Research data management

Considerations

A data storage strategy outlines where and how you’ll store your data as you work through your project. There are many things that should be considered when planning your data storage approach including access and security requirements, the level of data sensitivity, storage costs and any relevant legislation.

Having a well-thought out plan for your data storage will ensure that you can avoid:

  1. Data loss from human or technical error
  2. Data breaches, which may be malicious or accidental
  3. Breaching funder or legislative requirements
  4. Collaborator frustration from unforeseen access issues

Access and Security

Information security specialists have developed a useful acronym to use to assess your plan for data storage:

C - Confidentiality: Your data shouldn’t be made available to people who aren’t authorised to view it.
I - Integrity: Your data should be kept accurate and complete - no-one should be able to edit it without your knowledge and permission.
A - Availability: Your data should be able to be accessed by the appropriate people when they need to in a useful way.

Balancing these three considerations can be difficult. Keeping all your research on piece of paper in a tightly locked office might provide good confidentiality, but it might not be very available to your collaborators. Putting all your working data up on an open Google Sheet that anyone can edit might result in great availability, but poor integrity. It’s important for you to understand how confidential your data should remain; how many people should be allowed to edit/modify it; and how people will get to the data when needed.

The Curtin University Information and ICT Appropriate Use Policy states that all datasets “will be identified and protected in a manner that is appropriate to their sensitivity and importance” - not all research projects will require the same approach and not all data within a research project will require the same treatment; some access requirements will make particular approaches more suitable or less suitable for your research project. That’s why it’s good to consider your approach to these issues alongside each other.

In addition to the information security requirements of Curtin, you may also need to adhere to requirements from industry or governmental regulatory bodies, funder/grant bodies or from external collaborators. Careful consideration of all these demands early on can help avoid problems at later stages.

Data sensitivity

When deciding on storage and access systems, it’s crucial to consider how sensitive the data is. Unauthorised disclosure of sensitive information can cause serious damage to individuals and organisations, so mitigating that risk is critical to the data management planning process and to the ethical conduct of research.

The Curtin Information Security Classification Decision Flowchart and the Information Security Classification Policy below can help you decide what the appropriate category of Information Security is for your data. The Decision Framework on the Use of Cloud Services linked below gives some considerations and guidelines when choosing a cloud storage system for your research data.

This classification can help determine:

  • Where the data should be stored
  • Who can access the data
  • How the data should be disposed

It may be useful to note that for most Curtin research involving humans, the classification should be Confidential or Protected.

Backups and Safeguards

Data loss, whether caused by technical or human error, can set your research back for years. Backups and safeguarding refers to your steps and plans to minimise the risk of loss or destruction of your data. The specifics of your plan will depend on your dataset size, software or instrumentation used and your research process, but some recommendations are universal:

  1. An automated backup procedure is better than a manual one.
  2. Backups should occur at regular intervals and whenever major changes are made.
  3. Store your backups on multiple types of storage in multiple locations. The link below on the 3-2-1 Backup Method describes this more.

  • Data Backup
    The UK Data Service provides a list of things to consider when planning your approach to backups.

  • 3-2-1 Backup Method
    A description of the 3-2-1 backup method - a strong and common backup approach.

External hard drives

As a general guide, using external hard drives should only be done when there is a specific need, such as research with fieldwork where there is no internet access or specific instrumentation requirements.

Any research data assigned as For Official Use Only, Confidential, Confidential: Personal or Protected under the Curtin Information Security Classification Policy must be encrypted when stored on any removable hard drive. If the research is being done on Curtin-owned PCs, researchers should contact DTS for support with Windows BitLocker. Researchers using their own computers should look into Veracrypt, Cryptomator or other trusted solutions.

If hard drives are used as a storage option, you should follow the standard cybersecurity advice provided by DTS for your encryption key and look at strong passwords, third-party password managers and 2-factor authentication.

Defence and Strategic Goods List

The Customs Act 1901, the Defence Trade Control Act 2012 and the Defence and Strategic Goods List 2019 establish a set of restrictions to control the flow of items and technology related to the armed forces or goods that are inherently lethal, or to things that aid their development or manufacturing. These restrictions also extend to data, information and software that meet this criteria.

One of the requirements is that anyone anyone importing, exporting or otherwise moving any of these things to have a permit. If you believe your research falls into this category, please read the information in the “Exporting controlled goods and technologies” link below and contact the Research Office for guidance and help.