FAQ

Information Security · Teachers College

Research Security — Frequently Asked Questions

Answers to the most common research security questions from TC faculty, students, and staff — covering data security, AI tools, IRB compliance, and more.

Can't find what you're looking for? Contact the TCIT Information Security team directly — we're happy to help with any research security question, no matter how small it seems.

New to research security at TC? Start with the Secure My Research page or follow the Researcher Pathway for a step-by-step guide based on your role and situation.
Getting Started

The TCIT Information Security team partners with TC researchers to help protect research data, meet compliance requirements, and build security into every stage of a research project. We can:

  • Review and co-develop the data security section of your IRB protocol or grant proposal
  • Advise on which tools and storage platforms are appropriate for your data type
  • Help you interpret cybersecurity requirements in grant awards and data use agreements
  • Review AI tools you want to use with research data
  • Lead incident response if a security event involving research data occurs

We are not the "department of no" — our goal is to help you do your research securely. Schedule a consultation to get started.

It depends on your situation:

  • Starting a new project with human subjects? Contact the IRB first, then bring in InfoSec to help with the data security section of your protocol.
  • Received a data use agreement or contract? Contact OGC first, then InfoSec to review the cybersecurity requirements.
  • Not sure what data you'll be working with or which tools to use? Start with InfoSec — we can help you figure out your obligations and point you in the right direction.

The Researcher Pathway walks you through the right sequence for the most common research scenarios.

Yes — if you are working with research data as part of a faculty project or your own independent research, TC's data security requirements apply to you. This includes using only approved tools and storage, protecting any devices you use for research, and completing any required training before accessing data.

Your faculty advisor is responsible for the overall security of the project, but you are responsible for following the data handling practices your advisor establishes. If you're ever unsure whether something is allowed, ask your advisor or contact InfoSec directly.

Submit a request through the TCIT Service Desk and we'll schedule a time to meet. Consultations are confidential and free. We respond to all research security consultation requests.

Schedule a consultation →

Data Security & Storage

Research data must be stored in TCIT-approved platforms appropriate for the sensitivity level of the data:

  • Public data: TC Google Drive (using your TC account), SharePoint, or other approved platforms
  • Internal data: TC Google Drive or SharePoint with access controls applied
  • Confidential data: Requires InfoSec consultation to confirm the appropriate platform
  • Restricted data (HIPAA, FERPA, CUI): Requires explicit InfoSec and/or sponsor approval before storing anywhere

Do not store research data in personal Google accounts, personal Dropbox, personal email, or on unapproved devices. Check the Applications Approved for Research list for current approved options.

TC classifies data into four levels: Public, Internal, Confidential, and Restricted. For research data, ask yourself:

  • Does the data include names or identifiers linked to participants? → At least Confidential
  • Does the data include health information covered by HIPAA? → Restricted
  • Does the data include student records covered by FERPA? → Restricted
  • Does your grant sponsor require specific security controls (CUI, FISMA, CMMC)? → Restricted
  • Is the data completely de-identified and not regulated? → May be Internal or Public

When in doubt, treat data as the most sensitive category that could apply and contact InfoSec for guidance.

Laptops used for research must be TC-managed and encrypted. All internet-connected devices used to access research data must meet TCIT's data security standards. If you are using a personal device, contact the TCIT Service Desk to understand what requirements apply.

If a device containing research data is ever lost or stolen, report it to the TCIT Service Desk immediately: 212-678-3300.

The minimum retention period is three years after project completion per IRB requirements. Longer periods may apply depending on your sponsor, IRB conditions, applicable law, or publication requirements.

When the retention period ends, data must be securely destroyed — not simply deleted. Use our End-of-Study Data Checklist to guide the process.

Yes, but a formal agreement is required before any data leaves TC. Contact OGC to initiate the agreement and InfoSec to confirm the approved transfer method. Do not share restricted data via personal email, Dropbox, or unapproved tools.

See our Research Security Templates page for relevant agreement templates, and the Researcher Pathway for the step-by-step process.

IRB & Compliance

At minimum, your IRB protocol's data security section should describe:

  • Where data will be stored and what security controls are in place
  • Who will have access and how access is managed
  • How identifiable data will be de-identified or separated
  • How data will be transmitted securely
  • Your data retention plan
  • Any AI tools used in data collection or analysis

Download our IRB Confidentiality of Data — Sample Language template for InfoSec-reviewed language you can adapt for your protocol.

