For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

Research Data Management Guidance, Tools & Resources

Research data management (or RDM) is a term that describes the organization, storage, preservation, and sharing of data collected and used in a research project. This guide will assist researchers in planning for the various stages of managing their research data and in preparing data management plans required with funding proposals.

The following steps will help you write-up a comprehensive Data Management plan (DMP).

  1. Identify your Data Types
  2. Identify your Users
  3. Identify your Storage needs
  4. Consult with an Expert
  5. Make a Data Management Plan (DMP)
  6. Review the How-To section for specific instructions 

Note: It is recommended to go through the above items in the same order. 

This research data management guidance, tools & resources was put together by the CNHP REsearch Data MAnagement Protocol (REDMAP) group comprising of  representatives from the CNHP Office of Research, CNHP IT, Corporate Compliance and Privacy Office, DU Office or Research and the Drexel libraries.

Some common data classifications used in research. 

  1. Public: Data that may be disclosed to the public. Examples include course catalogs.
  2. Internal: Data that is not meant for public distribution. Examples include process documentation, meeting minutes, donor information.
  3. Confidential: Data that is disclosed or compromised could have on the universities operation and/or reputation. Examples include contracts, financial information, donor information, internal memos.
  4. Sensitive: Data that if disclosed or compromised could put the university at a legal and/or financial risk. Examples include Personally Identifiable Information, Private Health Information, credit card numbers, FERPA information.
    What kind of data will the vendor/application store, transmit or have access to? Please check all the boxes which are applicable.
    1. Personally Identifiable Information (PII): Any information that may be used to distinguish or trace a person’s identity. Examples of PII include a Name, Email, DOB, Phone, Address, Social Security Number (SSN), a driver’s license, passport or state ID,  and so on.
    2. Payment Card Information (PCI): Is credit card-related information covered by the Data Security Standards of the Payment Card Industry (PCI). Financial Information: is any information that a student or other third party provides in order to obtain a financial service from the university.
    3. Patient Health Information (PHI): Any PII in combination with health information covered by the Health Insurance Portability and Accountability Act (HIPAA).
    4. FERPA Information: Any data that could be used to identify a student as covered by the Family Education Rights and Privacy Act (FERPA).

Some common sub-classes of Sensitive data used in research

  1. Limited Data sets: The Privacy Rule primarily addresses identifiable and de-identified information. But it also includes a middle option wherein investigators may use patient data that qualifies as "identified data" in the form of a "limited data set" without HIPAA Authorization or a waiver of HIPAA Authorization. The Limited data set permits the use of select identifiers with limited Privacy Rule requirements can be used for research, health care operations and public health purposes only. The Limited Data Set is identified data requiring permission of the record custodian for data use. You MUST disclose any forms of Limited data sets in the data management section and follow up with CNHP-IT to ensuring adherence with applicable Federal/State laws and DU policies. For more information go to this HHS Website.
  2. Coded Data: Direct personal identifiers have been removed (e.g., from data or specimens) and replaced with words, letters, figures, symbols, or a combination of these (not derived from or related to the personal information) for purposes of protecting the identity of the source(s); but the original identifiers are retained in such a way that they can be traced back to the source(s) by someone with the code. Note: A code is sometimes also referred to as a “key,” “link,” or “map.”
  3. De-identified: All direct personal identifiers are permanently removed (e.g., from data or specimens), no code or key exists to link the information or materials to their original source(s), and the remaining information cannot reasonably be used by anyone to identify the source(s). For more information on De-Identification can be found in this HHS website.
  4. Anonymous data: Unidentified (i.e., personally identifiable information was not collected, or if collected, identifiers were not retained and cannot be retrieved); information or materials (e.g., data or specimens) that cannot be linked directly or indirectly by anyone to their source(s).

Clearly identifying the users and their roles will significantly reduce the chances of data loss, theft or corruption.

