Research Data Governance Frequently Asked Questions (FAQs)

1. What is defined as “Research Data”?

Research data includes any records that are necessary for the (re)construction and evaluation of reported results of research and the events and processes leading to those results, regardless of the form of media on which they may be recorded. This data might include lab notebooks, as well as more structured forms of data. Formally, Research Data is a type of Technology assigned to Vanderbilt consistent with the VU Policy on Technology and Literary and Artistic Works.

2. Are published papers/book/articles considered "research data"?

No. These items are covered by the Faculty Manual’s policies on Literary and Artistic Works.

3. Why is there a research data governance framework?

The Framework exists to help Principal Investigators keep their data secure and usable, and to comply with the expectations of funders around data usage. It puts in place several key elements, including data classification, which enable the institution to better support researchers’ needs.
Vanderbilt’s Research Data is a high-value asset. It supports delivery of Vanderbilt’s central mission of scholarly research and related contributions to the community and society at large. Data aggregation and management are key components of a successful research enterprise. Sharing data reinforces open scientific inquiry, encourages diversity of analysis and opinion, and promotes new research. Management of Research Data is thus a necessary part of effective research conduct and administration at Vanderbilt.
In addition, research sponsors increasingly expect data management plans and impose data usage agreements. Research institutions are a target for cyberattacks due to the high value of research data. Therefore, a more structured approach to managing research data is necessary.

4. What does the research data governance framework do?

The Research Data Governance Framework defines institution-wide principles and decision-making structures that will enable Vanderbilt to manage Research Data intentionally and consistently, as well as increasing data security and usability.

It also makes clear the expectations of Principal Investigators (called “Research Data Investigators” in the document) and of Research Data Governors (usually at Associate Dean level) delegated by their school or college to oversee compliance with Research Data governance expectations. It also provides a framework for researchers to engage with VUIT, SPA, OGC, and others in a structured way.

5. What is data classification?

Classification, in the context of information security, is the categorization of data and information according to its risk impact.
At Vanderbilt, there are four levels of data classification:
- Level 1 – Public; Level 1 data can be shared freely and is frequently posted on the web;
- Level 2 – Institutional Use Only; Level 2 data is integral to university operations and its unauthorized disclosure might carry some risk. An example might be an internal email list.
- Level 3 – Restricted; Level 3 data is restricted in use because its unauthorized disclosure carries a significant risk. Personally identifiable data, including Social Security Numbers and grades, is considered Level 3.
- Level 4 - Critical. Level 4 includes data controlled by external governmental actors, such as Controlled Unclassified Information from the Department of Defense. Level 4 data will usually be subject to a data usage agreement.

For more detail please see the Data Classification Policy.

6. Who classifies my data?

Research data classifications will normally be agreed collaboratively by Sponsored Programs Administration, the Principal Investigator, and the relevant Research Data Governor at the college/school level (Dean’s delegee). This process will take into account any applicable data usage agreements or regulatory frameworks, such as National Institute of Standards and Technology (NIST), Cybersecurity Maturity Model Certification (CMMC), FERPA, HIPAA, etc.

7. Where do I store my data?

The answer to this question results from a data classification assessment and is guided by the following levels
- Level 1 data- Anywhere, unless otherwise dictated by the sponsor, collaborators, or Vanderbilt University
- Level 2 data- Behind a password protected portal (e.g., Vanderbilt single sign-on).
- Level 3 data- this will be prescribed through the data use agreement process.
- Level 4 data- this will be prescribed through the data use agreement process.
Certain practices are discouraged for any research data, including maintaining it on a portable USB thumb drive or holding the only copy on a local hard drive. Research data usually represents a significant investment of time and resource and should be held somewhere where is it is backed up at a minimum.
Storage of data about human subjects should be treated as an ethical /IRB consideration, with appropriate security and backup to avoid losing the effort of not only the researchers but the subjects themselves.
Storage of regulated information is usually dictated by regulations and data usage agreements.

8. How long should I be keeping my data?

Unless otherwise dictated by the research sponsor, collaborators, or Vanderbilt University, this is up to the discretion of the PI. Increasingly, there is an expectation by research sponsors and others in the research community that sufficient data be retained and made available following publication to validate research results and enable reuse for research and teaching purposes.

9. Where do I get the language for my data management plan?

A resource is available through the Libraries called Data Management Planning Resources: https://heardlibrary.github.io/digital-scholarship/manage/planning/

10. Where do I go to get a data use agreement?

PIs who need data use agreements can learn more and request assistance here: https://www.vanderbilt.edu/sponsoredprograms/contracts_data_use_agreements.php

11. What about data developed with collaborators at other institutions?

Frequently when data is developed in collaboration, there is some kind of agreement between the institutions or PIs. PIs who intend to share their data with collaborators should reach out to Sponsored Programs Administration (SPA) to put a Data Use Agreement (DUA) in place.

12. How is compliance managed?

Researchers will provide annual attestations designed to ensure that they are familiar with institutional Research Data governance polices in general, data usage requirements (such as data usage agreements, data classification policies, etc.) that are specific to their research efforts, and they are cognizant of how their research collaborators (such as graduate students, post-docs, undergraduate researchers, etc.) are aware of—and abide by—the relevant data usage requirements.

13. What are the consequences if I get this wrong?

The consequences of poor data management or data breaches vary depending on the type of data and especially the data classification level. They may be financial (e.g., fines, loss of income), operational, reputational (for researcher or institution), or compliance/legal in nature. Some negative outcomes, such as data breaches due to ransomware or hacking, might occur despite all appropriate precautions being taken, but complying with the guidelines in the Research Data Governance Framework should reduce risk.

14. Who can I approach for more advice and guidance?

The chair of the research data governance committee (RGDC) (research.it@vanderbilt.edu).

Research and Innovation