Guidelines for the Protection of University Research Data

  1. Responsibilities of Researchers:
    All Researchers (and research teams) responsible for and affiliated with Georgetown University studies are required to understand and comply with University policies. Further, Researchers are required to adhere to all applicable classifications and protections relating to the data with which they work, and to comply with all requirements and regulations applicable to the protection of that data.

    Responsibilities of Researchers include:

  • Protection of Data Based on Classification. All Researchers must appropriately maintain the security of media and systems that store or transmit University data based on the classification of that data. University research data is classified as high risk until such time that it is authorized for external access, review, or publication.
     
  • Reporting Information Security Incidents. Researchers must report suspected or known compromises of information resources, including contamination of resources by computer viruses, to the UIS CIRT immediately upon discovery.
     
  • Stewardship of Research Data.  Principal Investigators serve as the stewards of their research data, responsible for the confidentiality, integrity, handling and protection of their data in accordance with University data security standards and applicable data use agreements.
     
  • Workstation Security.  Researchers are responsible for adhering to the standards and guidelines for workstation maintenance and security as outlined by the UISO technology policies.
     
  • University Credentials Management. Researchers are required to comply with the standards for NetID and password protection as defined by the UISO technology policies.
     
  • Accessing University Data, Networks and Systems.  Researchers must access University data and systems only as authorized to do so, and without allowing others access unless authorized by system or data owners. University data cannot be used outside of the scope in which access to that data was initially granted.
     
  • Appropriate Use of Technology Services. Researchers are responsible for using their University e-mail, cloud storage and related accounts to conduct University business. The University expects all members of its community to use electronic resources in accordance with the Georgetown University Computer Systems Acceptable Use Policy.
     
  • Remote Work Guidelines. Researchers who work away from the Georgetown campus are required to comply with University security standards for secure electronic communications; data security, privacy, and protection; and security incident reporting.
  2. Data Security for Researchers
    • Minimum Security Requirements
      All Researchers are responsible for adhering to the University minimum security standards related to data, system security, and credential management. See the Georgetown Minimum Security Standards.


    • Data Use Agreements
      Researchers who obtain data from external sources may be required to comply with data use agreements (DUA) generated by the data owner(s). As the recipient of the data, the Researcher is primarily responsible and liable for that data and is required to inform the appropriate University party of any obligations outlined in the DUA. See Research Agreements.
       
    • Familiarity with University Policies and Guidelines
      Researchers are responsible for the review of all relevant data security policies and guidelines, including, but not limited to:
      • Georgetown University Information Security Policy

      • Georgetown University Information Classification Policy

      • Computer Systems Acceptable Use Policy

      • Policy on the Use, Collection, and Retention of Social Security Numbers at GU

      • Intellectual Property Policy

      • Policies of the Office of Regulatory Affairs where relevant

      • Policies and Procedures of the Institutional Review Board, where relevant

  • Compliance with Relevant Laws, Policies and Regulations
    Researchers are responsible for the review of all relevant international, state and Federal laws, policies and regulations, including, but not limited to:
    • HIPAA/HITECH (Health records)
    • Data Breach laws (regulated Personally Identifiable Information)
    • FERPA (Student records)
    • GLBA (Financial records)
    • PCI (Credit card data)
    • GDPR (General Data Protection Regulation, enacted by the European Union)
    • Relevant law and regulations, local and federal

The Office of University Counsel will provide guidance and support with regard to applicable laws and regulations, and will notify the research community of such laws and regulations as required.

