Data Management is an effective strategy for ensuring that data will be usable, preserved, maintained and accessible throughout the life cycle of a research project and for future generations of scientific research. As a greater number of federal funding agencies implement public access mandates, it has become clear that universities must take an active role in ensuring that researchers make their data accessible. Additionally, the University recognizes the importance of systematically preserving and retaining research data. As such, the University has implemented a Research Data Management policy to ensure that principal investigators and researchers understand their responsibilities in maintaining, preserving and making public their research data. This policy establishes broad principles for research data management. These policies are intended to be supplemented by applicable policies established by funding agencies and other relevant University and departmental policies.
FSU Libraries' Data Management site provides resources and information about data management planning, data storage, funding agency requirements, data curation tools, and options for sharing, licensing or publishing data sets.
DMPTool provides guidance and resources for your Data Management Plan. The goal is to provide a "flexible, online tool to help researchers create data management plans."
Because of the complexity of identifying authors of research reports and the importance of ensuring scholarly integrity and the responsible reporting of research, an Authorship and Research Integrity Policy (see below) has been created to provide basic guidelines for authorship assignments and a means to resolve disputes that may arise.
A Data Use Agreement (DUA) is a contractual document between a Data User and a Data Provider, describing the provisions associated with the transfer of confidential, protected, or restricted-use data. Examples include records from governmental agencies or corporations, student records information, existing human research subjects data, and limited data sets. Broadly speaking, DUAs can be either Incoming (FSU receives data from an outside entity) or Outgoing (data housed or owned by FSU are shared with an outside entity).
DUAs address important issues such as limitations on use of the data, liability for harm arising from the use of the data, publication, and privacy rights that are associated with transfers of confidential or protected data. The DUA also assures that the Data User is using the data in accordance with applicable law (e.g. HIPAA, FERPA), and prevents the inappropriate use of protected or confidential data that could cause harm to the investigator, the University, or individuals whose data is part of the data set.
In general, a Data Use Agreement may include:
- What data will be released or shared
- Who has ownership of the data
- What, if any, identifiers will be included
- The purposes for which the data may be used
- With whom, if anyone, the data may be shared
- Data security and safeguards
- To whom violations of the agreement should be reported
- The term of the agreement
- The disposition of the data at the end of the agreement
- Any indemnification or insurance requirements
Sometimes, a transfer of data from one entity to another is addressed in the context of a larger agreement between the parties, such as a subaward agreement or a contractual services agreement. Data transfer as part of such a collaborative research project is often addressed in the study protocol or in the funding agreement terms and conditions. In those cases, a separate DUA is generally not necessary.
If you request data from an outside institution or organization, it is the responsibility of that organization to determine whether a DUA should be executed before providing the data. Some governmental organizations have an application process that must be completed prior to the start of negotiations. Please contact Glenn Ladwig, Research Legal Counsel, email@example.com when starting this type of application process for assistance with identifying and managing compliance issues. Incoming DUAs must be signed by the Vice President for Research (VPR) prior to receipt of the data by the investigator. See Processing a Data Use Agreement below.
When sharing data housed or owned by FSU with an outside organization, the University must consider multiple security and compliance criteria before determining whether or not a DUA is appropriate. Research Legal Counsel will work with the researcher to develop an appropriate agreement as needed. Outgoing DUAs must be signed by the VPR prior to submission of the data to the outside organization. See Processing a Data Use Agreement below.
It is the researcher’s responsibility to understand and strictly follow the terms of the DUA. It is assumed that a researcher who transmits a request for a DUA in RAMP has read and agrees to conform to its terms. The researcher may or may not be required to sign the DUA (as an acknowledgment rather than institutional acceptance). However, the VPR serves as the authorized signatory for research-based DUAs. See Processing a Data Use Agreement below.
Data Use Agreements and Human Subjects Research
DUAs are commonly used when a researcher wishes to access archives or restricted data sets that may contain identifiable information about individuals for the purpose of conducting projects that fall under HHS’s definition of research (45 CFR Part 46). Research dealing directly with data containing personal identifiers may require (1) a HIPAA authorization to use and/or disclose protected health information or (2) a HIPAA waiver. Application forms must address the protective mechanisms planned to protect the identity of persons and to evaluate the security of procedures to safeguard these identities. When a DUA is a part of the project submitted to the IRB, investigators should follow the Human Subjects Office protocol application guidelines on what information to include about data use.
