Duke University
Statement on Data Governance and Protection
Duke faculty, staff, students, patients, collaborators and research subjects entrust us with their personal and confidential information. We balance the free exchange of information with the need to protect sensitive or regulated information and to ensure information is available for authorized use. Data is a valuable strategic asset and we must demonstrate responsible stewardship for the data we access and create to maintain its security, confidentiality, integrity and availability. Duke is committed to fairly and appropriately managing and safeguarding information and data collected, used and maintained in support of its academic, research and clinical missions.
Duke uses institutional data to inform better decisions and improve institutional insight. Duke also encourages appropriate sharing of its institutional data within our community, consistent with the sensitivity, privacy landscape and data classification of that data. Data governance and security practices promote evaluation of requests and oversight of access, use, confidentiality, aggregation, de-identification and other data transformations applied to shared data as appropriate. We keep information confidential and use it only with permission and for authorized purposes (Values in Action: Data Protection, Privacy and Confidentiality).
We are committed to ensuring sound data governance, stewardship and diligent protection, including responsible and ethical use of information assets generated by or entrusted to Duke in accordance with regulatory requirements. Data governance and protection practices guide responsibility and accountability as well as opportunity and efficiency, and strengthen the framework for stewardship and trust.
This Statement on Data Governance and Protection (the Data Statement) is intended to provide an overview of Duke’s data protection practices. It applies to activities conducted by Duke University and its wholly owned and affiliated entities (supplemental information for clinical and protected health information is described below).
Clinical and Protected Health Information
We are committed to safeguarding Protected Health Information (PHI) by adhering to the standards of data security, privacy, and confidentiality in our use and disclosure of PHI and any data derived from PHI, including de-identified data (collectively PHI). Duke Health follows a comprehensive, institutional approach to govern and protect data, ensure patient privacy, provide quality care, and conduct clinical research. We adhere to the Health Insurance Portability and Accountability Act (HIPAA) and other applicable federal and state laws.
Duke Health publishes supplemental policies and guidance specific to the clinical care environment and PHI: Duke Health’s Commitment to Data Governance and Protection and Duke Health Enterprise Notice of Privacy Practices.
Duke’s data governance is a system of institutionally managed and provisioned computing environments coupled with federated decision rights and accountabilities for data collection, storage, access, processing and use. Policies and standards, including a Data Security Policy and Data Classification Standard, have been established to communicate Duke’s data protection expectations and enable accountability. Duke employs an oversight committee structure for information security, technology priorities, privacy, compliance and incident response. Additionally, Duke’s system of controls for data quality, stewardship, management and compliance includes processes and technology to secure data throughout its lifecycle and addresses: data confidentiality and privacy, data generation and collection, data use and security, data sharing and disclosure, data retention and destruction. Key security guidelines help drive expectations for identity management, endpoint protection, data import/export, data analytics and decision support tools, data storage and third-party risk management. These policies and controls are reinforced through education and awareness.
Categories of data collected, stored and used at Duke include:
- Institutional – (1) any information acquired, created or generated by Duke in support of its mission or business activities, decisions or services; and (2) information collected or generated to meet regulatory, contractual or legal obligations
- Research – any information collected, stored, generated or used in the course of academic, scientific and other non-clinical research activities
- Clinical – personal health information (PHI) and directly related information and images collected, generated, created, stored, accessed or used in the provision of clinical care, patient communications and records, conduct of medical research and clinical trials, and other activities directly related to clinical care
- Publicly Available – information and data that is accessible to the public without restrictions, credentials or payment, but that may have usage guidelines imposed (e.g., citation, permission or acknowledgement requirements)
We are all data stewards and responsible for ensuring we can trust data and have confidence in its reliability to support effective academic, research, patient care and operational decision-making. Data-related work is performed according to policies and procedures, and in compliance with applicable laws and regulations. We use data prudently and ethically. All members of the Duke community are expected to know the classification of the data they’re handling and to understand the associated recommended practices (Data Classification Standard, Duke Services and Data Classification).
Various federal and state laws impose obligations on Duke, including, but not limited to NSPM-33, HIPAA, FERPA, FISMA, the NC Identity Theft Protection Act and PCI-DSS. Grants and contracts may also stipulate requirements for the protection and preservation of associated data. It is important that all data are reasonably and appropriately managed to maintain data integrity, availability, and when required, confidentiality to protect against accidental or unauthorized access, modification, disclosure and destruction. Duke’s Data Security Policy supports and reinforces our regulatory and contractual obligations.
Duke faculty, staff and students may have access to confidential information. Confidential Information must be safeguarded and treated with respect and care by any workforce member authorized to have access to it. Duke is committed to fairly and appropriately managing and safeguarding the information collected, used and maintained in support of its employment practices and its academic, research and clinical missions and to transparency regarding our data management practices. Duke respects data integrity and protection for all its stakeholders, including as represented by personally identifying information about each stakeholder, and takes seriously its responsibility to protect individuals’ privacy in balance with meeting its legal, policy and administrative obligations. We seek to minimize the information we collect, limit access to that information and apply appropriate security measures to protect against loss, improper modification and disclosure.
