Research Data Risks
Classifications, Definitions, and Examples
Low Risk
Loss of confidentiality, integrity, or availability of this data would have little to no adverse impact on the University's mission, safety, finance, or reputation, or on human participants' rights or welfare.
Examples
- Human subject data from public databases
- Coded non-sensitive human subject data
- De-identified human subject data
- Some Exempt determinations
Moderate Risk
Data that is not generally available to the general public. Loss of confidentiality, integrity, or availability of this data or the systems on which it is stored and used could have an adverse impact on the University's mission, safety, finance, or reputation or on human participants' rights or welfare.
Examples
- Identifiable non-sensitive human subject data
- Coded sensitive human subject data
- PHI without direct identifiers (Limited Data Set)
- Some Exempt determinations
- Some research under Expedited categories
High Risk/Restricted Data
Data that must be protected by law, regulation, or University policy. Loss of confidentiality, integrity, or availability of this data or systems on which it is stored and used could have a severe adverse impact on the University's mission, safety, finance, or reputation or on human participants' rights or welfare.
Examples
Identifiable sensitive human participant data
Regulated human participant data (federally funded or supported, FDA, HIPAA, Part 2, FERPA, PPRA, GDPR, etc.)
Exempt 2iii, 3iC, and 4iii determinations
Some research under Expedited categories
More than minimal risk research
Clinical Trials
| Legend | ||
|---|---|---|
| ✅ = Allowed | ⚠️ = Talk to your IRB analyst | ❌ = Not Allowed |
| Data Handling Platforms/Technologies1, 2 | |||||||
|---|---|---|---|---|---|---|---|
| Common Rule | Unregulated | HIPPA | GDPR | FERPA/PPRA | |||
| Low Risk data | Moderate Risk data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data | |
| DATA COLLECTION & STORAGE | |||||||
| Sharepoint | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| UVM or LCOM OneDrive | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| UVM shared drive (S:\) | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| LCOM shared drive (L:\Labs) | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| LCOM Secured shared drive (L:\Secured) 3 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| LCOM Secure Environment for Data and Research Computing (SEDRC) server (Q:\) 3 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| UVM Netfiles | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| VACC | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| OnCore | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Qualtrics | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| UVM/LCOM-licensed REDCap 4 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Low Risk data | Moderate Risk data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data | |
| UVM-licensed MS Teams | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| UVM-licensed MS Copilot | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| UVM-licensed MS Forms | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| A.I. programs (except MS Copilot) | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | |
| Prolific | ✅ | ✅ | ⚠️ | ⚠️ | ❌ | ⚠️ | ⚠️ |
| Amazon Mturk | ✅ | ✅ | ⚠️ | ⚠️ | ❌ | ⚠️ | ⚠️ |
| Cloud Research | ✅ | ✅ | ⚠️ | ⚠️ | ❌ | ⚠️ | ⚠️ |
| Google (drive, sheets, docs, voice, gmail) | ⚠️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Dropbox | ⚠️ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Low Risk data | Moderate Risk data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data | |
| Computer hard drive 5 | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| Thumb/USB/external drive or disk (encrypted) 5 | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| Digital or tape audio-recorder 5 | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| Mobile phone 5 | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| Other smart devices 5 | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| Digital or film camera 5 | ✅ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ⚠️ |
| VIRTUAL CONFERENCING | Low Risk data | Moderate Risk data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data | High Risk/Restricted data |
| UVM-licensed MS Teams | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ |
| LCOM-licensed Zoom 3 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| FILE TRANSFER | |||||||
| UVM File Transfer | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Globus | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| DATA ANALYSIS | |||||||
| Nvivo (generally qualitative research) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| UVM-licensed analysis programs (non cloud-based) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Notes
- If you don't see your technology in this list, please consult your IRB Analyst.
- It is not permitted to store electronic data within UVMHN systems that is generated by an external source (i.e. from UVM, including UVM LCOM, or any entity or system outside of UVMHN); all data stored within UVMHN systems must originate from a UVMHN source or system (respository, Exempt 4iii). Consult your IRB Analyst to discuss options for storage of UVMHN data.
- Creation/access to these folders are obtained by submitting a footprint here. HIPAA compliant Zoom access can also be requested via a footprint.
- Reach out to the REDCap Administrator if you are using REDCap for an FDA-regulated study for information about Part-11 compliant REDCap access. Use of REDCap licensed by other institutions will be evaluated on a case-by-case basis and is likely subject to terms of Data Use Agreements or contracts.
- This is not a recommended storage option. Choose this only if there is no viable alternative. Digital storage devices and media that contain protected data must be encrypted, and any written records of encryption passwords must be secured in locked storage.