
Research Data Classification Form FAQs

What is the purpose of the Research Data Classification Form?

The University’s research endeavors increasingly require access to controlled data (e.g., export controlled technology, Protected Health Information, Personally Identifiable Information, Covered Defense Information, other Controlled Unclassified Information). To understand and protect the controlled data the University receives more efficiently (and to reduce administrative burdens for faculty and their college/departmental administrators), several University offices have developed a beta Research Data Classification Form (RDCF) that automatically routes to the correct University stakeholders. Using the form avoids the need to determine which University offices must be involved in agreement reviews, information technology controls, etc.

Where is the RDCF located?

The beta version of this new form is now available on Bronco Hub under:

My Organization → Boise State Reporting → Reporting Resources → Research Data Classification Form (Beta)

When should I submit an RDCF?

Each time you are going to receive “controlled data,” whether they’re restricted by statutes/regulations or contractual terms and conditions (including non-disclosure agreements), please submit an RDCF at least three weeks before the date you desire to access the controlled data.  Depending on the type of data, more time may be required to ensure compliance.

This FAQ applies to externally funded research activities and University-sponsored/supported work.  As used in this FAQ, “research activities” is a generic term that means traditional research and scholarly activities, as well as services to other parties (e.g., public health, public service, public schools, criminal justice, business services, and other analogous activities).

Can I receive controlled data before the appropriate University officials have approved their receipt?

No.  You cannot access controlled data until their receipt has been approved by the appropriate University officials.  To do otherwise may constitute a breach of contract or a violation of University policy (e.g., Policy 8060, Information Privacy and Data Security) and/or applicable laws/regulations.

Are information technology controls, software, and procedures the same for all controlled data?

No.  Information technology controls, software, and procedures are unique to the type of controlled data to which the University will have access.  Some controlled data may only be available to U.S. citizens or lawful permanent residents of the U.S., while other data may require extensive privacy and/or security controls, such as NIST SP 800-171, 48 CFR 252.204-7012, HIPAA privacy and security rules, Payment Card Industry Data Security Standard, and/or particular contractual obligations.  Finally, some data are much more common at the University (e.g., FERPA) and require fewer additional controls.

Who will pay for privacy and security controls necessary to access, store, and evaluate controlled data?

The University provides cybersecurity technology necessary to support standard University operations.  If requirements for controlled data exceed the University’s standard support, you should expect to pay for the additional support from your local, appropriated, or sponsored funds.  In some cases, this may require standalone and locked office space, air-gapped computers, and/or external cloud providers’ support (e.g., Sherlock from San Diego Supercomputer Center).

May I access controlled data from my personal computer or mobile device?

As a general rule, controlled data may only be accessed via University-owned/controlled computing devices.  In some cases, merely accessing controlled data from a personal device may be a breach of contract or a violation of applicable laws/regulations.

Why is the University so concerned about ensuring controlled data are adequately protected?

Breaches of the University’s obligations to protect controlled data can lead to (1) reputational and revenue loss, (2) lawsuits and unfavorable judgments, and (3) administrative, civil, and criminal fines and penalties up to $1M per occurrence and 20 years of incarceration.  Individual University employees and students can be personally subject to these penalties.

Who should I contact with questions about controlled data?

Please contact the Chief Information Security Officer at ciso@boisestate.edu or (208) 426-4127.
