Clinical Guides: Data Collection and Storage: Storage & Security

Planning storage

An important part of managing your research data is planning for how you will store your data during the research process, and after your project is completed. Appropriate storage of research data will ensure that it can be accessed into the future -- this is important for verification of results and for the potential for data to be re-used and/or shared with other researchers, subject to ethics approvals.

Careful consideration needs to be given to both short- and long-term storage solutions, including:

The type of media and the future viability of the medium being considered
Back-up schedules
Replication
Regular checking of data integrity
Funder requirements
- If your project is funded by an organisation or grant, they may have particular requirements for storage.
Legal requirements
- Check the relevant legislation to ensure that you comply.
- Know the difference between health data, personal data, sensitive data and what you need to do.
  - Victorian Government (2001). Health Records Act.
  - Australian Government (1998). Privacy Act.

Cloud Storage Solutions

Secure, cloud-based storage solutions should be considered for both short-term and long-term storage. Examples of Australian-based services are:

CloudStor:
- Cloud storage for the research and education sector hosted on the AARNet network within Australia
Nectar Cloud
- Australian Research Data Commons (ARDC) Nectar Research Cloud enables researchers within Australia to store, access and analyse research data.

Remember!

Always check and refer to Monash Health's Prompt for relevant policies and procedures. If your research project is associated with a university, there will be institution-specific requirements that you must also adhere to.

Practices for Data Storage

Store data uncompressed in non-proprietary or open standard formats
Copy or migrate data to new media every 2 - 5 years
Include a copy of the software used to analyse your data
Back-up data in different forms of storage
Store back ups in different locations
Check the data integrity at regular intervals
Consistently name all files according to a naming convention
- Include relevant information for identification and retrieval
- File names should make sense to those that haven't worked on the project
- File names should not rely on folders or folder structure to have meaning
Ensure the storage location is fit for purpose and free from the risk of flood, fire, etc.
- For digital storage, ensure that your vendor has an appropriate data disaster and recovery plan
Create digital versions of paper-based data
Ensure data security for sensitive or personal data

Remember to always check and refer to Monash Health's Prompt policies and procedures when planning your research.

Data Storage Lifespans

Data storage devices and technologies have a limited lifespan, even when taking obsolescence into account. It is important to have multiple and different methods of backing up your data. You must also check that your data is still readable after back up.

The below information provides guidance on how long a data storage device can last if stored in a secure environment, free from dust, humidity, high temperatures, and damage.

External hard disc drives
- 3-5 years before a component failure.
Flash storage (including USB drives, SD cards)
- Dependent upon how many times you add, delete, or change the data.
- Can range between 1-10 years.
Erasable CDs, DVDs, and Blu-Ray
- 5-50 years

Data saved to the cloud is also at risk. Data saved in the cloud is still saved to a physical server. Servers can be at risk of corruption, physical damage, or changing conditions and licencing of service providers.

Security

A researcher is responsible for appropriate use and storage of research data and should ensure the following relating to the security of research data:

Store paper forms securely in locked cabinets, especially consent forms
Data stored on transportable media should be stored in locked cabinets
Protect passwords -- they are confidential data and should never be shared or written down
Restrict use of shared accounts or group login IDs, with each research project member having a unique password that identifies them
Avoid using computers outside the research project domain
Activate lock-out functions for screensavers
Use secure methods of file transfer, ensuring data files are compressed and encrypted during transfer
Use effective data destruction methods when it is determined that data is no longer required to be stored
Servers & hosting services should be compliant with AS ISO/IEC 27002:2015/Amdt 1:2016 Standard for Code of practice for information security controls
Ensure that collection devices are not automatically sending or saving data to another location.

Reformatting your device or deleting files does not permanently destroy your data. It is not a security measure as data may still be recoverable. See Data Disposal for more information on destroying data appropriately.

Remember to always check and refer to Monash Health's Prompt policies and procedures as part of the overall process when conducting this research.