PS-08.A.07 - Data Management and Sharing
Effective Date: 7/21/2025
Issue #: 1
President: Dr. Loren J. Blanchard
1. Purpose
1.1. The purpose of this policy is to:
1.1.1. Ensure consistency in the appropriate handling, storage, and dissemination of research data;
1.1.2. Protect the University and research teams by meeting the requirements of funding agencies; and
1.1.3. Provide adequate oversight by the Office of Research and Sponsored Programs to monitor the protection of research data and investigate related concerns.
2. Definitions
2.1. Intellectual Property (IP): inventions, copyrightable works, trademarks, and tangible research property
2.2. Research Data: Recorded factual material commonly accepted in the scientific or scholarly community as necessary to validate research findings, excluding preliminary analyses, drafts of scholarly or scientific work, plans for future research, peer reviews, communications with colleagues and physical objects (e.g., laboratory samples).
3. Policy
3.1. Data Management Roles and Responsibilities
3.1.1. University of Houston-Downtown (UHD): the primary owner of data generated by awards, gifts, or contracts/subcontracts to faculty and staff, as well as IP generated at UHD, whether or not the research is externally funded.
3.1.1.A. This may also apply to students who generate data as part of their employment by UHD and/or whose data collection is supported by an external award. Data related to human subjects research must be retained by UHD in accordance with federal and Institutional Review Board (IRB) requirements. The University also has the right to refuse data coming into the institution, or leaving the institution, on a project-by-project basis.
3.1.2. Principal Investigator (PI): The primary steward of the data.
The PI is responsible for:
3.1.2.A. Identifying an individual as information custodian as defined in SAM 07.A.08, Data Classification and Protection to provide operational support during the project;
3.1.2.B. Identifying the individual from the college/division/university serving as the Information Security Officer (ISO) for the research project with responsibilities for data protection and compliance;
3.1.2.C. Developing a written data management plan that adheres to University requirements and any applicable contracts. For example, in the case of funded research, the plan should include procedures for retaining and sharing data according to sponsor requirements;
3.1.2.D. Reviewing the data management plan at least annually to ensure it remains current;
3.1.2.E. Enacting processes necessary to confirm compliance with the plan, including data security per sponsor and regulatory requirements;
3.1.2.F. Working closely with the College, the UHD Office of Research and Sponsored Programs (ORSP), and collaborating institutions upon leaving UHD to ensure the appropriate transfer and ownership of data and IP; and
3.1.2.G. Producing the plan and associated documentation upon request by the ORSP and/or applicable funding agencies.
3.1.3. The College/Department/Center is responsible for:
3.1.3.A. Providing the necessary resources for data management, addressing related information security issues and ensuring investigator compliance with data management requirements and university policy, such as SAM 07.A.08, Data Classification and Protection;
3.1.3.B. Working with the PI upon their leaving UHD to ensure appropriate transfer and ownership of research data.
3.1.4. ORSP is responsible for:
3.1.4.A. The development of a campus-wide policy for data management and review of compliance concerns related to data management, particularly with regard to compliance with federal grant requirements sponsored project agreements, and data use agreements relating to data received from third parties;
3.1.4.B. Maintaining the right to refuse an award if the University is unable to meet data requirements;
3.1.4.C. Sequestering/taking custody of data as necessary for investigations of noncompliance and/or research misconduct;
3.1.4.D. Upon request, working with the College upon a PI leaving UHD to ensure appropriate transfer and ownership of research data.
3.1.5. UHD Information Technology (IT) is responsible for:
3.1.5.A. The oversight of enterprise level software and systems related to data management;
3.1.5.B. Providing guidance and assisting faculty and staff with completion of a data management plan and grant required documentation related to security requirements.
3.2. Data Management Plan
3.2.1. To ensure the appropriate identification and protection for information research, all university research projects should have a formalized, written data management plan.
3.2.1.A. The PI should determine if the funding agency for a particular research project has specific requirements for a data management plan , and ensure a plan meeting those requirements is submitted to the funding agency as applicable.
3.2.1.B. If there are no formal requirements, a data management plan including, at a minimum, the following information must be documented and shared with all key personnel involved with the project:
i. Type of data being collected and stored (e.g., medical, financial, educational). This should include designation of any data with specific compliance requirements, such as Health Insurance Portability and Accountability Act (HIPAA), Family Education Rights and Privacy Act (FERPA), Federal Information Security Management Act (FISMA), or any project requiring compliance with National Institute of Standards and Technology (NIST) standards;
ii. Description of the appropriate platform for data storage, including security components;
iii. Responsibility for the data from an ownership perspective;
iv. Responsibility for the data from an IT support perspective;
v. Responsibility for the data from an information security perspective, including the identification of the ISO for the College/Department/Center;
vi. Location where the data will be stored (e.g., standalone computer, department share). All data should be stored in accordance with SAM 07.A.08;
vii. How and by whom logical access to the data will be controlled;
viii. How physical access to the system containing the data will be controlled;
ix. Type of anti-virus controls the system containing the data will have;
x. Process for digital data backups for recovery purposes, including the media that will be used for backups, how often the backups will occur and how often backups will be restored for testing; and
xi. Process for securely storing non-digital data (e.g. lab books, consent/data collection forms).
3.3. Data Storage and Archiving
3.3.1. Data must be archived in a controlled, secure environment in a way that safeguards the data (primary, secondary and metadata), observations, or recordings in accordance with SAM 07.A.08.
3.3.2. The archive must be accessible by scholars analyzing the data, and available to collaborators or others who have rights of access as allowed or required by the sponsor.
3.3.3. Research data should be stored securely for sufficient time following publication, analysis, or termination of the project. Research data includes not only the primary information produced through the conduct of the research, but also the corresponding metadata. Research data must be retained in accordance with all applicable sponsor and federal regulatory data retention requirements and profession-specific ethical guidelines/timelines.
3.3.4. If sponsor requirements indicate that data must be destroyed at a given time point, the PI is responsible for ensuring destruction per these requirements.
3.4. Data Sharing
3.4.1. Investigators are expected to share with other researchers data created or gathered in the course of funded research within a reasonable time frame. These requirements may vary, based on funding agency, but in general require that research data be made available to the scientific community for subsequent analysis. In most cases, the PI has the right to first analysis, unless other requirements are in place to warrant immediate release. It is the PI's responsibility to ensure that data sharing plans are developed and provided to the granting agency as required, and to ensure that the plan is executed.
3.4.2. Methods of sharing data may include, but are not limited to, publications, placing data in public archives, and sharing directly with other researchers.
3.4.3. PI's are responsible for working with ORSP to ensure that the intellectual property of the University is protected throughout any data sharing arrangement.
3.4.4. Any data shared must meet all requirements for compliance including privacy and data protection. It is the PI's responsibility to ensure that all compliance requirements for the data are properly identified and satisfied through any data sharing arrangement. This includes requirements identified through IRB and other compliance processes.
4. Procedures
4.1. There are no procedures associated with this P.S.
5. Review Process
Responsible Party (Reviewer): Associate Vice President for Information Technology & CIO (or equivalent position)
Review Period: Every five years on or before September 1, and as necessary.
Signed original on file.
6. Policy History
Issue #1: 07/21/25 (Current issue)
7. References
SAM 07.A.08, Data Classification and Protection
Health Insurance Portability and Accountability Act (HIPAA)
Family Education Rights and Privacy Act (FERPA)
Federal Information Security Management Act (FISMA)
National Institute of Standards and Technology (NIST)
8. Exhibits
There are no exhibits associated with this PS.