Research Data Risk Classifications, Definitions, and Examples
Low Risk
Loss of confidentiality, integrity, or availability of this data would have little to no adverse impact on the University or UVM Health's mission, operations, safety, finances, reputation, or on patients' rights or welfare.
Examples
- Human subject data from public databases
- Coded non-sensitive human subject data
- De-identified human subject data
- Some Exempt determinations
Moderate Risk
Data that is not generally available to the public. Loss of confidentiality, integrity, or availability of this data or the systems on which it is stored and used could have an adverse impact on the University or UVM Health's mission, operations, finances, safety, reputation, or on patients' rights or welfare.
Examples
- Identifiable non-sensitive human subject data
- Coded sensitive human subject data
- PHI without direct identifiers (Limited Data Set)
- Some Exempt determinations
- Some research under Expedited categories
High Risk/Restricted Data
Data that must be protected by law, regulation, or organizational policy. Loss of confidentiality, integrity, or availability of this data or the systems on which it is stored and used could have a severe adverse impact on the University or UVM Health's mission, operations, finances, safety, reputation, or on patients' rights or welfare.
Examples
- Identifiable sensitive human participant data
- Regulated human participant data (federally funded or supported, FDA, HIPAA, Part 2, FERPA, PPRA, GDPR, etc.)
- Exempt 2iii, 3iC, and 4iii determinations
- Some research under Expedited categories
- More than minimal risk research
- Clinical Trials
| Legend | | |
|---|---|---|
| ✅ = Allowed | ⚠️ = Talk to your IRB analyst | ❌ = Not Allowed |
UVM & LCOM Research Data Guidance

| UVM or LCOM System/Technology | Low Risk data | Moderate Risk data | High Risk/Restricted data: Common Rule | High Risk/Restricted data: Unregulated | High Risk/Restricted data: HIPAA | High Risk/Restricted data: GDPR | High Risk/Restricted data: FERPA/PPRA |
|---|---|---|---|---|---|---|---|
| DATA COLLECTION & STORAGE (notes 1, 2) | | | | | | | |
| SharePoint | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| UVM or LCOM OneDrive | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| UVM shared drive (S:\) | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| LCOM shared drive (L:\Labs) | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| LCOM Secured shared drive (L:\Secured) (note 3) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| LCOM Secure Environment for Data and Research Computing (SEDRC) server (Q:\) (note 3) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| L:/Centers (note 3) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| UVM Netfiles | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| VACC | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| OnCore | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Qualtrics | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| UVM/LCOM-licensed REDCap (note 4) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| UVM-licensed MS Teams | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| UVM-licensed MS Copilot | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| UVM-licensed MS Forms | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| A.I. programs (except MS Copilot) | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Prolific | ✅ | ✅ | ⚠️ | ⚠️ | ❌ | ⚠️ | ⚠️ |
| Amazon MTurk | ✅ | ✅ | ⚠️ | ⚠️ | ❌ | ⚠️ | ⚠️ |
| Cloud Research | ✅ | ✅ | ⚠️ | ⚠️ | ❌ | ⚠️ | ⚠️ |
| Google (drive, sheets, docs, voice, gmail) | ⚠️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Dropbox | ⚠️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Computer hard drive (note 5) | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| Thumb/USB/external drive or disk (encrypted) (note 5) | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| Digital or tape audio-recorder (note 5) | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| Mobile phone (note 5) | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| Other smart devices (note 5) | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| Digital or film camera (note 5) | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| VIRTUAL CONFERENCING | | | | | | | |
| UVM-licensed MS Teams | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| LCOM-licensed Zoom (note 3) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| FILE TRANSFER | | | | | | | |
| UVM File Transfer | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Globus | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| DATA ANALYSIS | | | | | | | |
| UVM licensed software | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Notes
1. If you don't see your technology in this list, please consult your IRB Analyst.
2. It is not permitted to store electronic data within UVMHN systems that is generated by an external source (i.e., from UVM, including UVM LCOM, or any entity or system outside of UVMHN); all data stored within UVMHN systems must originate from a UVMHN source or system (repository, Exempt 4iii). Consult your IRB Analyst to discuss options for storage of UVMHN data.
