Research Data Security Checklist
The following checklist is intended to help you determine if there are elements within a research project that might have special security requirements and, therefore, require additional review by the Office of Information Security and/or Research Compliance.
Is there data involved in the project that meets any of the following criteria:
Contains sensitive personally identifiable information (Sensitive PII)? Examples include name combined with social security number, passport ID, bank account numbers, etc.
Contains individual health information, even if the data is anonymized or redacted?
Contains data about children under the age of 18?
Contains information that is considered proprietary by the organization providing the data and has special protection requirements in the contract?
Contains personal data from European Union (EU) countries? Sensitive PII is generally protected in the U.S., but in the EU all personal data is protected under the GDPR.
Contains information which the PI believes is highly valuable or sensitive and needs to be protected?
Export controlled: is there any data involved in the project that is:
Federal data marked as, or considered to be, Controlled Unclassified Information (CUI)?
Are there specific regulations mentioned in the FOA, RFA, BAA, Award or Contract Terms and Conditions which need to be met? Examples include HIPAA, GDPR, DFARS, etc.
Are there specific security requirements or security control frameworks mentioned in the FOA, RFA, BAA, Award or Contract Terms and Conditions? Examples include NIST, ISO, or “data must be maintained in a cold room”.
Are there penalties for mishandling or losing custody of the data in the FOA, RFA, BAA, Award or Contract Terms and Conditions?