Research Data Management

1. What is the risk level of my data?
2. Is a password-protected laptop a secure place to store my data?
3. How long can/should I keep my data?
4. What is encryption? When and how should I encrypt my data?
5. What is cloud storage? Is it safe to store my data in the cloud?
6. Is it safe to store my data on mobile devices such as cell phones or USB keys?
7. What online survey software should I use?
8. What is the best way to share data with my co-investigators at other institutions?
9. What is the difference between wireless and wired internet connections? Is one safer?

NOTE: Many of the answers to these questions will depend on the level of risk associated with the data you have collected. If you aren't sure about the risk level of your data, you can reach out to UWinnipeg's Research Data Management Librarian.

Generally speaking, the risk level of your data relates to the sensitivity of your data. The following data classifications  have been adapted from UWinnipeg's forthcoming Information Security Policy, for the purposes of this guide. 

From the policy: "...As the University is committed to safeguarding to a high degree the University, the University Community, and third parties against harm, the academic research data of University employees, post-doctoral fellows, visiting scholars, interns, and students is University Data for the purposes of this Policy."

Public: University Data that is freely disclosed to the public or would cause no harm if so disclosed. For example:

• Research University Data made available to the public.

Internal: University Data that is not protected by law, agreement, or industry regulation, but may cause minor harm to the University or others if disclosed indiscriminately or beyond a need-to-know basis. For example: 

• University Data intended for the sole use of the University, e.g.:
  • budget and accounting figures;
  • office procedures and manuals;
  • building plans;
  • work cell phone numbers; and
• employee-specific email addresses, e.g., j.doe@uwinnipeg.ca.

Sensitive: University Data that must be protected by law, agreement, research protocol, or industry regulation; exposes non-public details of a University system; or may cause moderate harm to the University or others if disclosed to unauthorized individuals. For example:

• Anonymous, anonymized, or coded human research data that is deemed sensitive (as defined above);
• Personal information that is not classified as Highly Sensitive.

Highly Sensitive: University Data that must receive a high degree of protection by law, agreement, research protocol, or industry regulation; exposes non-public details of a critical University system; or may cause considerable harm to the University or others if disclosed to unauthorized individuals. For example: 

• Highly sensitive personal information, e.g.: Personal Health Information, accessibility and counselling information, social insurance number, biometric identifies including finder and voice prints and full-face images, race or ethnic origin, political or religious beliefs or membership, genetic information, sexual orientation or sex life, criminal records checks;
• Research University Data is that Highly Sensitive (as defined above). 

For questions about the Policy (not yet released), or questions about the risk level of your data, you can reach out to UWinnipeg's Research Data Management Librarian.

Collecting and storing data on a password-protected laptop is usually secure for low and medium risk data but it is NOT secure for high or extremely high risk data. If the data being collected is high or extreme risk, store the data on a password-protected and encrypted desktop (as they are less portable and more difficult to steal) in a locked office and/or on a password-protected server, etc.

For added security, encrypt your hard drive, use anti-virus software and anti-malware regularly, update your computer as soon as updates are available, and avoid common situations where your laptop may get stolen such as leaving it in a vehicle or public place unattended. Perhaps most importantly, regularly back up and secure your data.

Even for low risk data, it is best to take steps to secure your data to reduce the risk of having to redo work if your data is accidently deleted or your laptop or portable hard drive gets lost or stolen.

Windows has a free utility to encrypt your hard drive called BitLocker, though is only available for Windows Pro edition. However, Windows Home edition can still read BitLocker encrypted drives.

All Macs have drive encryption but it must be enabled.

It depends on your discipline, and the type and purpose of your data as well as the requirements of your publisher or grant, but here are some things to consider:

• Find a balance between the risks and benefits of retaining or deleting your data, paying special attention to how identifiable or risky the data is. 
• Plan to manage your data securely on an ongoing basis. What is your data management plan if you move on from this institution, this field, or this career?
• It is not inevitable that you will have to delete your data. If you have a good reason to keep your data, and a robust data management plan that describes your plans for how you will steward the data in the future, it is possible but uncommon to keep it indefinitely.

Encryption is a method of encoding your data so that only you, or someone you authorize, can access it. As a general rule, identifiable data obtained through research that is kept on a computer and connected to the Internet should be encrypted. There are a couple of different methods of encrypting your data and they both have benefits and disadvantages:

Encrypting Individual Files

Pros: Encrypting only select files such as those that are research related, or those that contain identifying information, keeps your data safe without any extra complications.

Cons: If someone had access to the computer where your data is stored they could break into it and view any non-encrypted files. You also have to remember to individually encrypt each new file you create. 

Encrypting Your Drive

Pros: Encrypting your entire drive protects from anyone to accessing any of your data without your authorization. Encrypting your whole device is also more convenient and less prone to error as all files are encrypted automatically. 

Cons: If you experience any corruption on your drive, it may be more difficult or even impossible to retrieve that data.

Methods to Try

To encrypt your whole drive, or individual files, try VeraCrypt (Windows/Linux/OS) or GNU PrivacyGuard (Windows/Linux/OS). Programs such as MC Office and Adobe also offer file-level encryption. These programs are recommended when there are few files to encrypt. To encrypt and compress files you are going to be sending over the internet try 7-Zip. UWinnipeg's Information Privacy Office provides more guidance on password protection and encryption.