3. COMTS provides tailored guidance in selecting secure storage solutions based on data risk levels unique to medical research. Creation of, or access to, these folders is obtained by submitting a footprint here. HIPAA-compliant Zoom access can also be requested via a footprint.
4. Reach out to the REDCap Administrator if you are using REDCap for an FDA-regulated study for information about Part 11-compliant REDCap access. Use of REDCap licensed by other institutions will be evaluated on a case-by-case basis and is likely subject to the terms of Data Use Agreements or contracts.
5. This is not a recommended storage option. Choose this only if there is no viable alternative. Digital storage devices and media that contain protected data must be encrypted, and any written records of encryption passwords must be secured in locked storage.
UVM Health Data Handling Guidance
| UVM Health System/Technology (notes 1-5) | Low Risk Data | Moderate Risk Data | High Risk/Restricted Data: Common Rule | High Risk/Restricted Data: Unregulated | High Risk/Restricted Data: HIPAA | High Risk/Restricted Data: GDPR | High Risk/Restricted Data: FERPA/PPRA |
|---|---|---|---|---|---|---|---|
| DATA COLLECTION & STORAGE | |||||||
| UVM Health SharePoint | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| UVM Health Shared Drive (S: or Q: Drives) | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| UVM Health-licensed Microsoft Teams | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| UVM Health-licensed Microsoft Outlook (Email) | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ❌ | ❌ |
| UVM Health-licensed MS Forms | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ❌ | ❌ |
| UVM Health-licensed Drupal Webforms | ✅ | ⚠️ | ❌ | ❌ | ❌ | ❌ | ❌ |
| UVM Health-licensed Microsoft Copilot | ✅ | ⚠️ | ❌ | ❌ | ❌ | ❌ | ❌ |
| UVM Health-approved A.I. programs (except MS Copilot) | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ❌ | ❌ |
| UVM Health-approved computers | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ❌ | ❌ |
| UVM Health-approved USB/external drive or disk (encrypted) | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ❌ | ❌ |
| UVM Health-approved digital or tape audio-recorder | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ❌ | ❌ |
| UVM Health-approved digital or film camera | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ❌ | ❌ |
| UVM Health-approved smart devices | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ❌ | ❌ |
| VIRTUAL CONFERENCING | |||||||
| UVM Health-licensed MS Teams | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| FILE TRANSFER | |||||||
| Guest Access to MS Teams/SharePoint/OneDrive (ServiceNow) | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| GoAnywhere File Transfer (ServiceNow) | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| Third-Party File Sharing Sites (e.g. Google Drive, Dropbox, Box, etc.) | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| SFTP Services from external (non-UVM Health) collaborating institutions | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ❌ | ❌ |
| DATA ANALYSIS | |||||||
| UVM Health-licensed analysis software (e.g. MS Excel, PowerBI) | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| UVM Health-licensed non-cloud based analysis software (e.g. Stata) | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| UVM Health-approved open-sourced analysis software (e.g. R, Rstudio) | ✅ | ⚠️ | ❌ | ❌ | ❌ | ❌ | ❌ |
Notes
1. If you don't see your technology in this list, please consult DataGovernance@UVMHealth.org.
2. It is not permitted to store electronic data within UVM Health systems that is generated by an external source (i.e., from UVM, including UVM LCOM, or any entity or system outside of UVM Health); all data stored within UVM Health systems must originate from a UVM Health source or system (repository, Exempt 4iii).
3. Refer to the UVM Health Information Security User Policy in PolicyStat on the UVM Health Intranet or contact DataGovernance@UVMHealth.org.
4. High Risk/Restricted data should not be sent using email, even if the email is encrypted, unless the communication is urgent and there are no more secure alternative ways to send the information. Any emails containing High Risk/Restricted data must be encrypted using #secure or secure#. Emailing such data outside of UVM Health is prohibited.
5. UVM Health-approved computer hard drive means that UVM Health has either issued the computer (with hard drive) or approved an external one.