Data plays a critical role in the strategic goals of Duke University to advance academia and research. Data flow and data security are interconnected aspects of data management that affect how data is accessed, collected, shared, and disposed of. Data at Duke University is classified into three categories: Public, Restricted, and Sensitive data.
Data flow is the process of moving data from one location to another in four stages: data ingestion, data processing, data analysis, and data sharing either within (ingress) or outside (egress) of the Duke network. Ingress is the process of data import (entering) into an organization by downloading, emailing, or loading data from a USB or another device or method to a system. Egress is the process of data export out (leaving) of an organization by emailing, sending to a cloud server, transferring to a USB or any other method. However, data flow can pose a significant risk to the privacy and security of data and entities or individuals it belongs to.
This document will provide guidance for end users and researchers who handle data at Duke and the importance of securing PHI (Protected Health Information), PII (Personally Identifiable Information), Restricted, and Sensitive data through the following:
The common risks associated with data flow and how to mitigate them.
The safeguards and best practices for data egress.
The relevant standards and policies that govern data flow at Duke.
Risks of Data Flow
Data flow can expose data to various threats and vulnerabilities that can compromise its confidentiality, integrity, and availability. Some of the common risks are:
Data Breach: Unauthorized access or theft of data by a threat actor.
Data Loss: Accidental or intentional deletion or destruction of data.
Data Leakage: Deliberate or haphazard exposure of data to unauthorized individuals or entities.
Data Misuse: Improper interpretation of data due to bias, human error, or inaccurate analysis/validation methods.
Safeguarding Data Flow
To protect data from these risks, end users and researchers should follow these safeguards and best practices when egressing data:
Data should be classified using Duke Services and Data Classification document and SecureIt. Data classification helps determine the level of sensitivity and protection required for data. Restricted and Sensitive data require more stringent controls and approvals than data categorized as Public.
Data should be egressed only for authorized and legitimate purposes, to authorized and trustworthy recipients, only through authorized and secure channels, with appropriate safeguards and controls, and proper documentation and audit trails. To egress data a DTA (Data Transfer Agreement) or another document may be needed. In addition, for better understanding of contracts or agreements use the myRESEARCHPath tool.
Data should be encrypted when storing or transmitting sensitive data. Encryption helps prevent unauthorized access or interception of data. End users and researchers should use the encryption tools and methods approved by Duke IT Security Office (ITSO).
Ensure data accuracy and completeness by checking for errors, inconsistencies, or anomalies during data ingress/egress. Develop a Data Management Plan (DMP) when handling research data that outlines the steps taken to document, organize, store, share, and secure data as well as use best practices of your discipline in determining validation.
STANDARDS AND POLICIES FOR DATA FLOW
Data flow at Duke is governed by various standards and policies that establish the responsibilities and expectations for data protection and data governance. End users and researchers should adhere to these standards and policies when transferring data:
In addition to the specific safeguards of data flow, there are some general safeguards that can be applied to enhance the security and privacy of data and users. Some of the general safeguards are:
Use strong and unique passwords for all accounts, devices, and services.
Keep software and systems up to date with the latest security patches.
Be cautious when opening emails or clicking on links from unknown or suspicious sources.
Regularly backup important data to a secure location.
Use the following guide to support Duke functions and ensure data compliance. For any questions, please contact firstname.lastname@example.org
Document Type: Guide