We generate and collect data for legitimate and specified purposes related to our academic, healthcare, research and business activities. This valuable data includes intellectual property, proprietary information and sensitive or private data about students, faculty, staff, patients and research participants. We limit the data collected, used and stored to only that which is needed to meet the intended purpose.
We only use data for its authorized and intended purpose. We employ robust technical and organizational measures to safeguard data against unauthorized access, disclosure, alteration, and destruction. These measures are grounded in trusted frameworks and guidelines, such as CIS Critical Security Controls and NIST 800-171. We are aware of and apply Duke’s security policies and standards related to data access and handling according to its classification (Data Classification Standard), including use of passwords, approved tools, encryption to secure access and storage, and only store data in approved computing environments (Duke Services and Data Classification), such as those designated for research or sensitive data. We take personal responsibility for applying fundamental security practices, such as physically securing laptops and other digital media devices, maintaining the privacy of passwords and not sharing credentials, locking computer screens when not in use, and being aware and taking appropriate action when receiving suspicious emails or other phishing attempts.
We balance the free exchange of information with the need to protect sensitive or regulated information and to ensure information is available for use. We share data within the Duke community for legitimate purposes, such as academic administration, decision support and healthcare provision. Additionally, we share data with external partners, collaborators, or regulatory bodies as required by law or for research collaboration, always ensuring appropriate safeguards are in place to protect the data, including the use of approved tools based on the classification of the data (Duke Services and Data Classification). Data is shared responsibly according to Duke policy and in compliance with contractual commitments using approved tools and methods.
We only retain data for as long as necessary to fulfill the purposes for which it was collected or as required by applicable laws and regulations. We understand and abide by Duke and contractual data retention and destruction requirements, for data generated in-house and provided by third parties (Records Retention Guidelines).
Your Duke NetID is your unique electronic identity. Your NetID and password should not be shared. Any authentication to services offered to the Duke community or making use of non-public Duke data should require use of an approved single sign-on (SSO) authentication method (Authentication to Duke Services). This helps ensure that Duke’s security offices can help monitor traffic for indicators of compromise and prevent or respond to any security issue as quickly as possible. We adhere to parameters and guidance provided in Duke’s password policy and immediately change our password if it is believed to have become compromised (Secure Access Guide). We should not reveal a password to an IT support technician or any other individual, even though they may claim to work for the IT service (over the phone or in person). If, in our professional judgment, it is necessary to share a password with an IT support technician or any other individual, the password must be changed as soon as possible thereafter. Once shared, a password is considered compromised and must be changed immediately (Duke Acceptable Use Policy).
Security requirements have been defined and applied to all Duke-owned laptops, desktops, and servers, including virtual machines. Guest laptops, desktops, and servers also meet defined endpoint security requirements to connect to the Duke network or store Duke data, including use of antivirus software, a supported operating system and up-to-date patching. We coordinate with support teams to address endpoint security issues, apply updates when notified that they are available, respond promptly to requests from support teams, and turn on devices regularly so that they can receive updates and communicate with security tools (Endpoint Device Security and Quarantining Practices). Any IT administrators with access to endpoint security tools, including the IT Security Office, are required to adhere to the Duke Acceptable Use Policy, particularly those statements regarding the expectation of privacy for the Duke community. IT administrators may not use their access to look at content on the systems they maintain, except when defined conditions are met, and use of the security management tools is audited (Endpoint Management Operational and Privacy Protocols).
We are careful in how we download and transmit data to protect its confidentiality, its integrity and our environment. We only share data with authorized individuals who have a valid business need to receive and view it. Approved tools and services are used to facilitate the secure sharing and receiving of data according to the classification of the data (Duke Services and Data Classification). We apply heightened vigilance when sharing data and use a medium (e.g., email, web-based portal, file drop, hard copy shipment) that is appropriate for the type of data. We ensure files and data do not contain viruses or other threats prior to introducing them to the Duke environment.
Duke uses advanced technologies to enhance our data analytics capabilities. Duke encourages the appropriate, responsible and ethical use of legitimate data analytics and decision support tools to support comprehensive research and analysis, including artificial intelligence (AI) technologies such as large language models and generative AI. We follow Duke’s stance regarding use of decision support and analytical technologies and remain informed of changes to their acceptable use (Use of AI Tools, Generative AI and Teaching at Duke). We avoid using Duke credentials (email address and NetID password) to access tools that open data sources, avoid submitting sensitive personal or Duke data to such services, and verify the accuracy and validity of data received from third-party tools prior to entering the data into Duke systems. Only data classified as “Public” per Duke’s Data Classification Standard is submitted to publicly available AI tools. When possible, we use Duke-hosted platforms and ensure data entered in public-facing systems does not pose privacy, confidentiality or proprietary data risks.