Data Use Agreements and Non-Human Subjects Research
When conducting research with data that contains personal identifiers but does not fall under HHS’s definition of research (e.g. Other Sponsored Activity), the IRB would not be involved in the review of the DUA. However, the HIPAA Privacy Rule applies when researchers want to obtain, create, use, and/or disclose individually identifiable health information. For Incoming data, FSU will expect that any HIPAA waiver would have already been obtained by the data owner, as outlined by the scope of an executed agreement between FSU and the Data Provider.
RAMP Agreements allows for the electronic routing, review, and approval of data use agreements. Users may upload a draft agreement or ask the Agreements team (via the submission process) to prepare the agreement for them. Effective December 2, 2019, use of RAMP Agreements was required for all DUAs.
Access RAMP Agreements by clicking on the icon on the MyFSU Portal.
How To Guides are available within the RAMP Help Center.
See also Research Data Security Best Practices.
Questions about DUAs may be addressed to Glenn Ladwig, Research Legal Counsel, at firstname.lastname@example.org.
- NIH Genomic Data Sharing (GDS) Policy
- Data Repositories
Public Access (PA) literature is freely available online but subject to standard copyright and licensing restrictions. It is free to view and download, but readers have limited rights to reuse the material without permission.
Open Access (OA) literature is freely available online and free of most copyright and licensing restrictions giving readers broad rights to reuse the material without permission (Peter Suber, Open Access Overview).
Open Data (from the Open Data Handbook) is data that can be freely used, reused and redistributed by anyone - subject only, at most, to the requirement to attribute and share alike.
To be considered "open," the data must have the following three characteristics:
- Availability and Access: The data must be available as a whole and at no more than a reasonable reproduction cost, preferably by downloading over the internet. The data must also be available in a convenient and modifiable form.
- Reuse and Redistribution: The data must be provided under terms that permit reuse and redistribution including the intermixing with other datasets.
- Universal Participation: Everyone must be able to use, reuse and redistribute - there should be no discrimination against fields of endeavor or against persons or groups. For example, ‘non-commercial’ restrictions that would prevent ‘commercial’ use, or restrictions of use for certain purposes (e.g. only in education), are not allowed.
U.S. Office of Science and Technology Policy (OSTP)
On August 25, 2022, OSTP published a memorandum entitled, “Ensuring Free, Immediate, and Equitable Access to Federally Funded Research.” This memorandum provides policy guidance to federal agencies with research and development expenditures on updating their public access policies. In the memorandum, OSTP recommends that federal agencies, to the extent consistent with applicable law:
- Update their public access policies as soon as possible, and no later than December 31st, 2025, to make publications and their supporting data resulting from federally funded research publicly accessible without an embargo on their free and public release;
- Establish transparent procedures that ensure scientific and research integrity is maintained in public access policies; and,
- Coordinate with OSTP to ensure equitable delivery of federally funded research results and data.
Read the complete memorandum at https://www.whitehouse.gov/wp-content/uploads/2022/08/08-2022-OSTP-Public-Access-Memo.pdf.
On February 22, 2013, the OSTP issued a policy memorandum entitled “Increasing Access to the Results of Federally Funded Scientific Research.” The intent of the policy is to ensure that results of federally funded research are made available to the public. This includes peer-reviewed publications and data. A portion of the policy states:
The Office of Science and Technology Policy (OSTP) hereby directs each Federal agency with over $100 million in annual conduct of research and development expenditures to develop a plan to support increased public access to the results of research funded by the Federal Government. This includes any results published in peer-reviewed scholarly publications that are based on research that directly arises from Federal funds, as defined in relevant OMB circulars.
Federal Agency Policy Matrix - A table summarizing the Federal public access policies resulting from the US Office of Science and Technology Policy memorandum of February 2013.
Please address questions you may have about this topic to one of the following individuals:
- Diana Key, Director Research Compliance, email@example.com
- Devin Soper, Interim Associate Dean for Technology & Digital Scholarship and Director, Office of Digital Research & Scholarship, Florida State University Libraries, firstname.lastname@example.org
Florida State University’s information security and privacy policies and procedures effectively address the need to protect confidential and sensitive information that is maintained in the various spheres of University activities. The research setting poses particular information security risks and challenges, including regulatory and contractual constraints that require additional policy provisions and protective measures. To protect research data appropriately and effectively, FSU’s researchers, research oversight bodies, and information technology staff must understand and carry out their responsibilities related to data security.
See also Securing Human Subjects Research Data.
Controlled Unclassified Information (CUI) is information the federal government creates or possesses or the university creates or possesses on behalf of the government to which access or distribution controls have been applied in accordance with laws, regulations, or government-wide policies. CUI does not include classified information nor information the university possesses and maintains in its own systems that did not come from, nor was created or possessed by or for a government agency. A full list of controlled unclassified information types (categories & subcategories) is available at the CUI Registry.
