VCU branded angle-motif letterhead

Research Data Ownership, Retention, Access, and Security

  • Responsible Office: Research Administration and Compliance, Research and Innovation
  • Current Approved Version: 11/16/2017
  • Policy Type: Administrative

Policy Statement and Purpose

This policy asserts and protects the rights of Virginia Commonwealth University with regard to ownership and retention of research data and related records. It also outlines the university’s treatment of research data security that includes stipulations on access to university research data. This policy aims to establish a consistent and efficient management of university research data that is consistent with applicable federal regulations and with the Library of Virginia Public Records Act.

In cases involving allegations of misconduct in research and scholarly activities, the threat of imminent loss of data custody, maintenance of intellectual property records, incapacity of the principal investigator (PI) or for other justifiable causes, the university, acting through the vice president for research or designee, may take immediate custody of research data in its entirety or by allowing investigator access after a forensically sound copy is made.

Noncompliance with this policy may result in disciplinary action up to and including termination. VCU supports an environment free from retaliation. Retaliation against any employee who brings forth a good faith concern, asks a clarifying question, or participates in an investigation is prohibited.

Principal Investigator’s General Responsibilities:

The use of Research Data gathered or created within a group of Investigators is subject to the reasonable control of the PI. Principal Investigators are subject to university commitments and university policies when using information or data gathered or created through research. The Office of Science and Technology Policy issued a Memorandum in February 2013 that seeks to increase access to the results of federally funded research by mandating certain funding agencies to maintain a database of research data and results. Investigators must be aware of, and comply with, sponsor requirements for data management plans, data sharing, and data preservation. Investigators are obligated to discuss and be aware of responsible data handling, university policies, and university commitments with other members of their research team.

Custody of Research Data:

The Principal Investigator is considered to be a Data Custodian under the VCU Information Technology Policy Framework, Data Classification Standard and is therefore charged with the creation, integrity, preservation and security of Research Data, as well as appropriate marking and reporting of all university intellectual property that may be included in, or derived from, the Research Data.

Retention of Research Data:

The Principal Investigator of each Research program must ensure that Research Data documentation is retained according to the standards of the Virginia Public Records Act, the requirements of the sponsor, and according to VCU policy.

If an investigation, legal action or official inquiry concerning a Research activity is ongoing; all Research Data related to the project must be retained and made accessible until all issues are resolved.

Research Data should be kept for as long as may be required to protect any patents or other intellectual properties resulting from this work.

If a student or trainee is involved in research, that research data must be retained at least until the degree is awarded to the student, the training period is complete, or it is clear that the student has abandoned the work.

This policy does not create an obligation to retain Research Data ensuing from an abandoned or unfunded project, unless it results in a Report in which the investigator is identified as a University Member, constitutes a record of university intellectual property, or involves the use of animal or human subjects.

Access to Research Data:

The university has the right to access Research Data for all Research that is either performed at the university, supported by university administered funds, or conducted using university facilities, provided such access shall be for reasonable cause, at reasonable times and after reasonable notice, except in the event of a bona fide emergency. The university's right of access shall continue regardless of the location of the Principal Investigator or of the Research Data.

The university and appropriate external officials shall have access to Research Data concerning matters of compliance with human or animal research subject laws, regulations and policies.

Subject to provisions of law, individual human research participants may be allowed to access Research Data that pertains to them but not to access Research Data pertaining to others.

When an Investigator separates from the university, a written Agreement on Disposition of Research Data shall be negotiated between the Investigator and the Investigator's department chair or dean. These agreements will serve to ensure appropriate access to the transferred Research Data in fulfillment of the university's obligations to funding sources and other supporting entities, and for research compliance purposes. When required by law, regulation or contract, or to fulfill other obligations, the university may transfer title or custody of Research Data and records at its discretion.

Sponsor requirements for public access and/or data sharing must be met.

Security Requirements for Stored Research Data:

The VCU Information Technology Policy Framework contains VCU Information Technology policies, standards and baseline requirements which must be followed in conjunction with this policy in addition to abiding by all grant related regulations.

Who Should Know This Policy

All University Members involved in the conduct of research are responsible for knowing this policy and familiarizing themselves with its contents and provisions.



“Ensuring timely and reliable access to and use of information…” [44 U.S.C., SEC. 3542] A loss of availability is the disruption of access to or use of information or an information system.


“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542] A loss of confidentiality is the unauthorized disclosure of information.


A database is an organization or collection of data. The definition is intentionally broad, and is intended to include but is not limited to spreadsheets or Word documents used to store data and saved on a laptop or desktop, space partitioned on VCU owned servers for data storage, and any data stored on third party or “cloud” servers owned by an entity other than VCU. (Examples of third party or “cloud” storage: Dropbox, VCU Wiki, or other web based file repositories.) The degree of data sensitivity may determine whether use of third party storage entities is permitted.

