Are you thinking about undertaking research that requires special handling of sensitive or restricted data? Data of all types — including research data — is categorized according to a “data classification standard” and how researchers manage the data follows in large part from the classification. By default, data at Duke is considered “restricted” — the “middle” classification in the scheme.

Some examples of projects using data classified as “sensitive” — the data classification requiring the most vigilance and protection — might include research involving medical data (even if not officially “PHI”) or other highly personal data; studies that involve, even tangentially, human subjects or data that must be protected to meet proprietary (i.e., “intellectual property”), contractual, or compliance obligations; or data that can “become” sensitive or individually identifiable when associated with other, sometimes even publicly available, data.

But don’t despair about using sensitive data for research. Duke researchers can make use of the “Protected Network” to help meet requirements that are attached to sensitive data of many types.  It can be particularly valuable for projects that involve third party data (for which researcher must adhere to a Data Use Agreement), human subjects (for which complete de-identification may be difficult or impossible), and/or data governed by certain regulatory or compliance frameworks (such as “FERPA”, or “export controlled.”)  Many of the technical controls required for sensitive data are covered in the Protected Network, and so managing the data gets a bit easier — though not effortless.

Staff from Duke Research Computing and SSRI, in close collaboration with the IT Security Office and the Office for Research Support, are available to assist researchers at any stage of the planning and implementation process.  Just remember that earlier consultation is always better! Research Computing office hours are posted for quick consultation, and no appointment is necessary.

While the provisioning of storage and compute resources can be an almost entirely “self-service” process, questions often call for consultation (especially the first time or two) with local IT support from your department and/or Duke Research Computing staff.  Some useful things to consider as you begin the consultative process include:

  • where the data will come from (e.g., direct collection that you do or from a third party),
  • whether any known compliance frameworks must be adhered to (be on the look out for keywords like “FERPA”, “export-controlled,” etc,),
  • whether the research involves human subjects,
  • whether the funding agency (if applicable) stipulates the need for a “Data Management Plan” or other ancillary documentation,
  • whether the data use stipulates a need for a specific operating system, software packages, and computational resources (CPU, RAM, or maybe GPU), and
  • how much data storage will be needed along with how you envision data flowing to and from that storage.

A chat with Duke Research Computing staff can help get specifics on costs and might be very useful for strategies in data management. Duke has a broad array of virtual machine and storage options, and so finding the right one for your project can sometimes be bewildering.

Visit the Protected Network Service (requires NetID authentication) document for more information.

In short: OIT has an environment that can improve the security posture of your research projects and contact rescomputing@duke.edu at any time with any questions related to this secure environment.


Andy Ingham is a member of the Duke Research Computing staff, and he specializes in data management, information security, and research computing using sensitive data. He regularly holds court on the second floor of Gross Hall on Duke’s Gothic West Campus.