The University of Iowa (UI) has several policies and guidelines in place that govern the use of research data. This includes the Research Data Policy, managed by the Office of the Vice President for Research, and the Data Classification Guide managed by ITS.

These policies are designed to protect sensitive data and ensure compliance with federal rules and regulations, as well as to promote open science, support the UI’s mission to leverage discovery for societal impact, and ensure that the appropriate access to data is available to the UI research community. 

Below are four important things to know for all UI faculty, staff, and students engaged in research, scholarship, and creative activities: 

1. Data that is generated here is owned by the University of Iowa. 

The UI generally owns the research data that is generated from all research, development, and related activities conducted under its oversight. On behalf of the UI, the Principal Investigator (PI) is the custodian of the research data and is ultimately responsible for the collection, management, and retention of research data.

The UI’s ownership of research data is derived in part from its role as a steward of public resources and extends from the UI’s obligation to be legally and financially accountable for issues related to research data.

2. Data must be classified appropriately and stored accordingly. 

ITS hosts a Data Classification Guide designed to help the campus community make informed decisions about where to safely store and share university data. Some examples include:

Public: data that is public, or published with no restrictions.  Examples include published "white pages" directory information, maps, academic course descriptions, news releases.

University/Internal: data that is non-public or internal data.  Examples of institutional data include official university records, financial reports, unofficial student records, de-identified research data. 

Restricted: data that is confidential or restricted due to personal privacy considerations or compliance regulations and laws.  Examples include student transcripts, identifiable human subjects research data, full-face photogenic images or videos, financial aid data.

Critical: data that has the most stringent legal or regulatory requirements and requires special security controls.  Examples include data governed by HIPAA (personal health information), Social Security Numbers credit card information (PCI), personal identifiers (passport/driver's license numbers), data governed by ITAR (export-controlled).  

Researchers are encouraged to contact IT-Security@uiowa.edu or Research-Computing@uiowa.edu with any questions.

3. Data should be stored on UI-owned machines or servers instead of personal devices.

Research data should be stored in the Principal Investigator’s lab or the unit where the records were created. The storage location (physical or electronic) should be owned or managed by the UI, and in accordance with any contractual agreements or applicable laws and regulations. 

Personal computers may be used to conduct research – and access research data via the UI VPN – if the research grant or contract allows. The Division of Sponsored Programs can help investigators determine if research grants or contracts allow for the use of personal computers. Read more in the ITS Guidance on Using Personal Computers for Research. 

4. Prior to leaving the institution with data or sharing data with non-UI investigators, researchers must attain prior approval.  

The University of Iowa owns the primary research results generated from all research, development, and related activities conducted under its jurisdiction. Therefore, if a PI wants to share data with individuals outside the institution, or plans to leave the University and wants to take the data to the new institution, the transfer of the data must proceed according to established guidelines.

Investigators should:

1. Obtain permission from their Department Executive Officer (DEO) or Department Head.
2. If they are conducting human subjects research, submit a Modification to the IRB describing data sharing or departure. In some cases, data sharing may also require review and approval by the UIHC data governance committee
3. Consult with the Division of Sponsored Programs (DSP) about establishing a Data Use Agreement and/or Materials Transfer Agreement.
4.  In cases where a PI is leaving, determine if the project will be closed at the UI by submitting a project closure form or if a new PI will continue research related activities by submitting a modification to name a new PI.