Data Custodian

The Data Custodians can have both a business and/ or technical role, though it is typically considered a business role. The Data custodians are responsible for entering, modifying and maintaining data in the enterprise databases and information systems.

Digital Data

The digital recorded factual material commonly accepted in the scientific community as necessary to validate research findings including data sets used to support scholarly publications.


HIPAA (Health Insurance Portability and Accountability Act) data is data that contains individually identifiable health information. Some examples are; names, social security numbers, birth dates, and other identifiers. HIPAA data is required by the federal government to be retained for six years.


“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542] A loss of integrity is the unauthorized modification or destruction of information.


Means any University Member engaged in the conduct of research as either an employee or student of the university or any person using facilities owned or operated by, or resources administered by, the university.

Original Copy

The top copy or document having the actual typed, handwritten, or computer generated print or signature on it. In cases where the original copy has been sent outside of the university, the institutional copy that resides in the originating office is to be treated as the original copy. The requirement for records retention and disposition schedules relates specifically to original/institutional copies.

Principal Investigator (PI)

Has primary stewardship of Research Data on behalf of the university. In this capacity the Principal Investigator (PI) is responsible for data collection, recording, storage, access, and retention in keeping with this policy and best practices in the PI’s discipline.

Public Records

All original copies of written papers, letters, documents, photographs, magnetic tapes, microfiche, microfilm, sound recordings, maps, other documentary materials, or information in any recording medium regardless of physical form or characteristics, including computer generated and electronically recorded materials and information, made or received in connection with the transaction of public business by any agency or employee of state government or its political subdivisions. State law prohibits individuals and departments from destroying or otherwise disposing of public records without proper authorization.


Means any summary, statement or description of Research activities published in the open literature or provided to the public, the university, a sponsor, or other researchers by a University Member.


Means a systematic investigation designed to develop or contribute to knowledge and may include the stages of development, testing, and evaluation.

Research Data

Recorded information, regardless of form or the media on which it may be recorded, which constitute the original observations and methods of a study and the analyses of these original data that are necessary for reconstruction and evaluation of the Report(s) of a study made by one or more Investigators. Research Data also includes all such recorded information gathered in anticipation of a Report. Research Data differ among disciplines. The term may include but is not limited to technical information, computer software, laboratory and other notebooks, printouts, worksheets, other media, survey, memoranda, evaluations, notes, databases, clinical case history records, study protocols, statistics, findings, conclusions, samples, physical collections, other supporting materials created or gathered in the course of the Research, Tangible Research Property, unique Research resources such as synthetic compounds, organisms, cell lines, viruses, cell products, cloned DNA as well as genetic sequences and mapping information, crystallographic coordinates, plants, animals and spectroscopic data, and other compilations formed by selecting and assembling preexisting materials in a unique way. The term does not include information incidental to research administration such as financial, administrative, cost or pricing, or management information.

Research Development Advisory Council (ReDAC):

Inaugurated in 2006, its members are Associate/Assistant Deans for Research or individuals who hold comparable responsibilities for research development within their respective College/School. Council members represent the research interests of each of the Schools and Colleges at the university, and serve as a conduit of information from the Office of Research and Innovation back to their constituencies. The Council meets regularly with the Vice President for Research and Innovation and the Associate Vice President for Research Development to address topics of specific interest to the university research enterprise, and to identify resources and supports necessary for increasing the strength and competitiveness of VCU as a research university.

Tangible Research Property

Products of research that include, but are not limited to, compositions, biologics, materials, illustrations and drawings, prototypes, devices, and equipment.

University Member

Any full- or part-time faculty member, classified employee, administrative staff member, paid student assistant, student, volunteer, fellow or trainee, visiting faculty member or researcher. One is not a University Member when acting in a purely private role that in no way or manner implicates the university, unless the activity results in a Report in which the individual is identified as having a university affiliation.

University Record

Recorded information that documents a transaction or activity by or with any appointed board member, officer, or employee of the university. Regardless of physical form or characteristics, the recorded information is a university record if it is produced, collected, received or retained in pursuance of law or in connection with the transaction of university business. The medium upon which such information is recorded has no bearing on the determination of whether the record is a university record. University records include but are not limited to: personnel records, student records, research records, financial records and administrative records. Record formats/media include but are not limited to: email, electronic databases, electronic files, paper, audio, video and images (photographs).

