A data storage strategy outlines where and how you’ll store your data as you work through your project. There are many things that should be considered when planning your data storage approach including access and security requirements, the level of data sensitivity, storage costs and any relevant legislation.
Having a well-thought-out plan for your data storage will ensure that you can avoid:
Information security specialists have developed a useful acronym to use to assess your plan for data storage:
C - Confidentiality: Your data shouldn’t be made available to people who aren’t authorised to view it.
I - Integrity: Your data should be kept accurate and complete - no-one should be able to edit it without your knowledge and permission.
A - Availability: Your data should be able to be accessed by the appropriate people when they need to in a useful way.
Balancing these three considerations can be difficult. Keeping all your research on a piece of paper in a tightly locked office might provide good confidentiality, but it might not be very available to your collaborators. Putting all your working data up on an open Google Sheet that anyone can edit might result in great availability, but poor integrity. It’s important for you to understand how confidential your data should remain; how many people should be allowed to edit/modify it; and how people will get to the data when needed.
The Curtin University Information and ICT Appropriate Use Policy states that all datasets “will be identified and protected in a manner that is appropriate to their sensitivity and importance” - not all research projects will require the same approach and not all data within a research project will require the same treatment; some access requirements will make particular approaches more suitable or less suitable for your research project. That’s why it’s good to consider your approach to these issues alongside each other.
In addition to the information security requirements of Curtin, you may also need to adhere to requirements from industry or governmental regulatory bodies, funder/grant bodies or from external collaborators. Careful consideration of all these demands early on can help avoid problems at later stages.
When deciding on storage and access systems, it’s crucial to consider how sensitive the data is. Unauthorised disclosure of sensitive information can cause serious damage to individuals and organisations, so mitigating that risk is critical to the data management planning process and to the ethical conduct of research.
The Curtin Information Security Classification Decision Flowchart and the Information Security Classification Policy below can help you decide what the appropriate category of Information Security is for your data. The Decision Framework on the Use of Cloud Services linked below gives some considerations and guidelines when choosing a cloud storage system for your research data.
This classification can help determine:
It may be useful to note that for most Curtin research involving humans, the classification should be Confidential or Protected.
Information Security Classification Policy
Provides a framework to assist in assessing the sensitivity and importance of University information.
Information Security Classification Decision Flowchart [PDF, 414kB]
A simple flowchart to help determine the appropriate security classification of information (for Curtin staff only, access requires being logged in first to Curtin staff portal).
Decision Framework on the Use of Cloud Services [PDF, 294kB]
An advice sheet to help identify risks associated with cloud computing (for Curtin staff only, access requires being logged in first to Curtin staff portal).
Data loss, whether caused by technical or human error, can set your research back for years. Backups and safeguarding refer to your steps and plans to minimise the risk of loss or destruction of your data. The specifics of your plan will depend on your dataset size, software or instrumentation used and your research process, but some recommendations are universal:
The UK Data Service provides a list of things to consider when planning your approach to backups.
3-2-1 Backup Method
A description of the 3-2-1 backup method - a strong and common backup approach.
As a general guide, using external hard drives should only be done when there is a specific need, such as research with fieldwork where there is no internet access or specific instrumentation requirements.
Any research data assigned as For Official Use Only, Confidential, Confidential: Personal or Protected under the Curtin Information Security Classification Policy must be encrypted when stored on any removable hard drive. If the research is being done on Curtin-owned PCs, researchers should contact DTS for support with Windows BitLocker. Researchers using their own computers should look into VeraCrypt, Cryptomator or other trusted solutions.
If hard drives are used as a storage option, you should follow the standard cybersecurity advice provided by DTS for your encryption key and look at strong passwords, third-party password managers and 2-factor authentication.
The Customs Act 1901, the Defence Trade Control Act 2012 and the Defence and Strategic Goods List 2019 establish a set of restrictions to control the flow of items and technology related to the armed forces or goods that are inherently lethal, or to things that aid their development or manufacturing. These restrictions also extend to data, information and software that meet these criteria.
One of the requirements is that anyone importing, exporting or otherwise moving any of these things must have a permit. If you believe your research falls into this category, please read the information in the “Exporting controlled goods and technologies” link below and contact the Research Office for guidance and help.
Exporting controlled goods and technologies
Information from the Research Office at Curtin on the requirements around controlled goods.
Defence and Strategic Goods List 2019
The current legislative instrument defining the controlled goods.