
Research Data Management: Data Classification & Handling


NTU Research Data Classification (Draft)

Level 1 (low or no sensitivity)

Definition of data type:
1. Applies to data/information that can be distributed to the public or published on the internet.

Examples of research data include (but are not limited to):
1. Public domain information available to the general public.
2. Published research data available in open-access journals etc.
3. Study recruitment posters for public viewing and consumption.
4. Published intellectual property (IP) and IP-related documents/information.

Level 2 (moderate sensitivity)

Definition of data type:
1. Applies to data/information that, if disclosed, would NOT cause adverse impact to the institution, but may result in inconvenience and an inability to make some decisions, with minimal disruption to operations.
2. Generally accessible to all staff of the University, but not accessible by the public.

Examples of research data include (but are not limited to):
1. Research-related documents such as research protocols/SOPs.

Level 3 (moderately high sensitivity)

Definition of data type:
1. Applies to data/information that is sensitive in nature.
2. Access must be restricted to authorised persons on a 'need-to-know' basis.

Examples of research data include (but are not limited to):
1. Unpublished intellectual property (IP) and IP-related documents/information.
2. Research-in-progress data.
3. Unpublished data from completed research.
4. Drafts of research papers.

Level 4 (high sensitivity)

Definition of data type:
1. Applies to any data/information that, if disclosed, would cause significant impact and legal liability to individuals or to the University.
2. Loss or modification of the information will result in loss of confidence and credibility, and may result in legal action.

Examples of research data include (but are not limited to):
1. Identifiable personal data[1], e.g., NRIC, name, address, date of birth and postcode, collected from trials/studies.
2. Identifiable genetic data[1].
3. Biomarker/assessment/health and medical information, bank or financial records, biometric data[1].
4. De-identified data which can be re-identified through various means.
5. Research data governed by research contracts or data use agreements under which the data provider requires high-level security measures.

[1] Management of these research data must comply with the applicable regulations in the PDPA and HBRA, as well as all data management and IRB policies of NTU.


Handling of digital research data (Draft)

Level 1 (low or no sensitivity)

Storage & access:
1. No specific security requirement.
2. Duplication or reproduction is allowed.

Transmission:
1. No specific security requirement.

Disposal:
1. No specific security requirement.

Level 2 (moderate sensitivity)

Storage & access:
1. Access to the files storing the data should be password-protected (e.g. the individual's Windows account, OneDrive, NTU network servers, etc.).
2. Duplication or reproduction is allowed for internal circulation or within the boundary of the distribution list.

Transmission:
1. No specific security requirement, but data protection is recommended.

Disposal:
1. At a minimum, data should be deleted using ordinary file deletion.

Level 3 (moderately high sensitivity)

Storage & access:
1. Files must be password-protected and, where necessary, the data in the files must be encrypted.
2. Access rights should be used to protect the data from unauthorised access internally. Access should be regulated by the available authorisation matrices.
3. Staff are to sign an undertaking to protect and secure the information.

Transmission:
1. Must not be sent out of NTU without the permission of the 'Information Owner' or 'Information Custodian'.
2. If data needs to be sent out of NTU, it must be transmitted in a secured network environment. The sensitivity of the data and its handling requirements must be communicated to the external party. An RCA with NDA clauses should be signed by the external parties.
3. Transmission of data on portable media should be done via encrypted portable devices, e.g., IronKey, or after consultation with IT on the latest encrypted portable media.
4. Data should not be shared on any social media platform without the permission of the 'data owner/custodian'.

Disposal:
1. Data should be deleted in consultation with the IT team, using the recommended wiping programme.

Level 4 (high sensitivity)

Storage & access:
1. Files must be password-protected and the data in the files must be encrypted.
2. Access rights must be used to protect the data from unauthorised access internally. Access must be logged and regulated by the available authorisation matrices.
3. Unauthorised duplication or reproduction of the data in any other form is strictly not allowed.
4. Staff are to sign an undertaking to protect and secure the information.

Transmission:
1. Must not be sent out of NTU without the permission of the 'Information Owner' or 'Information Custodian'.
2. If data needs to be sent out, it must be encrypted and transmitted in a secured network environment. The sensitivity of the data and its handling requirements must be communicated to the external party. An RCA with NDA clauses should be signed by the external parties.
3. Transmission of data on portable media must be done via encrypted portable devices, e.g., IronKey, or after consultation with IT on the latest encrypted portable media.
4. Data must not be shared on any social media platform under any circumstances.

Disposal:
1. Data should be deleted completely, without the possibility of reconstruction, in consultation with the IT team, using the recommended wiping programme.
2. Independent verification of the data deletion should be obtained.


Handling of non-digital research data (Draft)

Level 1 (low or no sensitivity)

Storage & access:
1. No specific security requirement.
2. Data access and usage is left to individual responsibility.

Transmission:
1. No specific security requirement.

Disposal:
1. No specific security requirement.

Level 2 (moderate sensitivity)

Storage & access:
1. Stored in a locked drawer or filing cabinet.
2. Access should be regulated by the available authorisation matrices.

Transmission:
1. Send in a sealed envelope.

Disposal:
1. Materials should be shredded.

Level 3 (moderately high sensitivity)

Storage & access:
1. Stored in a locker or safe.
2. Access should be regulated by the available authorisation matrices.

Transmission:
1. Must not be sent out of NTU without the permission of the 'Information Owner' or 'Information Custodian'.
2. If the data needs to be sent out of NTU, it should be sent to the addressee, with instructions that the item is to be opened by the addressee only, via a courier service (e.g., FedEx or DHL) using their secured, tracked, signed-for pick-up and delivery service. The sensitivity of the data and its handling requirements must be communicated to the external party. An RCA with NDA clauses should be signed by the external parties.

Disposal:
1. Materials must be shredded, preferably with a crosscut shredder.

Level 4 (high sensitivity)

Storage & access:
1. Stored in a locker or safe within an access-controlled facility.
2. Access should be regulated by the available authorisation matrices.

Transmission:
1. Must not be sent out of NTU without the permission of the 'Information Owner' or 'Information Custodian'.
2. If the data needs to be sent out of NTU, it must be sent to the addressee, with instructions that the item is to be opened by the addressee only, via a courier service (e.g., FedEx or DHL) using their secured, tracked, signed-for pick-up and delivery service. The sensitivity of the data and its handling requirements must be communicated to the external party. An RCA with NDA clauses should be signed by the external parties.

Disposal:
1. Materials must be shredded personally with a crosscut shredder. Contractors shall not be used to destroy confidential documents.