External Hard Drive for Restricted-use Data

Select this plan if you intend to work with restricted-use data on your own personal or institutional computer that may also be used for activity other than the storage and analysis of restricted-use data for the duration of the Restricted Data Use Agreement. Security requirements include a secure, locked location for both storage and access, as well as storing all restricted-use data on an external encrypted hard drive and only connecting that hard drive to a computer when the computer has been disconnected from the internet and all other networks. Further requirements: 

  • Data will be stored directly on an encrypted external hard drive, and will not be copied or moved out of the secured directory on the external hard drive for any reason. FIPS 140-compliant encryption software will be used for full-disk encryption of the local computer used to access the data, as well as for full-disk encryption of the external drive used to store the data. Note: Folder- or file-level encryption is not sufficient. ICPSR recommends the use of Windows BitLocker or Mac OS X Disk Utility.
  • The local computer used to access the hard drive containing restricted data will be disconnected from the Internet and all other networks during any time that the external drive is physically connected to the machine. 
  • During all backups of the computer(s), the restricted data will be excluded. This also applies to any cloud-based storage and/or backups (e.g., Box, Dropbox, OneDrive, iCloud).
  • The operating system of the local computer will remain in support by its manufacturer for the duration of the project. As of September 2022, Windows 7 is no longer supported, nor is macOS 10.14 (Mojave). The system should be kept up-to-date with all applicable system and application security patches.
  • Data will remain stored in a secure, locked location and will only be accessed by approved researchers from a private room or office. Computer monitor(s) will be oriented to prevent eavesdropping. The computer screen will be set to auto-lock after 15 minutes (or less) of inactivity and all users agree to manually lock the screen or log off from the desktop when stepping away. All users will utilize all applicable security features available within their local computer’s operating system to prevent unauthorized data access, including password-protected user accounts and NTFS permissions. Login credentials will not be shared with others. 
  • Should any security incidents or breaches of this plan occur, the Investigator will notify ICPSR within the time frame specified in the Restricted Data Use Agreement by contacting icpsr-help@umich.edu.
  • The Investigator will either renew their Restricted Data Use Agreement or destroy all data at or prior to the conclusion of the Restricted Data Use Agreement.
  • Restricted data will be completely removed from all storage and backups at or prior to the conclusion of the Restricted Data Use Agreement. Use of secure multi-pass erasure software meeting or exceeding DoD 5220.22-M standards is recommended.
  • Any printed copies of the data will be destroyed (e.g., shredded rather than recycled or placed intact in a waste receptacle) at or prior to the conclusion of the Restricted Data Use Agreement.