.7 Confidential research data and records must be stored securely (for example, in lockable filing cabinets or a lockable room with controlled access). When confidential research data and records are stored electronically (for example on a personal computer) precautions must be taken to control access to the research data and records. Such precautions include password access and ‘locking’ data files.

Australian Privacy Principles stipulate that:

11.1 If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information: a. from misuse, interference and loss; and b. from unauthorised access, modification or disclosure.

Recommendations: In view of these risks, Research Services and ITS seek to discourage the use of vulnerable portable storage solutions in favour of password-protected University network drives, which are accessible off Campus via the Citrix desktop environment and securely backed up. The University’s network drives thus have the additional advantage of allowing file retrieval in the event of a mishap.

Unless there are good reasons for acting otherwise, if work must be shared with co-researchers who do not have access to the Citrix desktop environment, researchers are advised to consider using one of the Australian cloud data storage sites recommended by the library, such as Cloudstor (a secure storage and file transfer platform hosted by Australia’s Academic and Research Network (AARNet)).

Other services are not recommended unless they conform to Australian Privacy legislation. For a service to be an appropriate data repository or data transfer mechanism, ownership of and access to data must remain with the curator(s) of the data and not with the service provider. Data gathered under Australian Privacy Principles must not be placed with services physically located in countries where its content may be accessible to third parties, including state authorities of that region.

The Ethics Application form includes a page on projects’ plans for data management, and researchers should be aware that BUHREC takes this issue seriously. ADRs are asked to assist by considering the appropriateness of data management protocols when assessing whether the Faculty can support research applications.

Additional resources: Researchers may approach ITS for help to provide a solution if the data has specific requirements. Depending on the complexity of the requirements, a business case, funding or additional time may be required in order to meet specific needs.

Further information about data storage services and resources on offer to Bond University staff and students is detailed in the accompanying Data Storage information, management and solutions at Bond University.