Data Security, Storage, Access, Transfer and Destruction

Researchers should guard data in regards to:

  • Network security: Keeping confidential data off the Internet and in extreme cases, store sensitive materials on computers not connected to the internet.
  • Physical security: Restricting access to buildings and rooms where computers or media are kept. Only let trusted individuals troubleshoot computer problems.
  • Computer systems and files: Maintaining virus protection software up-to-date, don't send confidential data via email (or, if you must, use encryption), set passwords on files and computers, react with skepticism to phone calls and emails that claim to be from your institution's IT department.

IT College Representatives

Contact information: Colleges, Representatives and Email  

College Representative Email
Arts & Letters Greg Topple
Business Peter Goumas
Design & Social Inquiry Matthew Canavan
Education Steve Diaz
Engineering Mahesh Neelakanta
Honors Mike Hampton
Medicine Jeffrey Clark
Nursing Jony Singh
Science Jaime Paredes

For additional questions please contact Research Integrity Office at: or 561-297-1383.

Database Storage and Disposal Recommendations


data storage
  • It is advisable to export data from raw SQL database or input the data in analytical files in a manner that strips the immediately identifying variables from the SQL database or the paper files.

When creating databases in analytical files:

  • Check that they do not contain names or identifiers.
  • Utilize dedicated password protected, restricted-access space on shared network drives and conduct and save analytic work directly into these locations.
  • The use of cloud-based servers to store and manipulate data is also a feasible secure option to manage data without permanent local storage.
  • Contact your College IT representative to explore the options for Florida Atlantic available servers and storage options.
  • The use of remote access software is an alternative solution.


  • If a local copy of the data is required, follow recommendations in the sections below.
  • Work within the secure network as much as possible, and when possible, upload your work to dedicated space on Florida Atlantic shared network drives.
  • After uploading to Florida Atlantic network drives, remove local workspaces and copies of the data when no longer needed.


password If computers are used to record human subjects research data, the computer(s) and corresponding files should be password-protected. At Florida Atlantic, protection of individual faculty/staff computers is managed by the Office of Information Technology (OIT).

Document Protection  


Password-protection of individual files/documents is usually offered by the manufacturer of the software, (i.e.: Microsoft). Users must control the security of their own documents.

Back Up  

global data

In general, good practice is to have three copies in at least two locations (e.g. original + external/local backup + external/remote backup). Geographically distribute your local and remote copies to reduce risk of calamity at the same location (power outage, flood, fire, etc.).

retrieve files

To be sure that your backup system is working, periodically retrieve your data files and confirm that you can read them. You should make these checks when you initially set up the system and on a regular schedule thereafter. CDs or DVDs are not recommended because they are easily lost, decay rapidly and fail frequently.

Florida Atlantic has a policy in place 6 for backups to ensure that the institution has a safe and recent copy of data in case a system crashes or other disaster occurs. The system(s) run a backup script each night when there is little activity. A third-party cloud storage company maintains offsite backup data. All data is encrypted and stored safely.

Personal Identifying Information  

separate data

Personal identifying information should be kept separate from the research data AND data should be stored in an encrypted format.

Florida Atlantic Supportive Storage Options

Data Access

data access

The research plan should determine which personnel will have access to the data.

Principal investigators should have clearly established who controls the data (e.g., the PI, a student, lab personnel, university, or sponsor).

The IRB protocol should specify whether any outside parties will have access to study data and the process for storing and/or transferring that data.

Data Sharing and Transfer

Why data is shared?

  • Required by publishers (e.g., Cell, Nature, Science).
  • Required by government funding agencies (e.g., NIH, NSF).
  • Allows data to be used to answer new questions.
  • Makes research more open.
  • Makes your papers more useful and citable by other researchers.

Data transmission needs a plan to protect the confidentiality of the data.

Research teams are advised to develop standard operating procedures regarding a secure transmission process regardless of the data being anonymous, coded or non-sensitive.

Secure data transmission processes are a best practice and mitigate the potential of data breaches.

Florida Atlantic provides extensive guidance, software and resources to assist researchers to encrypt and transfer data.

How to Share Data?

Data Information  

central repository

Sharing data

  • File Formats for Long-Term Access: The file format in which you keep your data is a primary factor in the ability to use your data in the future. Plan for both hardware and software obsolescence.
  • Don't Forget the Documentation: Document your research and data so others can interpret the information. Begin to document your data at the very beginning of your research project and continue throughout the project.
  • Ownership and Privacy: Make sure that you have considered the implications of sharing data in terms of copyright, IP ownership, and subject confidentiality. The way to share your data must be planned and described in the original research protocol. Always work with your IT representative, to establish a realistic, up-to-date sharing plan.
  • Refer to Florida Atlantic-Sponsor Research for need and terms of Data Use Agreements Guidance:
    Click here to review guidance document.

An optimal option is to create/find a data repository. The decision should be based on the long-term security offered and the ease of discovery and access by colleagues in the field. There are two common types of repository to look for:

  • Discipline specific: Accepts data in a particular field or of a particular type (e.g., GenBank accepts nucleotide sequence data).
  • Institutional: Accepts data of any type produced within the institution that maintains it (e.g., the University of California's Merritt) Central Data Repository.

Transfer of De-Identified Data

Responsibilities Beyond Research Team

Prior to data access, students and external investigators not explicitly listed in the IRB data access listing should:

Note: This must all be documented electronically or on paper, approved by the PI and the data manager should be informed.

Note: The data manager will create an individual folder on the secure server or cloud server for each separate study project.

Responsibilities of the Principal Investigator

  • Verify documents listed above are complete.
  • Make sure DUA is in place.
  • Create an individual folder on the secure server or cloud server for each separate study project.
  • Create the data set with a mapped set of Identification numbers (NEWID) without personal identifiers.
  • Safeguard the Identification key. It will not be on a personal computer.
  • According to the data use timeline or DUA or the research plan, send an email to the student or scientist and ask them to delete the data set. This email will be kept on file for the record.

Data Retention and Destruction

OHRP logo OHRP: 45 CFR 46 requires research records to be retained for at least 3 years after the completion of the research.

hipaa compliance logo HIPAA: Records must be retained for a minimum of 6 years after each subject signed an authorization.
fda FDA: Records must be retained for a period of 2 years following the date a marketing application is approved for the drug for the indication.

va VA: Records must be retained indefinitely per VA federal regulatory requirements.
sponsor requirements Sponsor Requirements – contract: PI must insure that he/she complies with any terms for record retention detailed in the contract.

Competent data destruction services should be used to ensure that no data could be recovered from old electronic media. The U.S. Department of Defense (DoD) 5220.22-M standard for permanently removing data from disks is considered the most rigorous standard. DoD-compliant disk sanitization software may be used to overwrite or wipe data content from electronic media. Note: free versions of this kind of software may not be DoD-compliant.