  3. Managing Research Data
  • De-identified and Identified Research Data:
    • Wherever possible and practical, data should be stored, transmitted, and shared in de-identified form.
    • Where use of de-identified data is not feasible, the data must be handled, stored, and processed in accordance with UIS minimum security standards.
    • Logs with identification information must not be stored in the same location as the de-identified data. This applies to both electronic and paper logs.
    • Paper logs must be stored in a secure, locked location – where possible in a safe – when not actually in use.
  • Research Data Repositories
    • Data repositories must be stored in appropriately secured environments:
      • Managed by a designated Georgetown Technology Service Provider
      • Restricted access at the folder or file level
      • Regularly backed up to an appropriate location
      • High Risk data may not be stored on a local workstation drive:
        • May not be stored on the desktop or laptop hard drive
        • Must be transferred to a Georgetown Box folder specifically established for the storage of data at hand
        • May not be stored on portable media
           
  • Securing Research Data Repositories
    • Repositories must be properly secured:
      • Protected with password and two-factor authentication
      • Encrypted in transit and, where appropriate, at rest
      • Access provided based on role and on a ‘need to know, least privilege’ basis
      • Access logs regularly reviewed
      • Deprovisioning and password changes when there are personnel changes
      • Patient information procedures should follow MedStar policies
       
  • Access to Research Data
    • Access to research data must be properly authorized and managed:
      • Based on employee’s role
      • On a ‘need to know’ basis
      • Based on the ‘principle of least privilege’
      • Reviewed regularly
      • Passwords changed when there are personnel changes
      • Access must take into account the classification of the data
         
  • Research Data Management
    • IRB approval, where applicable:
      • Protection of data must follow procedures described to, and approved by the IRB.
      • IRB applications may include additional safeguards not required under existing policy, but may not contain fewer than the minimum standard.
      • IRB-approved protocols must be followed consistently.
    • In other cases, data use agreements, contractual agreements, and applicable government regulations may govern the management and protection of research data.
       
  • Requests for Research Data
    • Principal Investigators authorize access to research data
      • Authorizations for access must follow University and MedStar policies and procedures
      • Where PHI and/or High Risk data are to be shared with external investigators or other personnel, University policies and guidelines are extended with that data
      • Data sharing plans must not violate University or MedStar policies and guidelines

  4. Workstation Security
  • Requirements for All Managed University Workstations:
    • All applicable security updates and other critical patches to the operating system are required on all workstations, as directed by UIS
    • Workstations are compliant with University minimum standards and applicable systems security policies and guidelines
    • Updated University-issued anti-virus software
    • Password-protected screen saver with a short timeout period
    • Managed user accounts with least-privilege permissions
    • Only approved, authorized software installed
    • Safeguard portable computers and mobile devices by using cable locks or securing them in drawers or cabinets.
    • Never leave a laptop unattended.
    • Report lost or stolen devices to the UIS and GUPD
    • Do not place your laptop in checked luggage, or otherwise let it be stored as baggage. Keep it with you at all times.
    • Keep your devices secured when in hotels and on-site at study locations.
       
  • Removal or Reassignment of Devices and Workstations
    • When a workstation is no longer to be used by the Researchers in support of a particular study, the data should be offloaded to a University-managed long-term storage repository where it can be secured and backed up.
    • If the device is being reassigned to a different user or taken out of service, your designated Technology Service Provider staff and the Help Desk will take the appropriate measures to ensure that the device does not contain University data prior to its disposal.
  5. Reporting Information Security Incidents

A data security incident is the attempted or actual unauthorized access, use, disclosure, modification, or destruction of Institutional information. This includes interference with information technology operation and violation of University policy, state or Federal laws, or applicable regulations.
Examples of security incidents include:

  • Computer system compromise
  • Unauthorized access to, or use of, systems, software, or data
  • Unauthorized changes to systems, software, or data
  • Loss or theft of equipment storing Research data
  • Denial of service attack
  • Interference with the intended use of technology resources
  • Compromised user accounts
  • Targeted phishing attack

The Cyber Incident Response Team (CIRT) is the group within the University Information Security Office that is responsible for investigating, mitigating and remediating security incidents. It is important that actual or suspected security incidents are reported as early as possible so that the CIRT can limit the damage and cost of recovery. Include as many specific details regarding the issue as possible so the CIRT can work as quickly as possible.

Important: If the incident includes any immediate physical danger or involves the presence of unknown/unauthorized persons, contact GUPD immediately at 202-687-4343 or call 911.