Duke approves authorized third-party applications, services, computing environments (including cloud) and storage solutions that access, use, store, or transmit Duke data based on the sensitivity and classification of the data (Storage, Backups and Hosting). Duke faculty, students and staff should be aware that there may be institutional, legal, regulatory and contractual obligations that require the use of specific storage options. Access to data locations is limited to authorized or approved individuals and immediately removed when no longer needed. Institutional approval is obtained when providing public or broad access to data (Duke Services and Data Classification).
We utilize approved procurement channels and follow existing protocols when engaging third parties, including consultation with the IT Security Office prior to sharing any data with a vendor. A detailed security assessment of the vendor’s environment is performed using industry standard tools prior to sharing data. Vendors receiving Duke data must meet and maintain compliance with Duke’s security requirements, including terms contained in additional contractual provisions, when required. Data use and sharing agreements must be authorized by the Duke Office of Counsel prior to sharing Duke data with third parties for research purposes, to outline acceptable terms of use and expected safeguards. When a Duke employee or student leaves the University, their account information (such as email, electronic files, voice mail and other data) is not made available to third parties, except in rare cases as defined in the Duke Acceptable Use Policy (Account or Data Access Policy).
Duke’s central IT organizations provide information on data protection best practices and emerging threats. Policies, standards and guidelines are communicated to all new hires. Additional materials and educational requirements have been developed for individuals with access to sensitive data in protected enclaves within Duke’s network (Security Awareness and Training Service Guide). Awareness activities, such as simulated email phishing exercises, are provided throughout the year to maintain security awareness and vigilance. As stewards of sound data protection practices, we understand and apply the teachings communicated within these educational campaigns and take personal responsibility for remaining informed of evolving threats and recommendations.
Key Contacts
- Duke University Chief Information Security Officer (CISO)
- Duke University Privacy Officer
- Duke Scientific Integrity Officer
- Duke University Compliance Officer
- Duke University Health System (Duke Health) Compliance Officer
- Duke University Health System (Duke Health) Privacy Officer
- Duke University Health System (Duke Health) CISO
- Duke Speak-up Program (for confidential or anonymous concerns)
- Office of Counsel
Relevant Policies and Standards
- Use of AI Tools
- Data Security Policy
- Secure Access Guide
- Confidentiality Policy
- Duke Acceptable Use Policy
- Data Classification Standard
- Records Retention Guidelines
- Storage, Backups and Hosting
- Account or Data Access Policy
- Authentication to Duke Services
- Duke University Privacy Statement
- Generative AI and Teaching at Duke
- Duke Services and Data Classification
- Security Awareness and Training Service Guide
- Duke Health’s Commitment to Data Governance and Protection
- Endpoint Device Security and Quarantining Practices
- Endpoint Management Operational and Privacy Protocols
- Values in Action: Data Protection, Privacy and Confidentiality
Definitions
Clinical Data: personal health information (PHI) and directly related information and images collected, generated, created, stored, accessed or used in the provision of clinical care, patient communications and records, conduct of medical research and clinical trials, and other activities directly related to clinical care.
Data: Any items of information that are received, created, collected, maintained, accessed, provided by a third party (e.g., as part of a sponsored research project or other collaboration) and used, transmitted or disclosed for the fulfillment of the mission of Duke, whether in electronic, paper or other format (Data Security Policy).
Data Availability: Data is accessible to appropriate personnel based on roles and responsibilities, at the right time.
Data Classification: Tiers that assist in determining how data must be controlled, handled or managed; currently Duke’s classifications are Sensitive, Restricted and Public.
Data Custodian: The individual who physically or directly handles the storage and security of data.
Data Integrity: Data that complies with all rules regarding definitions, relationships, lineage, and heritage. In data movement, data that is not changed unexpectedly through transmission between systems.
Data Manager: The individual who is responsible for maintaining security controls to protect data established under law and by this and any other Duke requirements (Data Security Policy).
Data Quality: The degree to which data is accurate, complete, timely, consistent with all requirements and business rules, and relevant for a given use, fit for purpose.
Data Steward: The individual who has accountability and authority to make decisions about a specific set of data and is responsible for defining the access and protection rules for a specific set of data (Data Security Policy).
Institutional Data: Data that the university collects or generates in support of our mission and academic or business purposes, and information collected or generated to meet regulatory, contractual or legal obligations, excluding data of Duke University Health System (DUHS) and other related Duke entities.
Intellectual Property: Data that pertains to creative works, branding, inventions, confidential information or third-party relationships; this may be generated by Duke faculty, staff or students, or entrusted to Duke through contractual data sharing relationships.
Publicly Available Data: Information and data that is accessible to the public without restrictions, credentials or payment, but that may have usage guidelines imposed.
Research Data: Any information collected, stored, generated or used in the course of academic, scientific and other non-clinical research activities.
User: The individual who creates, accesses, processes, enters, reads, deletes or otherwise "uses" data (Data Security Policy).