Managing research data risks

All data, including research data, carries risk. Although risk management probably isn't the primary focus of your research efforts, it's an important step in helping your project stay on track and avoiding penalties.

To help you spend less time managing risk and more time conducting research, use the resources on this page to understand the different risks that could affect your data and your project and plan how to appropriately manage those risks.

You can use the information on this page to inform your data management plan. Example DMP wording is included in the table below. You can also contact IT Security for a consultation about research data risk and for assistance in incorporating risk management strategies into your data management plan and research practices.

The table below is available for download (without the example DMP wording) as the Managing Research Data Risks PDF.

Each risk below is presented in four parts: the type of risk, questions to help you decide whether it applies to you, recommendations for managing the risk, and example data management plan wording.

Confidentiality risk

Will your project involve any data that has restrictions on who can view or access it?

Do you have any data that...

  • can only be disclosed to authorized parties?
  • is required by law, regulation, or contract to remain confidential?
  • is sensitive by nature and would have a negative impact if disclosed?
  • would be valuable to hackers, corporate spies, foreign intelligence, etc.?

Data confidentiality is about protecting data against unintentional, unlawful, or unauthorized access, disclosure, or theft.

  1. Encrypt the data at rest and in transit
  2. Control access to the data [1]
  3. Physically secure devices and paper documents
  4. Securely dispose of unneeded data and devices
  5. Acquire data only as needed
  6. Use data only as needed
  7. Manage devices [2]

Data confidentiality risks will be managed through the use of encryption, access controls, and device security best practices.

Integrity risk

Will your project involve any data that, if not maintained with integrity, would significantly impact the accuracy or feasibility of the study?

Do you have any data that...

  • must remain accurate and uncorrupted?
  • must only be modified by certain individuals or in a controlled manner?
  • must come only from trusted sources?

Data integrity is about protecting data against improper maintenance, modification, or alteration. It includes data accuracy and authenticity.

  1. Back up the data
  2. Control access to the data [1]
  3. Log data access and changes
  4. Use hashing to check file integrity
  5. Perform data verification and validation

Data integrity risks will be managed through the use of backups, access controls, and data verification and validation.
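Item 4 above (use hashing to check file integrity) is the one recommendation in this list that is easy to automate, so here is an added example that is not part of the original page or the university's own tooling. It records a SHA-256 manifest for a data directory in the same line format as `sha256sum`, then re-checks the directory and reports which files were modified, which went missing, and which appeared unexpectedly. The directory layout, file contents, and the "one value silently changed" scenario are constructed for the demonstration.

```python
"""Added example (not part of the original page): a SHA-256 fixity manifest for a
research data directory, written in the same line format as `sha256sum`, and a
verification pass that reports modified, missing and unexpected files.

File names and contents below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB data files need not fit in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 hex digest, for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(manifest: dict[str, str], path: Path) -> None:
    # "<digest>  <name>" per line is what `sha256sum -c` expects, so the manifest can
    # also be checked from the shell without this script.
    path.write_text("".join(f"{d}  {n}\n" for n, d in manifest.items()))


def read_manifest(path: Path) -> dict[str, str]:
    manifest: dict[str, str] = {}
    for line in path.read_text().splitlines():
        digest, name = line.split("  ", 1)
        manifest[name] = digest
    return manifest


def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the directory's current state against a previously recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(n for n, d in manifest.items() if n in current and current[n] != d),
        "missing": sorted(n for n in manifest if n not in current),
        "added": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: record a manifest, then alter one file, delete another
    and drop in a stray file, and see what verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "data")
        (root / "raw").mkdir(parents=True)
        (root / "raw" / "survey.csv").write_text("id,score\n1,42\n2,37\n")
        (root / "raw" / "codebook.txt").write_text("score: 0-100\n")
        (root / "notes.md").write_text("# lab notes\n")

        # Keep the manifest outside the tree it describes (and, in practice, somewhere
        # the people who can edit the data cannot also rewrite).
        manifest_path = Path(tmp, "SHA256SUMS")
        write_manifest(build_manifest(root), manifest_path)

        (root / "raw" / "survey.csv").write_text("id,score\n1,42\n2,99\n")  # one value changed
        (root / "raw" / "codebook.txt").unlink()
        (root / "scratch.tmp").write_text("oops\n")

        return verify(root, read_manifest(manifest_path))


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. A hash tells you that a file changed, not who changed it or why, so it complements rather than replaces items 2 and 3 (access control and logging); and a manifest stored alongside the data, writable by the same accounts, can simply be regenerated after a change, so keep it in a separate location (or sign it) and re-run the check on a schedule and before each backup, where it also catches silent corruption that no attacker caused.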

Availability risk

Will your project involve any data that, if lost, stolen, or destroyed, would be irreplaceable or would significantly impact the feasibility of the study?

Do you have any data that...

  • must remain available or accessible during the project?
  • must remain available or accessible after the project is complete?
  • cannot be easily re-obtained or re-created?

Data availability is about the timeliness and reliability of access to and use of data. It includes data accessibility.

  1. Back up the data
  2. Inventory the data
  3. Use metadata to identify and describe data
  4. Manage record retention
  5. Securely dispose of unneeded data and devices
  6. Arrange for publication and curation of data after project completion

Data availability risks will be managed through the use of backups and appropriate record retention practices.

Privacy risk

Will your project involve any data that, either by itself or in combination with publicly available information, has the potential to violate the privacy expectations of individuals?

Do you have any data that...

  • involves human subjects?
  • has explicit legal or regulatory privacy protection requirements?
  • is sensitive, or has the potential to be sensitive if combined with other information?

Data privacy is about respecting individuals' reasonable expectation to be free from unwarranted observation and excessive collection of personal data (what is being observed and how it is being used).

  1. De-identify or aggregate data where appropriate
  2. Provide fair notice of monitoring, data collection, and/or data usage
  3. See the recommendations for confidentiality risks above

Project data will be de-identified or aggregated where appropriate to protect the identities and privacy of human subjects.

Human subjects will be provided with fair notice of monitoring and will provide consent where appropriate or necessary. Data collection and usage practices will be described in a privacy statement available to all subjects.
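Item 1 above (de-identify or aggregate data where appropriate) and the "in combination with publicly available information" question are easier to see in working code, so here is an added example that is not part of the original page or the university's own tooling. It takes a constructed participant table, drops the direct identifiers (name, email), replaces the participant ID with a keyed pseudonym, generalizes the quasi-identifiers that re-identify people when joined with public records (ZIP code to a 3-digit prefix, birth year to a 10-year age band), and then produces aggregate counts with small cells suppressed. The sample rows, the placeholder project key, the reference year, the band width, and the minimum cell size of 5 are all assumptions for the demonstration, not values the page prescribes.

```python
"""Added example (not part of the original page): de-identifying a constructed
participant table before it leaves the project, then aggregating it for release.

Assumptions (not from the page): a per-project secret key held apart from the data,
a 2024 reference year, 10-year age bands, 3-digit ZIP prefixes, minimum cell size 5.
"""
from __future__ import annotations

import csv
import hashlib
import hmac
import io
from collections import Counter

# Constructed sample data. name/email are direct identifiers; zip and birth_year are
# quasi-identifiers that can re-identify someone when combined with public records.
RAW_CSV = """participant_id,name,email,zip,birth_year,condition
1001,A. Example,a@example.org,19716,1984,control
1002,B. Example,b@example.org,19711,1986,control
1003,C. Example,c@example.org,19713,1979,control
1004,D. Example,d@example.org,19716,1990,control
1005,E. Example,e@example.org,19717,1988,control
1006,F. Example,f@example.org,19716,1972,treatment
1007,G. Example,g@example.org,19711,1995,treatment
1008,H. Example,h@example.org,19801,1983,treatment
"""

# Hypothetical placeholder key. In practice: secrets.token_bytes(32), stored apart
# from the de-identified data (e.g. a key vault) and never shipped with it.
PROJECT_KEY = b"placeholder-key-replace-with-32-random-bytes"


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed hash of an identifier. Same input -> same token, so records can still be
    linked across files, but nobody can recompute or reverse it without the key.
    A plain SHA-256 would not do: anyone can hash a short list of candidate IDs."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def age_band(birth_year: int, reference_year: int = 2024, width: int = 10) -> str:
    age = reference_year - birth_year
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def deidentify(raw_csv: str, key: bytes) -> list[dict[str, str]]:
    """Drop direct identifiers, pseudonymize the ID, generalize quasi-identifiers."""
    out = []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        out.append({
            "pid": pseudonym(key, row["participant_id"]),
            "zip3": row["zip"][:3],
            "age_band": age_band(int(row["birth_year"])),
            "condition": row["condition"],
        })
    return out


def aggregate(rows: list[dict[str, str]], keys: tuple[str, ...], min_cell: int = 5):
    """Counts per combination of the given columns. Cells below min_cell are
    suppressed (None): a count of 1 or 2 can single out a participant."""
    counts = Counter(tuple(r[k] for k in keys) for r in rows)
    return {cell: (n if n >= min_cell else None) for cell, n in counts.items()}


def contains_direct_identifiers(rows: list[dict[str, str]], raw_csv: str) -> bool:
    """Release check: none of the original names, emails or IDs appear in the output."""
    raw = list(csv.DictReader(io.StringIO(raw_csv)))
    tokens = {v for r in raw for v in (r["name"], r["email"], r["participant_id"])}
    return any(v in tokens for r in rows for v in r.values())


if __name__ == "__main__":
    rows = deidentify(RAW_CSV, PROJECT_KEY)
    assert not contains_direct_identifiers(rows, RAW_CSV)
    for row in rows:
        print(row)
    print(aggregate(rows, ("zip3", "condition")))
```

Two points worth stating in the data management plan alongside this. Keyed pseudonyms are reversible by whoever holds the key and the original table, so the result is pseudonymous rather than anonymous: the key and the ability to re-link are themselves confidential data, and whether the output still counts as identifiable depends on the applicable rules. And suppressing small cells removes the most obvious singling-out in aggregate tables, but it is not a full re-identification risk analysis; rare combinations of the remaining columns in the row-level file still need review before that file is shared.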

Legal, regulatory, and contractual risk

Will your project involve any data that is subject to legal, regulatory, or contractual requirements?

Do you have any data that...

  • is subject to laws or regulations (e.g., FERPA, HIPAA, COPPA)?
  • is provided to you under a contract or agreement?
  • is subject to grant or contract restrictions or security requirements?

Data laws and regulations govern the handling of particularly sensitive kinds of information and may present the risk of fines, funding loss, or even imprisonment. Health data, education records, defense articles, and other data present legal and regulatory risk that goes hand-in-hand with other risks, such as confidentiality, privacy, and human risk.

Sponsored research agreements may specify data security standards and requirements that must be followed during or after the study. Data contracts may govern how data from a particular source or generated by a particular contract can be used or what rights researchers acquire to that data.

  1. Be aware of relevant laws, regulations, and contract requirements and how they apply to your data
  2. Include requirements in your data management plan
  3. Consult General Counsel or IT if you have compliance questions

NOTE: Your data management plan should explicitly address compliance with applicable laws, regulations, and contract requirements. For example, your data management plan should provide written affirmation of compliance with NSF grant requirements or regulations like HIPAA.

Human risk

Is every member of your team, including you, aware of data risk and security?

Is your team...

  • aware of their responsibility for security?
  • aware of security best practices?
  • watchful for unusual behavior that may indicate data theft?

Human risk includes human vulnerability to social engineering, awareness of security practices, and insider threats.

  1. Sign up for Secure UD Training
  2. Discuss security with your team and make it integral to your project
  3. Consult IT if you have questions

NOTE: Your data management plan may include training requirements or other security awareness efforts for your research team. This training may be mentioned in the context of other necessary training, such as hazardous materials training or animal safety training.

[1] Controlling access to data includes: authorizing access based on "need to know," uniquely identifying and authenticating users, using two-factor authentication (2FA) where practical, and periodically reviewing access.

[2] Managing devices includes: using anti-virus software, routinely patching software, whitelisting applications, using device passcodes, suspending inactive sessions, enabling firewalls, and using whole-disk encryption. These tasks can be automated and managed for desktop and laptop computers through computer management.