Middlebury faculty, staff, and students are afforded opportunities to pursue research projects involving data collected from human subjects.

This data must be managed and protected to ensure the privacy and confidentiality of research subjects.

The Data Security Levels and Data Security Guidelines detailed below and defined by Middlebury’s IRB have been established to help protect research data.

Researchers should begin by understanding their responsibilities and creating a Data Protection Plan, also explained below, for their research project.

Data Security Levels

Middlebury’s Institutional Review Board, or IRB, has defined three Data Security Levels, describing the potential impact of unauthorized data disclosure to research subjects.

  • Data Security Level 1: Information that if disclosed would not harm subjects. Examples: benign research information, research data that has been de-identified in accordance with applicable rules/laws, published research, etc.

  • Data Security Level 2: Information that if disclosed could cause risk of material harm to individuals if disclosed. Examples: personnel records, financial information, etc.

  • Data Security Level 3: Information that would likely cause serious social, psychological, reputational, financial or legal harm to individuals if disclosed; high-risk confidential information. Examples: individually identifiable medical information, genetic information, information on legal/immigration status, social security number, etc.

Researcher Responsibilities

Researchers are responsible for ensuring that research data is appropriately protected during the entire lifecycle of a research project. At the conclusion of a project, researchers are responsible for the secure archival, deletion, and/or destruction of research data.

Researchers are required to review and understand the Data Security Guidelines listed below, any associated Federal regulations, and any contractual or binding-agreements pertaining to the use of specific data sets.

Researchers are also required to review, understand, and be able to explain the data protection mechanisms designed to preserve the confidentiality of the data their research projects generate. The best way to do this is to create a Data Protection Plan for the project and submit that to the IRB.

Data Protection Plans

Researchers are required to create a Data Protection Plan for their project. The IRB coordinator is available to assist researchers in developing their plans. In some cases, ITS may assist with the implementation, operation, and management of such plans.

Data Security Guidelines

The following is intended to present a simplified view of the different types of security protections that should be ensured for research projects, according to their IRB-determined data security level.







Data Protection Plan

Create a Data Protection Plan that describes the security protections that the research project will use. Vendors providing application, computing, and storage services to support a research project must have security controls in place matching or exceeding these guidelines.

After the IRB determines the Data Security Level of the proposed project, the researcher works with the IRB Coordinator to create an appropriate Data Protection Plan.

Access Controls

Electronic and physical access controls are required to ensure that only authorized individuals can access research project systems and data.

The researcher uses strong, unique passwords to access the research project’s electronic systems and data. The researcher ensures that any physical research project data is secured by lock and key.

Data Encryption


Encrypt research data using industry-standard tools and technologies. Keep the encryption keys separate from the systems that contain the data.

The researcher encrypts their research data and keeps the encryption keys, or passwords, on a different system.

Windows users may use EFS to encrypt files and folders.

Mac users may use Disk Utility to encrypt files and folders

Data Isolation


Computing and storage services supporting the research project must be isolated from the Internet and the campus network. Research data may NOT be moved from these systems.

The researcher uses a computer that does not have a network connection when working with decrypted research data.

Dedicated Systems



NO shared systems and/or storage. Computing and storage services supporting the research project must be dedicated to the purpose of supporting research projects with highly sensitive data. 

The researcher uses a dedicated computer to work with the decrypted research data. The computer must not be used for any other purpose.

Security Monitoring



Create and conduct security operations processes to monitor for unauthorized access attempts.

The researcher must be able to document all instances of access to the research data, whether authorized or unauthorized. This could be accomplished via an automated access log report.