Managing data

INFORMATION SECURITY

Mandatory/key compliance obligations

When registering a device (with a static IP address) on the campus network:

  • Notify Information Systems & Technology (IST) of the information security classification of data stored on the device
  • Ensure contact information of an individual able to resolve technical problems with the device is registered with IST and kept up-to-date
  • Familiarize yourself with the roles and responsibilities of information stewards and custodians
Waterloo policy, procedure or guideline

Policy 46 - Information Management. This policy serves the following purposes:

  • Provides a security classification scheme for university information that can be referenced in other policies, guidelines, standards and procedures relating to information
  • Outlines the responsibilities that members of the university community have with respect to information security
External policy/requirements

  • IST is better able to prioritize an appropriate level of security response if you clearly state the security classification of the data involved
  • IST may find it necessary to disconnect a device without notice. This will only happen when either:
    • A serious security incident has been discovered; OR
    • In the case of a less serious incident, technical contact information is missing or out-of-date
Who can help?

Security Operations Centre (SOC) in Information Systems & Technology (IST): soc@uwaterloo.ca

Director, Information Security Service, IST

Mandatory/key compliance obligations

Notify IST in the event of a security breach of a device or an information system on the campus network

Waterloo policy, procedure or guideline

An Information Security Breach involves one or more of:

  • a circumvention of information security controls
  • the unauthorized use of information
  • the unintended exposure of information

Computer Security Incident Response Procedure

External policy/requirements

Depending on the type of data involved, the University may need to notify a third party of the breach.

A breach often has a negative impact on the entire campus network, impeding the academic activities of the University.
Who can help?

IST SOC: soc@uwaterloo.ca

Director, Information Security Service, IST

Mandatory/key compliance obligations

If your project will involve hosting an event (e.g., workshop, summit) where credit card payments will be accepted, your method of collecting payment must be compliant with the PCI DSS standard

Waterloo policy, procedure or guideline

Policy 46 - Information Management

External policy/requirements

Payment Card Industry Data Security Standard (PCI DSS)

Who can help?

Associate Director Tax Services, Finance Department

Mandatory/key compliance obligations

Follow the University of Waterloo’s Acceptable Use Policy

Waterloo policy, procedure or guideline

Policy 46 - Information Management

Who can help?

IST SOC: soc@uwaterloo.ca

Mandatory/key compliance obligations

Projects greater than four years in length must, where possible, budget for a software and hardware refresh (this may not always be allowed by sponsors)

Waterloo policy, procedure or guideline

https://uwaterloo.ca/information-systems-technology/news

External policy/requirements

IST periodically issues directives prohibiting the use of unsupported software platforms. Unsupported software with serious security vulnerabilities presents a significant risk, because no vendor patch will be issued and effective compensating controls may not exist. In some cases, risk mitigation may not be possible at all.

Who can help?

IST SOC: soc@uwaterloo.ca

Mandatory/key compliance obligations

Data encryption: all research data may need to be encrypted when “at rest”

External policy/requirements

Varies, depending on the research contract. The contract will stipulate this requirement either directly, or through an Appendix if applicable.

Who can help?

IST SOC: soc@uwaterloo.ca

Director, Information Security Service, IST

Mandatory/key compliance obligations

Securely dispose of electronic media, including failed hardware

Waterloo policy, procedure or guideline

https://uwaterloo.ca/information-systems-technology/services/electronic-media-disposal/disposing-specific-electronic-media

External policy/requirements

Depending on the source of the data, there may be requirements for secure destruction. Health data, and data from certain sponsors, may have specific requirements (e.g. CIHI, FISMA, FDA).

Who can help?

IST SOC: soc@uwaterloo.ca

Director, Information Security Service, IST

Best practices

Make use of professional systems administrators, if at all possible, to ensure continuity of service

Who can help?

IST SOC: soc@uwaterloo.ca

Best practices

Perform regular back-ups of data. Test your backup system periodically by doing a data restore.

Who can help?

IST SOC: soc@uwaterloo.ca

Best practices

Apply software updates on a regular basis

Who can help?

IST SOC: soc@uwaterloo.ca
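The backup best practice above asks for periodic restore tests. The script below is an added example, not part of the University's page or of any IST tooling: it backs up a directory to a tar archive with a sha256 manifest, restores the archive into a scratch directory, verifies every restored file against the manifest, and then shows that the same check rejects a deliberately corrupted copy of the archive. The directory names and sample files are constructed for the demonstration; it assumes GNU tar, sha256sum and dd are available.

```shell
#!/bin/sh
# Added example (not from the University's guidance page): back up, restore,
# and verify. A backup that has never been restored is an assumption, not a
# backup; the restore drill turns it into evidence.
set -eu

# make_backup SRC_DIR ARCHIVE: write ARCHIVE (tar) and ARCHIVE.sha256, a
# manifest of the checksum of every file under SRC_DIR.
make_backup() {
    src_dir=$1; archive=$2
    ( cd "$src_dir" && find . -type f -exec sha256sum {} + ) > "$archive.sha256"
    tar -C "$src_dir" -cf "$archive" .
}

# verify_restore ARCHIVE RESTORE_DIR: extract ARCHIVE into RESTORE_DIR and check
# every restored file against the manifest. Returns 0 only if extraction
# succeeds and all checksums match; a missing or corrupted file makes it fail.
verify_restore() {
    archive=$1; restore_dir=$2
    manifest=$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256
    rm -rf "$restore_dir" && mkdir -p "$restore_dir"
    tar -C "$restore_dir" -xf "$archive" || return 1
    ( cd "$restore_dir" && sha256sum -c "$manifest" ) >/dev/null 2>&1
}

# restore_drill: end-to-end drill on constructed sample data. Prints
# "restore OK" when a good backup verifies and "corruption detected" when a
# damaged copy of the same archive fails. Returns 0 only if both happen.
restore_drill() {
    work=$(mktemp -d)
    mkdir -p "$work/data/sub"
    printf 'participant,measurement\n1,0.42\n' > "$work/data/results.csv"   # constructed
    printf 'notes for the study\n' > "$work/data/sub/notes.txt"             # constructed

    make_backup "$work/data" "$work/backup.tar"
    verify_restore "$work/backup.tar" "$work/restore" || { echo "restore FAILED"; return 1; }
    echo "restore OK"

    # Simulate media damage: overwrite a few bytes inside a copy of the archive.
    # Whether the bytes land in a tar header or in file content, the drill fails.
    cp "$work/backup.tar" "$work/bad.tar"
    cp "$work/backup.tar.sha256" "$work/bad.tar.sha256"
    printf 'XXXXXXXX' | dd of="$work/bad.tar" bs=1 seek=1024 conv=notrunc 2>/dev/null
    if verify_restore "$work/bad.tar" "$work/restore2"; then
        echo "corruption NOT detected"; return 1
    fi
    echo "corruption detected"
    rm -rf "$work"
}
```

Run `restore_drill` from a scheduled job and alert on a non-zero exit; the manifest comparison is what distinguishes "the restore command finished" from "the data came back intact".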

INSTITUTIONAL RECORDS MANAGEMENT

Mandatory/key compliance obligations

Ensure the University records you are responsible for are accurate, complete, and retained in accordance with the University’s retention schedules

Waterloo policy, procedure or guideline

Policy 46

External policy/requirements

Various statutes and regulations, including:

Who can help?

University Records Manager

Mandatory/key compliance obligations

The most common cases where PIs are responsible for the university’s official records are:

Waterloo policy, procedure or guideline

University records retention schedules:

Who can help?

University Records Manager

Mandatory/key compliance obligations

Authorize and document the destruction of university records at the end of the retention period

Waterloo policy, procedure or guideline

Records Disposal and Destruction

Who can help?

University Records Manager

Best practices

Weed out and dispose of transitory records – information of temporary usefulness, such as copies of documents or records of routine tasks – on a regular basis

Waterloo policy, procedure or guideline

Managing Transitory Records

Who can help?

University Records Manager

OPEN ACCESS PUBLISHING

Best practices
  • Consider publishing in an Open Access journal
  • Open access publishing may be required by certain contracts in which case it would be a mandatory funding requirement. However, some granting agencies will specifically fund open access fees separate from the ordinary granting process. PIs should check with their agencies about these two items. 
  • Find out if your journal of choice has open access options (SHERPA/ROMEO)
  • Consider using a recommended SPARC Canadian author addendum.
  • Deposit your article in Waterloo’s institutional repository, UWSpace.
  • If you are publishing in a fully Open Access journal, consider making your work available under a Creative Commons license.
External policy/requirements

The following principles guide the approach to promoting open access to research publications:

  • Committing to academic freedom and the right to publish
  • Recognizing the importance of peer review to the scholarly communication ecosystem
  • Maintaining the high standards and quality of research by committing to academic openness and responsible conduct of research
  • Promoting recognized research best practices and standards across disciplines
  • Advancing academic research, science and innovation
  • Effective dissemination of research results
  • Aligning activities and policies between Canadian and international research funding agencies

Tri-Agency Open Access Policy
Who can help?

Digital Initiatives department, University Library

Your Liaison Librarian

Digital Repository Librarian, University Library

RESEARCH DATA RECORDS MANAGEMENT

Mandatory/key compliance obligations

Ensure you are in compliance with funder retention requirements

External policy/requirements

See specific funder requirements

Who can help?

FANS – Office of Research

Library: writing a data management plan or recommending data repositories

Mandatory/key compliance obligations

Ensure you are in compliance with regulatory requirements

External policy/requirements

Health Canada Regulated Clinical Trial data must be retained for a minimum of 15 years

Who can help?

FANS – Office of Research

Mandatory/key compliance obligations

Ensure compliance with intellectual property policy

Waterloo policy, procedure or guideline

Policy 73

Who can help?

WatCo – Office of Research

Mandatory/key compliance obligations

Ensure your retention plan is aligned with the framework for the responsible conduct of research

Waterloo policy, procedure or guideline

Retain data for as long as needed, both before and after publication of research results, so that you can respond to allegations of research misconduct. Some sponsors or funders have their own requirements related to research misconduct (e.g., NIH-funded studies require researchers to retain data for six years after the final resolution date of a case).

External policy/requirements

Tri-Agency Framework: Responsible Conduct of Research

Who can help?

Need Help page in Research Integrity

Best practices

Researchers own their data and can retain it for as long as they like, provided it is kept secure

Who can help?

IST SOC: soc@uwaterloo.ca

Library: recommending secure repositories and off-site storage