Some agencies require that CUI be protected consistent with the National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST 800-171), which outlines specific controls that must be met while handling CUI. These controls already apply to some research being conducted at FSU, and will be required by more contracts as the University’s research portfolio grows and as federal agencies increasingly adopt these heightened security frameworks. For a more detailed overview, please see An Introduction to NIST Special Publication 800-171 for Higher Education Institutions.
The Department of Defense was the first to enact specific requirements for the protection of CUI. Other federal agencies are expected to adopt comparable regulations over the next year or two. The Offices of Research and Information Technology Services are committed to providing solutions to meet requirements for protecting CUI in compliance with its Federal or contractual obligations.
FSU researchers are responsible for:
- obtaining the sponsoring agency's guidance concerning access to CUI;
- determining who will have access to CUI; and
- contacting the Office of Research Compliance Programs if a protection/security plan (e.g. technology control plan) is required to control access to and dissemination of CUI.
Code of Federal Regulations
32 CFR Part 2002, "Controlled Unclassified Information" established the policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI; self-inspection and oversight requirements; and other facets of the CUI Program. This rule affects federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to federal information and information systems on behalf of an agency.
Department of Defense (DOD)
When CUI may be shared with FSU, a DOD contract or subcontract may include DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This clause requires that the researcher and the university meet specific National Institute of Standards and Technology (NIST) standards (NIST 800-171 Rev. 1) to safeguard CUI.
FSU’s Compliance Plan
There are multiple components required for compliance with the NIST standards. The regulation allows the contractor to self-attest to compliance if it can demonstrate implementation or planned implementation of the security requirements with a system security plan and associated plans of action documentation. FSU has developed the following documents which may be submitted with the proposal as required by the solicitation or the funding agency's contracting officer.
- System Security Plan (SSP) – A document that is periodically updated to describe system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems. This Plan is the university-wide IT platform for securing research-based CUI. Operational details for individual research contracts (e.g., Principal Investigator, department, contract number, computing requirements) will be prepared as supplements to this Plan.
- Plans of Action & Milestones (POAMs) – A document used to describe individual, isolated, or temporary deficiencies and the management plan designed to correct the deficiencies and reduce or eliminate vulnerabilities in the University’s systems utilized by the researcher.
Federal agencies may consider the University’s SSP and POAMs as critical inputs to the evaluation factor in the contract selection process. How and if this will be used in the proposal evaluation must be stated in the solicitation.
FSU has contracted with Amazon GovCloud to satisfy NIST 800-171’s infrastructure requirements. This secure enclave is branded for FSU as: NEST – Noles Environment for Secure Technology
- Diana Key, Director
Office of Research Compliance Programs
- Daniel Leggett, Program Director, Research Compliance
Office of Information Technology Services
Information Security and Privacy Office
Research Data Management Plans 101 - A data management plan (DMP) is a formal document that outlines how you plan to handle your data both during your research project and after your project is complete. The need for robust DMPs has increased, with more federal and private funding agencies requiring DMPs in their grant applications. So how do you create a DMP? In this 42-minute video, STEM Data and Research Librarian Nick Ruhs walked us through what DMPs are, resources that are available to help craft DMPs, how to create them, and examples of DMPs for specific funding agencies.
Secure Data Storage on OneDrive for Business & SharePoint Online - Microsoft uses an industry-standard encryption solution to protect data between the user’s device and the receiving server and in internal server-to-server communications, along with BitLocker disk and file storage encryption, which meets the federal FIPS 140-2 requirements for encryption strength. FSU's Information Technology Services published a matrix that identifies what types of data are approved for storage on FSU’s OneDrive for Business and SharePoint Online.
The Office of Digital Research and Scholarship (DRS) in University Libraries provides expertise and consultations on fulfilling funding requirements for public access to publications and data. DRS also offers data management planning services, assists researchers in the writing, editing and enactment of data management plans, and provides resources and information about data storage, funding agency requirements, data curation tools, data repositories, and the licensing or publishing of data sets.
Data Services - University Libraries works in partnership with the Office of Research Development and the Research Computing Center to provide resources and information about data management planning, data storage, funding agency requirements, data curation tools, and options for sharing, licensing or publishing data sets.
Faculty Senate Open Access Resolution October 19, 2011 (excerpt from Faculty Senate Library Committee – Task Force on Scholarly Communications: Final Report)
DigiNole Commons, FSU’s Research Repository
Association of Research Libraries, Open Scholarship