Research Data Security, Management, and Control

An accurate research record is key to any research study or project. Proper management, security, and preservation of these records ensures that they are available should the need arise and are protected from improper destruction or deletion. Cleveland State University and the principal investigator (PI) of a research project have responsibilities and rights concerning access to, use of, and maintenance of data resulting from research conducted by faculty, students, or staff at CSU.

The PI has the right and authority to control the appropriate use of, and access to, any data resulting from research conducted under their management or supervision, including the use of data in scholarly publications and presentations. Under Ohio law (Ohio Revised Code §3345.14) and federal regulation (OMB Circular A-110, Sec. 53), any tangible research property, including data and/or other records of research conducted under the auspices of Cleveland State University, belongs to the university.

Compliant record keeping of physical and electronic data records is critically important if questions arise regarding the accuracy or integrity of data.

Any request for controlled-access data must be reviewed by the Technology Transfer Office and is subject to review by the Research Integrity Officer.

Research Compliance

Research Data are primary records that are necessary for the reconstruction and evaluation of reported results of research and the events and processes leading to those results, regardless of the form of the media on which they may be recorded. Such data may include lab notebooks, computer storage (e.g., hard drives), cloud storage, or other storage mechanisms.

If you are not dealing with research data, but are handling student data, employee data, health data, etc., you should follow university guidance for sensitive university data.

Data Collection and Retention

Under federal regulations, the university must retain research data in sufficient detail and for an adequate period of time to enable appropriate responses to questions about accuracy, authenticity, primacy, and compliance with laws and regulations governing the conduct of the research. The principal investigator is responsible for the collection, management, and retention of research data. The PI should adopt an orderly system of data organization, and should communicate the chosen system to all members of a research group and to applicable administrative personnel as appropriate. The PI should establish procedures for the protection of essential records in the event of a natural disaster or other emergency.

Research data should be archived for a minimum of five years after the final project closeout (this is based on the longest required retention period under the various applicable federal regulations), with original primary data retained wherever possible. Longer retention periods may be justified due to:

  • The terms of a sponsored research agreement
  • Protecting intellectual property resulting from the work (e.g., data used to support a patent or copyright application must be archived for a minimum of twenty years or other time as required by the Technology Transfer Office)
  • Allegations of research misconduct or conflict of interest
  • Student involvement in the research (typically, retention at least until a degree is awarded or the student has clearly abandoned the work)

Beyond the period of retention specified here, the destruction of research records is at the discretion of the PI according to their college or department policy. Records will normally be retained in the unit where they are produced. Research records must be retained in university facilities, unless the Vice President for Research grants specific permission to do otherwise.

Data Security

Research data that incorporates personally identifiable or sensitive elements (such as Social Security numbers), or proprietary university information or trade secrets or includes controlled unclassified information or export controlled information, must have adequate security protections and be treated as "sensitive data" under the Administrative Data Policy 3344-8-02. It is the responsibility of the PI to properly identify the classification of their data and to provide appropriate protections, as well as any additional data security that may be specifically required under the terms of a sponsored program agreement or data use agreement.

It is the responsibility of the PI to immediately report any suspected or proven disclosure or exposure of personal information or other restricted data in the custody of the PI, co-investigator(s), research staff or students, which is stored in a university computer, system, or data network resource, to IS&T and to the Research Integrity Officer.

A data security plan template is available and provides general guidance for creating a data security and/or data management plan for research data. This guidance and template may not be sufficient for all situations, and the investigator is responsible for familiarity with Cleveland State's data security requirements as well as those of the sponsor (if the research is funded) or data provider.


The PI has the right and responsibility to ensure that research is accurately reported to the scientific and academic community, as well as to select the vehicle for publication or presentation of research data and results. In the case of research conducted with a co-PI(s), the co-PI(s) jointly share the right and responsibility to ensure that research is accurately reported to the scientific and academic community as well as to select the vehicle for publication or presentation of research data and results unless they agree otherwise in writing.


To ensure needed and appropriate access as, for example, to facilitate a response to an allegation of research misconduct, the university has the option to take custody of the primary data and research records in a manner specified by the Vice President for Research. Students, postdoctoral researchers, research associates and fellows, or other research trainees (hereinafter "researchers") may be granted access to research data by a PI for academic or research purposes in connection with a course of study or degree program or in their capacity as employees.

  • Researchers given access to research data from any source are subject to all university rules, state and federal laws, and contractual obligations relevant to the data.
  • Faculty and staff who give researchers access to data must inform them, in writing where appropriate, of any limitations or restrictions on the use or dissemination of the data.
  • Researchers must retain access to data resulting from research projects they themselves have initiated, and to data acquired by processes for which they were primarily responsible.
  • Researchers previously given access to research data in connection with a course of study, degree program, or contract may be denied such access by the PI or other responsible university official for reasonable cause.
Transfer in the Event an Investigator or Researcher Leaves the University

In general, when the PI or co-investigators involved in research projects at CSU leave the university, they may take copies of research data for projects on which they have worked.  As required by academic practice, the use of such data (for example, to conduct additional research, or for presentation or publication) is dependent on agreement with the PI, or as may be formally agreed-upon beforehand by the PI and other co-investigators in a data use agreement. In all cases, the PI must retain the primary research data at the university unless specifically authorized.  
If a PI leaves the university or a project is moved to another institution, the primary research data may be transferred after written agreement between CSU and the other institution. Such a written agreement will provide for:

  • Adoption by the new institution of all custodial responsibilities for the data, including acceptance of all university and federal security requirements for restricted data that is transferred
  • Formal recognition by the new institution of Cleveland State University's continued ownership of the data
  • Guaranteed access by Cleveland State University to the primary data, should such access become necessary.
Export Control

The PI is responsible for assuring compliance with any agreed-upon restrictions from sponsors (including publication and sharing with non-U.S. citizen collaborators and/or students) when using data that is controlled under federal International Traffic in Arms Regulations or Export Administration Regulations. If a PI has any questions about export control, they should contact the Technology Transfer Office.

Controlled-Access Data Sets

Certain databases containing personally identifiable data and/or other sensitive data, such as names and addresses, income data, educational attainment, genomic data, and others, are managed by an entity (the "maintainer") that manages the access and usage of those data. Access to these datasets requires a data use agreement between the University and the maintainer, and the University's endorsement of the PI's access to those data. PIs requesting access to a controlled-access data set must have their request reviewed and accepted by the Office of Research. The signature of the PI, a department chair, or college dean is not sufficient.

PIs are expected to strictly comply with all terms of the data use agreement and of the maintainer of the data sets. If the data maintainer allows a PI to download a copy of a controlled-access data set for local access and, those data may only be stored on an on-campus, university-managed computer. Cleveland State does not permit the storage of controlled-access data sets on any other computer system or storage media.

Any research that involves data from human subjects, whether or not it is from a controlled-access repository, must have IRB approval prior to the initiation of that research. IRB approval is required before the Office of Research will agree to a data use agreement for controlled-access data.

Developed from Ohio State University Data Policies and NIH Security Best Practices