Contact InfoSec as soon as you receive your award or notice of grant. We can review the cybersecurity clauses in your award documents, confirm whether TC's existing systems meet the requirements, and help you document your compliance posture for reporting purposes.

Schedule a consultation →

Yes. Effective October 10, 2025, NSF requires all principal investigators and senior/key personnel submitting new proposals to complete research security training. Additionally, effective May 20, 2024, covered individuals must certify annually that they are not party to a Malign Foreign Talent Recruitment Program (MFTRP). The Department of Energy has similar requirements, and other federal agencies are expected to follow.

If you have an active federal award or are planning to submit a federal proposal, contact InfoSec or your Office of Sponsored Programs for guidance on meeting these requirements. Use our Research Team Security Training Log to document your team's training completion.

Yes — any changes to the technology used in your research must be submitted to the IRB as a protocol amendment before implementation. This includes adding AI tools to a study that didn't originally include them. Contact InfoSec before making changes so we can confirm the new tool is approved and help you document the change for your amendment.

AI Tools in Research

It depends on the tool and the type of data. TC's primary approved AI tool is Google Gemini, available through your TC Google Workspace account — TC's contract with Google ensures your data is not used to train AI models. For other AI tools, check the Applications Approved for Research list before using with research data.

Consumer AI tools (ChatGPT, Claude.ai, personal Gemini accounts, etc.) are not approved for use with Confidential or Restricted research data. See our Securing Research That Utilizes AI page for full guidance.

Yes — if AI tools are used in any part of your research, this should be disclosed in your IRB protocol. IRBs are increasingly scrutinizing AI use, particularly when it involves participant data.

Download our AI Use Disclosure Template for IRB Protocols for InfoSec-reviewed sample language covering the most common AI use scenarios.

Use caution. Zoom AI features should not be used with identifiable participant data without prior InfoSec review. TC policy also requires that AI meeting assistant features have auto-join disabled, and hosts or faculty may prohibit their use during research sessions. Contact InfoSec to discuss approved transcription options for your project.

This is a security incident — report it immediately:

  • Stop using the tool and do not delete any data or accounts (preserve evidence)
  • Contact InfoSec immediately — 212-678-3300, Opt. 2 or submit a report
  • Notify your PI if you are a student or RA

Early reporting significantly limits the impact. You will not be penalized for reporting in good faith. Download our Research Data Security Incident Report to document the incident after making contact.

Temporary Research Affiliates

You can request temporary research affiliate status. Here's how it works:

  • A TC faculty member must sponsor your continued access
  • The request goes to HR first, then to InfoSec for final approval
  • Default access duration is 4 months — extensions up to 12 months require InfoSec approval
  • Either you or your faculty sponsor can initiate — you both retain your TC email address

Submit the Temporary Research Affiliate Request Form to get started, or see the Researcher Pathway for the full process.

Before initiating the request, confirm the scope of work, expected end date, what TC systems are needed, and whether your IRB protocol needs updating to reflect the affiliate's new status. Then submit the Temporary Research Affiliate Request Form.

We also recommend having the affiliate sign a Research Confidentiality Agreement before access is granted.

Incidents & Reporting

A research data security incident is any event — actual or suspected — involving unauthorized access to, disclosure of, or loss of research data. Common examples include:

  • Accidentally submitting participant data to an unapproved AI tool or external platform
  • A lost or stolen device containing research data
  • Unauthorized access to a research account, storage folder, or database
  • A phishing attack resulting in compromised credentials used for research
  • A data breach by a third-party vendor or tool used with research data

When in doubt, report it. Early reporting minimizes harm and is required under TC policy.

Contact TCIT Information Security immediately:

Do not wait until you are certain — report suspected incidents too. Do not delete data or attempt to fix the problem before contacting us. Afterward, use our Research Data Security Incident Report to document what happened.

No — reporting in good faith is always the right thing to do and is protected under TC policy. The sooner an incident is reported, the more we can do to limit its impact. The Information Security team's role is to help you respond, not to assign blame.

Related Resources

Still have a question?

TCIT Information Security · 212-678-3300, Opt. 2 · Submit a request

Schedule a consultation
Back to skip to quick links