PI/Custodian: The principal investigator (PI) is the data custodian. All Research related data MUST reside with the PI at ALL TIMES. It is the data custodian’s responsibility that the data is stored safely and securely. It is recommended that the custodian periodically (yearly) perform a data privacy and security audit. The custodian is the ONLY person authorized to share data with team members, collaborators and other personnel as per the needs of the project.

Drexel Authorized Users: These comprise of personnel who have a valid Drexel account (abc123@drexel.edu) and are authorized to operate on the PI’s data. Drexel authorized users will use their Drexel email Id and password in order to operate on the data.

Non-Drexel Authorized Users: Include all members of the research team who do not have a valid Drexel email id but are authorized to access the research data. Non-Drexel  authorized users will use either their Institutional login or their personal login to access the files.

Authorized Drexel Administrative and Support staff: These include only Drexel faculty or staff who are authorized to assist the PI with technical help like setting up backup/archive mechanisms, periodic data audits, hardware and software issues, data loss, data corruption, data breaches, etc.

Anonymous users: This group includes personnel who will have access to data without needing to log into the system. These include publically posted data, email blast recipients, website viewers, etc. Since these members do not have the capacity to be audited, the data sent to them should be considered a high-risk data and should be:

 

Guidelines for research data storage

The 3-2-1 rule is a best practice for backup and recovery. It means that when you build out your backup and recovery strategy you should:

  • Keep at least three copies of your data: That includes the original copy and at least two backups.
  • Keep the backed-up data on two different storage types
  • Keep at least one copy of the data offsite

Implementing this procedure gets tougher when dealing with PHI and especially challenging when dealing with non-Drexel team members. There are many ways of implementing the 3-2-1 backup policy using the tools available at Drexel University. One such implementation is illustrated below. We highly recommend that you consult the experts before planning your implementation.

3-2-1 Backup Plan 

Privacy/Security Grid

Storage Solution

Export-controlled data

PHI

Drexel Authorized Users

Non-Drexel Authorized Users

Anonymous Authorized Users

Data tied to user account

Auto-Backup

Yes/No/*

Notes

Drexel OneDrive

No

Yes

Yes

Yes*

Yes*

Yes

Yes

Needs a computer with enough storage

Encrypted File Server

Yes

Yes

Yes

No

No

No

No

Only accessible within Drexel network/VPN

File Server

?

No

Yes

No

No

No

No

Only accessible within Drexel network/VPN

CrashPlan

?

Yes

No

No

No

Yes

Yes

Data cannot be shared

LiquidFiles

?

Yes

Yes

Yes

No

Yes

No

Send and request huge data files via email

Encrypted Email

?

Yes

Yes

Yes

Yes

Yes

No

Must use keyword [encrypt] in the subject

Drexel Encrypted Computer

Yes

Yes

Yes

No

No

No

No*

Must be procured and setup through CNHP IT

Portable Encrypted Drives

No

No

Yes

Yes

Yes

No

No

Must be procured and setup through CNHP IT

 

Data storage solutions offered by CNHP

Drexel OneDrive:

Features: 5TB of storage per user. Ability to restore recent versions of files within recovery window. Useful for collaboration and production environment. Can be used so synchronize copies of files to a computer.

Important Notes: Can not be used for export controlled data. Version history not saved indefinitely. Sharing sensitive data outside of Drexel requires permission (request from SensitiveDataSharing@drexel.edu). Data is tied to user’s account (when user account is deleted, data will be deleted as well)

Drexel File Server (Encrypted):

Features: Security permissions set with assistance from CNHP IT. Data storage option for export-controlled data. Requires Drexel encrypted computer for access. Data is not tied to a user account.

Important notes: Limited file recovery window. Working directly from file server is not recommended. Useful as location to store backup copy of data that is accessed infrequently.

Drexel File Server (Unencrypted):

Features: Accessible from Drexel and non-Drexel computers (Drexel encrypted computers are recommended). Data not tied to user’s account.

Important notes: PHI not allowed. Per-user storage quota (can be increased in most cases). Data not encrypted at rest.

