Carnegie Mellon University

Procedure for Requesting Access to Network Data for Research

This document contains the following sections:


This procedure outlines the approval process required to obtain network data for research purposes and documents the process for review, approval, management and termination of data sharing arrangements.

Applies to

This procedure applies to all individuals who want to utilize network data for the purpose of research.

Purpose of the Procedure

The Carnegie Mellon University Computing Policy establishes a general policy for the use of computing, telephone and information resources. The purpose of this procedure is to establish acceptable practices that support the policy as it applies to requesting access to network data for research purposes.

Definition / Clarification

IRB – Institutional Review Board that governs the use of human subjects for Research.

Research -  A systematic investigation, including development, testing and evaluation, designed to develop or contribute to general knowledge.

Note: Network data requests for the purpose of quality assurance, troubleshooting, and similar needs may not require Institutional Review Board approval but must submit to data protection guidelines.

Non-Research Requests do not require IRB approval.  If in doubt, Research Compliance will make the necessary judgment call.


The following steps should be taken to request data for research purposes:
  1. Researchers will meet with appropriate Computing Services staff to determine scope of project and data requirements.  Researchers should submit a finalized list of technical requirements regarding the research data to Computing Services Network Group. The Network Group will review the technical requirements to determine if it’s possible to meet them and fulfill the request.
  2. Assuming that Computing Services can meet the requirements, the Researcher needs to obtain IRB approval or obtain a waiver from the IRB for all data requests regardless of content.
  3. Upon IRB approval, the researcher will provide the Information Security Office with a copy of the approval letter or waiver and the final proposal.  An email stating that the request is non-research is sufficient for the waiver.
  4. Since the IRB requires new approval annually, the Information Security Office will need a copy of the updated approval prior to supplying data past the research anniversary date. 
  5. Researchers will also provide written documentation to the Information Security Office enumerating the process for securely disposing of data, access controls in place to protect data, and other security processes in place based on Carnegie Mellon Information Security guidelines and best practices. 

User Responsibilities and Procedures

Security questions and best practices that users should consider include, but are not limited to:

  • Is access to the data based on a person’s role in regards to the research?
  • Internal processes for patching system and/or application that houses data.
  • Are there multiple copies of the data requested for research purposes?  If so, are these copies managed in terms of access, distribution, and location?
  • Are preventive measures in place to protect against unauthorized duplication and distribution of research data?
  • Is data stored in encrypted format?
  • Is data transmitted in encrypted format?

Revision History

Version  Published Author Description
1.0 07/06/2006 Cavicchi Original publication
1.1 09/04/2007 Markiewicz

Relabeled document as a Procedure instead of a Guideline

Status:  Published 
Published:  07/06/2006
Last Reviewed:  03/29/2021
Last Updated:  09/04/2007