Research Data Protection and Security
Stony Brook University (SBU) remains committed to the principles of academic freedom and the open exchange of knowledge, which serve as the bedrock of research and scholarship. Our faculty, staff, and students are encouraged to participate in fundamental and applied research, as these may promote the creation of knowledge and enrich learning experiences. In addition, data and intellectual property derived from both funded and unfunded research activities should be secured in a manner consistent with applicable requirements, including those of federal and state agencies, as well as SBU's own policies.
SBU Research Data Ownership, Retention, and Access Policy
Quick Facts:
- All Research Data and related records belong to the University unless such ownership is precluded by the terms of an award or other agreement.
- When faculty (Principal Investigator) leave SBU, transfer of Research Data requires prior approval.
- Faculty (Principal Investigator) are responsible for developing, maintaining, and managing policies and procedures for their data assets, including management, sharing, retention, security, and disposition of Research Data.
- Research Data must be retained for at least three years after the end of a research project; however, there may be circumstances or requirements for longer periods of retention (see policy for examples).
The SBU Research Data Ownership, Retention, and Access Policy provides a baseline requirement. Award terms and conditions, U.S. federal laws and regulations, international laws, or other circumstances may impact obligations and require more stringent protection standards.
Schedule a Meeting with a Research Data Security Professional
SBU Information Security Program (ISP)
SBU's Information Security Program (ISP) brings people, process and technology together to manage cyber risk to SBU's mission, and to protect all members of our community. The Information Security Program Council (ISPC) acts to set information security program priorities, responds to input from the working groups, and acts to formally adopt policies and procedures. In addition to working group team leads, it consists of a core group of senior leaders and others who have a vested interest in assuring the success of the information security program.
Policies and Resources
- SBU Cybersecurity Policies
- Sensitive Information Classification Policy
- Data Classification Security Standards
- Secure Computing Guides
- Security Consulting
Notify the cybersecurity team if you are aware of a potential cybersecurity incident. How to report an incident.
SBU Training Requirement
The Division of Information Technology (DoIT) is responsible for the oversight of cybersecurity training. All faculty and staff are required to take annual Cybersecurity Awareness Training.
Guidance for Research Data Protection
Overview: Protection of Data
The standard to which data is protected depends upon the source and type of data. Researchers are obligated to protect data to the standards required in the agreements/awards for their projects.
Below is a discussion of common data types and sources with best practices and/or legal requirements for data protection. Researchers should be familiar with the standards for the type of data that they work with in their projects.
Fundamental Research Data
Data that is free of restrictions and intended to be published.
Even when there is an intent to publish, it is important to protect the integrity of the data and control access so the researchers who developed the ideas and associated research and data are the ones who decide how and to whom it is released.
Research Cybersecurity Baseline
Research Physical Security Baseline
In some cases, additional data protections are needed beyond these recommended baselines. These are discussed below.
Restricted Research Data
Data that has limitations on its access or use.
This may include export-controlled data, U.S. government controlled data, proprietary data, and personally identifiable data, all discussed below in more detail.
Important: Researchers should be aware that acceptance of pre-publication and/or foreign national participation approval (written or verbal agreement) moves their collected data into the category of restricted data.
Export Controlled Data
Data that is subject to U.S. export control regulations.
U.S. Government Controlled Data
Data that is subject to U.S. government controls.
This data, when identified by the federal government, is required to be protected to specific standards. Watch the SUNY/RF Introduction to CMMC (FCI and CUI) video clip. Additional information is also provided at the links below.
Federal Contract Information (FCI)
Controlled Unclassified Information (CUI)
Note: To attend conference sessions and/or meetings where CUI will be disclosed, a Military Critical Technology Data Agreement (DD2345) would be required.
Note that SBU does not conduct Classified Research.
Proprietary Data
Data that is sensitive, confidential, or unique to a person, institution, or business.
This can be intellectual property, confidential business information, or other data that is not generally available to the public.
Note: This could be SBU data or data received from a 3rd party.
Personally Identifiable Information
Data related to persons that is protected by federal, state, and international laws.
In the U.S. there is not one law that protects personally identifiable information (PII).
Personally Identifiable Information
Personal Data and International Laws
NIH Controlled-Access Data Sets (Genomic)
Research Data Management Resources
Research data management is a collaborative effort between the researcher, Division of Information Technology (DoIT), Stony Brook Medicine IT (SBMIT), Office for Research and Innovation, and other key administrative offices. Below are some key resources.