CrashPlan:

Features: Retains archive version of files forever, even if file is deleted. Unlimited storage. Already running on most CNHP User’s PCs and Macs. Useful as archive option.
Important notes: Must be paired with Drexel computer that stores data destined for CrashPlan. CrashPlan archive accessible only to subscribed user account. Requires subscription or data will be deleted. Backup status needs to be monitored by user.

LiquidFiles:

Features: Very large file size limit. File download history is tracked. Useful if file is too large to send via encrypted email.
Important notes: Access requested through CNHP IT and requires approval from Drexel Privacy Office. Limited number of downloads per file.

Encrypted Email:

Features: Easy to use (add [encrypt] to the subject of your message). Important notes: User needs to verify identity with Microsoft account or one-time passcode. Attachment size limit.

Drexel Encrypted Computer:

Features: Storage is expandable as needed/budget permits. Provides offline copy of data. Can serve as data backup and provide secondary storage location for OneDrive.

Important notes: Hardware can fail, resulting in data loss unless CrashPlan or OneDrive Sync is running on device.

Drexel REDCap

Features: HIPAA compliant survey and data collection program, developed specifically for research use. Please read the How-To section for instructions on activating your REDCap access.

Important notes: Online data collection portal. Data can exported or shared in a de-identified format almost instantly, if the project was properly setup.

 

 

At any point in the formulation of your Data Management Plan (DMP), you may consult an expert.

A few places you might find these resources are:

  1. CNHP IT
  2. CNHP Office of Research
  3. Drexel Libraries
  4. Corporate Compliance and Privacy Office

Note: In order to provide our best possible support to your project (throughout its data life cycle), please consult an expert prior to submitting your DMP. 

We are currently working with DMP Tool to create templates unique to CNHP researchers.

Meanwhile, feel free to explore their library of available templates for creating a DMP.

Answers to a few commonly asked questions

How to share files with collaborators without a Drexel login

  1. Does the external user have a OneDrive account (either a personal one or through their institution)
    1. If YES: Get their OneDrive Login email address
    2. If NO: Ask the user to create a OneDrive account using their email address. This can be a free personal OneDrive account.
  2. Get the EXACT email used by the external user to login to their OneDrive.
  3. Notify SensitiveDataSharing@drexel.edu about the user’s name, email and folder being shared.
    1. Even if the external user is IRB approved, Drexel needs to know the exact email to which files are shared. This helps with maintaining proper audit trails, a HIPAA compliance requirement.
  4. Go to the OneDrive file/folder that you want to send; click on the “Share” option and type the external user’s EXACT OneDrive email. If you wish to send a read-only copy, make sure you uncheck the allow-editing option.
  5. Send invite from the PI’s Drexel OneDrive sub-folder to the external user.
  6. CHECK with the user immediately if they have access. This also ensures that you sent the share to the correct email address. If the link was sent to a wrong person or if there are any issues, contact CNHP IT immediately.
  7. For the most part, External users can work entirely on the OneDrive web interface using their browser (www.onedrive.com). However, if they need to download and save files onto the local computer, the device needs to adhere to DU’s encryption policy. Contact CNHP IT for more information.

Note: Sharing files in the cloud is a very sensitive process as it is very easy to make mistakes. Please contact CNHP IT if you have any questions.

How to obtain a Drexel REDCap login using your Drexel login credentials (e.g. abc123)

  1. Register for REDCap:Register for REDCap access by filling out the form here: REDCap Registration.
  2. Complete the Training:Go to http://learn.drexel.edu to access the online learning management system. Detailed instructions will be in the email.
  3. Notify the team: After you have passed the test, please send an email to Research.Informatics@Drexelmed.edu informing them that you have taken and passed the REDCap quiz.
  4. Login to REDCap: Once notified that you have access, go to Drexel REDCap Site and login with your Drexel credentials. This will be your REDCap portal. Bookmark this link if necessary. You are ready to start your first project!

Note: There is a similar looking site REDCap Training Site. This site is for training purposes only. Do not use this site for collecting or storing research data.