VCU Technology Services Data Security Classifications:

Category I - Highly Sensitive Records
Records containing personal information that can lead to identity theft if exposed, health information that reveals an individual’s health condition and/or history of health services use, export controlled data, and proprietary data.

Category II - Moderately Sensitive Records
Physical records containing data that is not explicitly defined as highly sensitive information or is not intended to be made publically available.

Category III - Public Information (not sensitive) Records
Information that is intentionally made available to the public.


VCU’s Office of Research and Innovation officially interprets this policy. The Office of Research and Innovation is responsible for obtaining approval for any revisions as required by the policy Creating and Maintaining Policies and Procedures through the appropriate governance structures. Please direct policy questions to the Office of Research and Innovation.

Policy Specifics and Procedures

1. Acquisition and Use of Research Data:

Investigators shall record original observations in accordance with the standards of their respective disciplines and the university’s Responsible Conduct in Research and Scholarship policy.

The Investigator who gathers or creates Research Data may use the information as they deem appropriate and may authorize others to make appropriate use thereof, subject to university contractual commitments and university policies.

2. Custody of Research Data:

All Research Data shall be preserved in the custody of the Principal Investigator who is responsible for treating such data in accordance with this policy

In the case of incapacity of the Principal Investigator, that individual's supervisor will take custody of that individual's Research Data until other appropriate arrangements are made for alternative custody.

As required by this policy, investigators on Research teams are obligated to discuss with other members of a Research team the responsibilities of data:

    • Acquisition
    • Use
    • Management
    • Access
    • Retention
    • Security
    • Further access and use of de-identified human subjects data that is acquired via student research projects
    • Dissemination of data and research findings in presentations and manuscripts submitted for publication.

Preservation and security of Research Data is typically an allowable direct cost of conducting research and can be a budgeted item in many sponsored program agreements.

3. Retention of Research Data:

Research Data disclosed or referenced in publications, including the primary experimental results, must be retained for a minimum of five years (or as otherwise defined by state or federal regulations or agreement) to allow analysis and replication by others.

Research Data resulting from sponsored programs are to be retained for a minimum of five years after submission of the final Report on the Research project, unless a longer retention period is specified by the sponsor.

A Final Report for each closed sponsored project must be maintained permanently at VCU according to the Records Retention and Disposition General Schedule No. GS-111 updated 12/12/2013. The Office of Sponsored Programs will comply with this new requirement by tracking all sponsored project closeouts, and will generate a standard “Final Completion Report” for each sponsored project that has been closed. This report will then be uploaded, no less than once per year, and archived permanently in digital format in the system the VCU Library currently maintains for open access storage of digital files.

The most common exception to the five year period required by the Virginia Code is the six year retention required by HIPAA if any personally identifiable health information is included in the data.

Research data collected for product application to the Food & Drug Administration (FDA) may be subject to additional data retention requirements as specified by the sponsor and/or the FDA.

If an investigation, legal action or official inquiry concerning a Research activity is ongoing; all Research Data related to the project must be retained and made accessible until all issues are resolved. In addition to the five year retention requirement above, if a student or trainee is involved, Research Data must be retained at least until the degree is awarded to the student, the training period is complete, or it is clear that the student has abandoned the work.

4. Access to Research Data:

University Members who are an integral part of a Research project have the right and responsibility to review all Research Data that they gathered or created, or which support publications for which they are named authors, even after departure from the university, to the extent that such Research Data continues to exist and can be identified.

Standards of data sharing have been published by national scientific organizations and by federal funding agencies:

University Members are expected to share their published data upon request.

In the case of requests that have commercial implication or those that involve Tangible Research Property which may represent potential or protected intellectual property such materials may be shared under the terms of a university-approved Materials Transfer Agreement.

Shared data resulting from human subjects research shall be de-identified, with the linkage code residing in the custody of the university Principal Investigator.

Research Data Management, VCU Libraries, can assist in writing data management plans for awards, training research teams in the responsibilities of data, and finding publicly accessible data repositories.

University Members should request preparation of a Data Use Agreement via the Data Use / Data Sharing Agreement Request form prior to providing Research Data to a third party.

Sponsor Requirements for Public Accessibility
Some sponsors mandate specific methods for long-term preservation and analysis for digital data. Research Data resulting from sponsored programs must comply with all sponsor-mandated preservation. Long-term preservation methods include deposit of data in a publicly accessible sponsor-approved subject repository, the sponsor’s repository, or the VCU institutional repository, Scholars Compass, managed by VCU Libraries.

Sharing of data as required by sponsors, including the primary data, samples, physical collections and other supporting materials, should occur in a timely manner and involve only necessary costs.

