Procedure for Requesting Access to Network Data for Research
This procedure outlines the approval process required to obtain network data for research purposes and documents the process for review, approval, management and termination of data sharing arrangements.
This procedure applies to all individuals who want to utilize network data for the purpose of research.
Purpose of the Procedure
The Carnegie Mellon Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this procedure is to establish acceptable practices that support the policy as it applies to requesting access to network data for research purposes.
Definition / Clarification
IRB - Institutional Review Board that governs the use of human subjects for Research.
Research - A systematic investigation, including development, testing and evaluation, designed to develop or contribute to general knowledge.
Note: Network data requests for the purpose of quality assurance, troubleshooting, and similar needs may not require Institutional Review Board approval but must submit to data protection guidelines.
Note: Non-Research Requests do not require IRB approval. If in doubt, Research Compliance will make the necessary judgment call.
The following steps should be taken to request data for research purposes:
- Researchers will meet with appropriate Computing Services staff to determine scope of project and data requirements. Researchers should submit a finalized list of technical requirements regarding the research data to Computing Services Network Group. The Network Group will review the technical requirements to determine if it’s possible to meet them and fulfill the request.
- Assuming that Computing Services can meet the requirements, the Researcher needs to obtain IRB approval or obtain a waiver from the IRB for all data requests regardless of content.
- Upon IRB approval, the researcher will provide the Information Security Office with a copy of the approval letter or waiver and the final proposal. An email stating that the request is non-research is sufficient for the waiver.
- Since the IRB requires new approval annually, the Information Security Office will need a copy of the updated approval prior to supplying data past the research anniversary date.
- Researchers will also provide written documentation to the Information Security Office enumerating the process for securely disposing of data, access controls in place to protect data, and other security processes in place based on Carnegie Mellon Information Security guidelines and best practices. These are outlined in detail on the ISO pages.
User Responsibilities and Procedures
Security questions and best practices that users should consider include but are not limited to:
- Is access to the data based on a person's role with regard to the research?
- Internal processes for patching the system and/or application that houses the data.
- Are there multiple copies of the data requested for research purposes? If so, are these copies managed in terms of access, distribution, and location?
- Are preventive measures in place to protect against unauthorized duplication and distribution of research data?
- Is data stored in encrypted format?
- Is data transmitted in encrypted format?
Relabeled document as a Procedure instead of a Guideline