NOTE: When data requires encryption is can be easy to make the mistake of encrypting some copies of your data but not others. Be sure to encrypt all copies of your data, this includes backups and data stored on mobile devices such as cell phones.

Cloud services store and share data by keeping it on remote servers accessed from the internet. Cloud services can be public or private. While any use of cloud services comes with some inherent risk, the risks for public and private servers are different. Some main differences include server location, server control, and attack surface. With public cloud storage, data is stored in servers that could be anywhere in the world, and thus subject to that country’s laws. With private cloud services your data is stored in local servers. Private companies control public cloud services and the data that is stored there. Access to data stored in private cloud services such as NextCloud is controlled by UWinnipeg. Finally, public cloud services have sprawling infrastructure with many different points where an unauthorized user could attempt to extract data, in some cases private services are less open to such attacks. Whether and what cloud services you can use will depend on the risk level of your data. 

Public Cloud Services 

Examples: GoogleDrive, DropBox, iCloud and Onedrive

If you must use these services, use them for only the lowest risk data.

Private UWinnipeg Endorsed Cloud Services 

Examples: Microsoft 365

While these services are more secure than public cloud storage services they are by no means completely secure. Data should be de-identified before it is uploaded to any of these services and high-risk data should never be stored in the cloud.

Recommendation: To increase protection for NextCloud accounts, UWinnipeg's TSC recommends using Two-factor Authentication.

The answer to this question is different depending on whether we are talking about a portable storage device that has an internet connection, such as a cell phone, or a device that does not have an internet connection, such as a USB key. 

For internet-connected portable storage devices:  

Pros: Collecting data on an internet connected portable storage device such as a cell phone can be a good choice because the technology is ubiquitous, familiar, convenient, fast, accurate, portable, and requires low power at a relatively low cost to the researcher. 

Cons: Data stored on or transferred from portable storage devices increases the risk of it being stolen or improperly accessed. However, encrypting the device and files reduces the risk of a data breach. Smart portable devices such as Google or Apple phones or laptops are often defaulted to backup all data to their cloud system potentially making sensitive data inadvertently available to Google, Apple or a 3rd party backup provider. 

For non-connected portable storage devices:  

Pros: Non-connected portable storage devices do not have the same vulnerabilities as internet-connected portable storage devices, while still providing storage and data transfer options. 

Cons: Data transfer can be less convenient. Some portable storage devices are easily corruptible and not built for long-term storage, for example inexpensive flash drives. Such devices are often small and easy to lose or break.

Qualtrics is web-based, research survey software that offers many advanced, but user-friendly, features. Qualtrics enables users to do surveys, get feedback, and conduct polls using a variety of distribution means. Qualtrics is cloud-based software and has proven to be a versatile resource for our researchers. The company migrated the servers available to University of Winnipeg researchers to Canadian sites to enhance data security. Other survey services should be avoided particularly those located in the USA like SurveyMonkey.

Before you share any data collected from human participants in any way, the key is to render that data as low risk as possible, for instance, by de-identifying it. Ideally, those collecting the research would remove all identifying personal information before the data was shared with research partners at other institutions.   

Use the following as general guidance, though always select a method of communicating your data that is consistent with its risk level:

Low risk data: Share data using UWinnipeg email and cloud services including free personal cloud services (Google Drive, DropBox, iCloud, Onedrive etc.)

Medium and High risk data: Share encrypted and password-protected files via UWinnipeg email and UWinnipeg approved cloud services.

Extreme risk data: Share data hand to hand on a password-protected and encrypted data storage device. Maintaining ethical high-risk data transfer between institutions may require individualized strategies. Contact UWinnipeg's Research Data Management Librarian for more information.

When it comes to connectivity, computers at UWinnipeg fall into 3 categories: computers that connect to the Internet wirelessly, computers that connect via wired networks and computers with no internet connection at all. These three different kinds of computers also represent three different levels of data security. Wireless connections are the least secure. Wired network access is more secure than wireless. Finally, using a computer that is not connected to the internet is the most secure way to store your data.

"Principle (e): Storage limitation,"Information Commissioner's Office, Accessed April 30, 2020, https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/storage-limitation/.

"Research Support Fund: Accountability and Public Acknowledgement,"University of Winnipeg Research Office, Accessed April 13, 2020, https://www.uwinnipeg.ca/research/research-support-fund.html.

"Retaining personal data (Principle 5),"Information Commissioner’s Office, Accessed April 13, 2020. https://ico.org.uk/for-organisations/guide-to-data-protection/principle-5-retention/.

“Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS 2)". Government of Canada Interagency Advisory Panel on Research Ethics. Accessed April 13. 2020, https://ethics.gc.ca/eng/documents/tcps2-2018-en-interactive-final.pdf.

Trucano, Michael. "Using mobile phones in data collection: Opportunities, issues and challenges," Edutech. April 18, 2014, Accessed April 13, 2020, https://blogs.worldbank.org/edutech/using-mobile-phones-data-collection-opportunities-issues-and-challenges.

Adapted with permission from Chandra Kavanaugh.