5. Transfer of Research Data:

In most cases, when an Investigator is transferring to another institution, VCU shall allow the Investigator's Research Data (other than personally identifiable clinical Research records) to be transferred with the Investigator. However, in order to ensure the university and appropriate external officials have access to Research Data concerning matters of compliance with human or animal research subject laws, regulations and policies, a copy of all transferred data will remain in the appropriate school or department at VCU

The Investigator and Department Chair shall enter into a written agreement describing the disposition of research data. Under the terms of the agreement, the Investigator shall have the obligation to hold these Research Data in trust for the university. See Forms section for a template “Agreement on Disposition of Research Data.”

In some cases (e.g., Research Data supporting a patent application, Research Data generated and/or used by other university Investigators, some Tangible Research Property, or as required by the terms of extramural funding agreements), it may be necessary for original Research Data to be retained at the university. In such cases, this agreement shall allow the Investigator to access and, where practical, to copy Research Data.

In cases of multi-institutional studies, the institution of the primary study director shall be responsible for arranging appropriate access to, use of, and retention of Research Data.

If the university transfers title or custody of Research Data and records as required by law regulation, contract, or to fulfill other obligations, the university, insofar as possible, will ensure access by Principal Investigators, Investigators and other appropriate individuals to that Research Data.

6. Security Requirements for Digitally Stored Research Data:

All sponsored projects and/or IRB protocols involving Category I data must go through an assessment process. (Data Management System (DMS)). Individuals should use the DMS as their main tool for assessing storage requirements.

This policy is designed to address research projects with standard data security needs that focus on the Integrity and Availability aspects of data/information Security. Please reference the Compliance with United States Export Control Laws for data/information security issues focusing on confidentiality and other highly restricted data/information.

7. Research Data Policy Oversight and Dispute Resolution:

The Vice President for Research and Innovation has responsibility for oversight of, and resolution of, disputes resulting from this policy. If an Investigator desires to contest the decision of the Vice President for Research and Innovation, the Investigator may file a written appeal to be reviewed by a committee of researchers, appointed by VCU Research Development Advisory Council.


  1. Agreement on Disposition of Research Data
  2. Data Use / Data Sharing Agreement Request

Related Documents

Related documents are critical to the development of corresponding policies and procedures. Related documents include federal regulations, state regulations, state policies and VCU policies, procedures and guidelines.

  1. Virginia Public Records Act
  2. Records Retention and Disposition Schedule, GS-111
  3. VCU Policy: Records Management
  4. VCU Policy: Intellectual Property
  5. VCU Policy: Responsible Conduct in Research and Scholarship
  6. VCU Policy: Compliance with United States Export Control Laws
  7. Information Technology Policies, Standards, Baselines and Guidelines
  8. FIPS Publication 199, Standards for Security Categorization of Federal Information and Information System
  9. Expanding Public Access to the Results of Federally Funded Research
  10. VCU Libraries Research Guide Research Data Management
  11. VCU Data Management System

Revision History

This policy supersedes the following archived policies:

Approval/Revision DateTitle
November 05, 2015 Research Data Ownership, Retention, Access, and Security
May 15, 2009 Research Data Ownership, Retention and Access


What if the records I have are not listed in an approved records schedule?

Not all records fit neatly into the categories given in the examples. If you have records that are unique and you cannot locate a time table for retention either in university Policy or in the Library of Virginia approved Research Data Ownership, Retention, Records Retention and Disposition Schedules, you should contact the University Records Officer for assistance.

The current University Records Officer is Barry Lanneau, Jr. (

If I am in possession of or have created an electronic version of a document do I have to keep the paper copy?

No. The Library of Virginia Records Retention and Disposition General Schedule No. GS-111 simply requires that “All records must be accessible throughout their retention period in analog or digital format. Whether the required preservation is through prolongation of appropriate hardware and/or software, reformatting, or migration, it is the obligation of the agency or locality to do so.”

What should I do if I receive a Freedom of Information Act (FOIA) request for documents?

If you receive a FOIA request for documents, do not respond to the requester directly. Promptly visit the VCU News Center FOIA requests page for more information.

What is the VCU Data Management System (DMS) and how can I get more information about it?

The DMS is designed to provide VCU personnel with guidance on the handling, transmission and storage of information; including specific requirements related to the handling of various types of information, IT resources and services offered by the university that can assist in handling of such information, and specific precautions one should take in handling various types of information. Additionally, this system provides a platform for requesters of data and information to interact with designated Data Stewards. The features of this system are designed to help requesters in constructing formal data security plans that can be used as an addendum to project proposals, to help the Data Stewards in communicating expectations, and to provide an understanding for users on how data and information should be properly handled. You can access the VCU Data Management System at