Research Guides: Research Data Management: Storing and securing data

Creating a data security plan

The first step to storing data securely is to determine what storage (and transmission) systems are appropriate for the security needs of your data. Use the VCU Data Classification Tool first, to learn what security category your data falls into. Second, use the DMS to explore appropriate storage options for the data. If appropriate, you can also use the DMS to submit a data security plan to the infosec team.

Data classification tool
Start by determining whether your data is Category I, Category II, or Category III. This dool will let you check off the types of data you are creating, and then it will tell you what security category the data is.
VCU DMS for data security planning
Once you know your data category, the DMS will allow you to choose technology platforms that are appropriate to the security Category for collecting, transmitting, and storing that data. You can also submit your data security plan for approval by technology services Information Security team.

Using Google Drive for data storage

Google Drive (part of Google Apps for Education provided by VCU to staff and faculty) can be used to store non-sensitive and some sensitive data as outlined below. Your VCU Google Drive account is maintained with good privacy protections by the VCU Technology Services. This allows some, but not all, sensitive data to be stored in your Drive storage space. Faculty and staff at VCU have unlimited storage, but it is important to be careful about what you store and how you set up your files.
Keep in mind that only your VCU Google Drive should be used for storing data. This is the Google Drive that you log into with your vcu.edu email address. Be careful not to store sensitive information of any kind on a free (gmail.com) Drive account, which are not protected by Technology Services so those free gmail.com privacy and security policies are different.
According to the VCU/VCUHS Joint Information Management and Security Framework, Google Drive can be used to store most data. In some cases, you will need to set up your folders according to the instructions in the next section to keep your data secure. Controlling and monitoring your sharing access is key to the proper use of campus Google Drive for data storage.

Data that can be stored in Google Drive: First name, init/Last name, FERPA directory information, Employee/Personnel Records, University Financial Records, Contracts/Grants info, Information under NDA, Investigative/Court Information, Protected Research/Intellectual Information, Information belonging to federal government with sensitivity rating of low (FISMA low), copyrighted protected information

Data that can be stored in Google Drive with proper sharing and access control: SSN, FERPA Non-directory information, Driver’s License or State Issued ID, Criminal Justice Information, Financial Aid Information, Donor information, PII of Children Under 13, PPRA regulated information, PII of EU Citizens, Authentication (Log-in) Credentials (if encrypted)

Data that needs assessment/approval and proper sharing and access control: Medical/Mental History, Medical Treatment or Diagnoses Information, Health Insurance Policy numbers, HIPAA PHI (ACE/from Covered Entities), Identifiable genetic information

Data that can not be stored in Google Drive: Credit/Debit Card info, dbGaP data, The Cancer Genome Atlas (TCGA) data, Information belonging to federal government with sensitivity rating of moderate or high (FISMA, Moderate+High), Export Controlled Information

Google Drive Folder Security

If you are happy with the way you organize your physical records, you can use the same structure in your Google Drive. You might want to add a ReadMe Document to your folders to clarify what information is in that folder. This is especially helpful for spreadsheets, where a readme file can be used to define what is being recorded in the various rows and columns.

If you need to find another method of organization, one way is to create folders for each Project, then another level of folders for the types of experiments, surveys, and data collection you do.

The important thing to remember when you create folders and documents that will be shared with collaborators, be they students, technicians, or other faculty, add them by name individually. Do not share data openly with a link. Instead, use the Advanced sharing to be sure that you are the final authority on who does and does not have access, and which collaborators can change the data.

You must also make sure you, as the owner, are the only one who can share or delete the documents. This is especially important if you add collaborators as "editors" who can add data or text to the files. You can limit the ability of editors to share documents by changing the Sharing settings. At the top of the Sharing settings window there will be a gear symbol. CLick on the gear to show a checkbox - unclick editors can change permissions and share. Uncheck this box; it is essential that you maintain control over who has access to the data.

In long projects with changing teams, you should also review permissions each semester and remove access from team members who are no longer on the project. Reviewing project security regularly is a best practice for protecting your data.

We recommend viewing this video on safe file sharing from VCU Technology Services.