A data management plan (DMP) is a formal document that outlines how data will be handled during and after a research project.
- Many funding agencies, especially government sources, require a DMP as part of their application processes.
- Even if your research is not funded, documenting a plan for your research data is a best practice.
- It can be helpful to use a tool like the Data Management Plan Tool (DMP Tool) to create a DMP that meets the sponsor's requirements.
A data protection plan for research projects outlines how the researcher will safeguard sensitive and/or restricted data.
- Key aspects of a data protection plan include a framework for handling data, risk management, access control, incident response, training, and relevant regulations.
- In some cases, data protection and/or security are required as part of Data Management Plans.
- In other cases, data protection plans are required by the Office of Research Security to document how a researcher will comply with enhanced cybersecurity or privacy requirements.
Contact the Office of Research Security for assistance with Data Protection Plans.
Data storage security involves protecting research data from unauthorized access, loss, or corruption. This includes:
- Implementing measures to safeguard data both during storage and transmission.
- Establishing secure backup and disposal procedures.
- Key practices include encryption, access control, secure storage locations, and regular backups.
Research Computing and Informatics (RCI) serves the advanced computing needs of the SBU research community.
- RCI can assist with services and/or resources for data management, processing, and storage.
Research Data Protections
Research data should be appropriately protected for third-party use. Below are some common ways to protect research data when engaging with external collaborators/sponsors/partners.
A Data Use Agreement (DUA) is used to outline terms and conditions for transferring and using non-public data. DUAs are commonly used for the transfer of personally identifiable information.
The Office for Sponsored Programs Administration maintains a website for Data Use Agreements.
A Non-Disclosure Agreement (NDA) is used to outline protections for sensitive information and obligates the receiving party to keep information confidential. NDAs are commonly used to protect proprietary information.
Intellectual Property Partners maintains a website for Non-Disclosure Agreements
Requests for Non-Disclosure Agreements should be sent to sbu_nda_stonybrook.edu
New Technology Disclosures (NTD) are submitted to Intellectual Property Partners to create a record of an invention, the inventors, sponsorship of the work, and public disclosures.
Intellectual Property Partners (IPP) maintains a website for New Technology Disclosures.
Contact IPP about your new technology disclosure at sbu_ntd@stonybrook.edu
U.S. Government Prohibitions
The U.S. government has issued prohibitions on the procurement and/or use of certain technologies, equipment, and services, particularly on federal contracts.
These are primarily prohibitions on specific vendors and/or manufacturers. Special attention should be paid to purchases for any of the below technology areas.
Restricts purchase and use of telecommunications and surveillance equipment in federally sponsored awards from specified vendors/manufacturers.
There is a general prohibition on campus for these vendors/manufacturers.
Restricts the use of ByteDance/TikTok on devices when working on federal contracts.
Restricts the purchase and use of drones (unmanned aircraft systems (UAS)) in federally sponsored awards from specified vendors/manufacturers.
Restricts hardware, software and services developed or provided by the Kaspersky Lab Covered Entities.
International Travel and Data Security
Policy on Data & Devices for International Travel
Travelers should closely follow published IT Security Considerations While Traveling and International Transfers: Shipments, Hand-Carry, and Electronic Transmissions.
Additionally, when traveling to High-Risk Countries (defined in the policy), travelers:
- Must not take University laptops, tablets, mobile devices, or any device containing Sensitive Information with them.
- Must not take personally owned laptops, tablets, mobile devices, or any device (1) containing Sensitive Information or (2) connected to SBU resources with them.
See Laptop Loaner Program for travel to high risk countries
Questions?
Contact the Research Security Program
Additional SBU Contacts:
- Information Security Program
- Research Computing and Informatics
- SBU Libraries - Research Data
- Intellectual Property Partners
- International Research, Planning & Effectiveness
Report Concerns about Research Security
If, after reviewing the information provided on this website or any other resource on research security, you believe that a violation may have occurred, use the resources below:
- EthicsPoint: Reports may be submitted via SBU's secure third-party confidential reporting system by web and mobile devices or telephone (see information provided below). Select the "Export Control/Research Security Concern" type. Reports may be submitted anonymously. Mobile and web reporting is available, or you may report by phone at (833) 223-7024, or you may e-mail or call (631-632-1954) the Director of Research Security.