University of California, Riverside

Security



Managing Your Data


Data Maintenance

The following information covers the rules and regulations for the collection, maintenance, and storage of sensitive electronic data.

Collecting and Retaining Data

Collect and retain only that data which is essential to the research/grant. Delete personal information when there is no longer a research need. Remove personal information not critical to research when distributing full data sets to downstream users. If personal information cannot be removed, investigate the use of safe unique identifiers instead of social security numbers. Be prepared in advance in the event of the need for any immediate notification to individuals whose personal data is retained on computing systems.

Downstream Users

When personally identifying information is included in the distribution of data to any downstream users, include notification of that fact, including reference to these guidelines. Label removable-media to indicate special handling is required; again use of safe unique identifiers should be considered.

External Service Providers

Review and update agreements with external service providers to ensure vendor compliance with restricted and sensitive data requirements.

Notification Requirements

Be prepared in advance in the event of the need for any immediate notification to individuals whose personal data is retained on computing systems.

Casual Viewing of Data

Never leave sensitive data exposed on computer screens when not in use or leave computer screens unattended without appropriate screen access controls.

Data Sanitization

Data sanitization, the act of making data on electronic devices unreadable by destruction of the device, or scrubbing the storage unit, is a necessary step in protecting your passwords or if you're a data custodian protecting data such as social security numbers, drivers licenses and credit card information. This final step ensures data isn't inadvertently disclosed and is as important as protecting data while at rest or during transit. Dispose all media containing protected data in a secure manner.  Comprehensive information on data sanitization including UCR policy and Best Practices, Steps to Follow, Methods of Data Sanitization, Data Sanitization Practices by Organization, Data Sanitization Form, and Resources can be found at C&C's Data Sanitization website.

Communications and Education

Educate investigators/researchers about safe handling of sensitive research data.

Electronic Devices Used to Store the Data

The steps required to secure electronic research data vary depending on the nature of the system in question (e.g. the steps needed to secure a USB hand-held flash drive differ from those required to secure a large server and relational database). Thus, after appropriately classifying the research data, the researcher should identify any / all systems that will be used to house / access this data.

The plan to secure research data should thus be a function of both the sensitivity of the data, as well as the hardware used to store the data. If the research data contains sensitive data and is transportable on a laptop or flash drive, it is recommended the data at rest be encrypted. If the data is kept in a physically secure location on a expertly administered server and not transmitted over the network sensitive data may not require encryption.

More Information 

General Campus Information

University of California, Riverside
900 University Ave.
Riverside, CA 92521
Tel: (951) 827-1012

Department Information

Computing & Communications
Computing & Communications Bldg.

Tel: (951) 827-4741
Fax: (951) 827-4541
E-mail: helpdesk@ucr.edu

Footer