RDM Wise Practices Guidelines

• Standard Sheridan systems (SharePoint, Teams) should be used for members of the project team to access and work on files.
• Access should be limited to only those that need it. It is recommended to share documents/folders with specific people (vs anyone with the link), and use restricted view i.e. view without download (vs edit access)
• The Principal Investigator must make sure that all student researchers are made aware of their obligations for data management.

• May include access to project data and/or files containing deliverables from the research.
• Wherever possible, standard Sheridan systems (i.e. SharePoint) should be used for Partners to access and download files.
• Access should be limited. For example, shared with specific people (vs anyone with the link), restricted view, or view without download (vs edit access). Typically, access to external users will expire after 30 days.
• Files should not be sent by email, due to lack of security and end-to-end protection. The only exception may be for low-risk data files, where there is no concern in potential access by the public.
• Emails with links to encrypted and access controlled files (vs the files themselves) are permissible.

Depending on the specific project needs, the following should also be considered, in consultation with Sheridan IT Services:

• Does the Partner have a preferred site for storing and sharing files? This may be required in some cases, e.g. if a Partner has a specific need, or if Sheridan is collaborating in a multi-Partner grant with the lead organization specifying the file sharing process. It should be noted that the Partner becomes responsible for decisions regarding data access and storage on these sites. The Principal Investigator(s) should consult IT Services to ensure that the site has adequate security provisions, particularly encryption during the transfer process, and minimum privacy requirements (e.g. FIPPA) are met.
• Is there an ongoing need for file transfers? An automated script that can transfer files on a regular basis (e.g. through SFTP) may be preferable.
• Is the file size very large? SharePoint has a 1 TB size limit. If multiple large files need to be kept for an extended period of time, storage may become an issue. Options to expand storage (at a cost, depending on frequency of access) can be considered. For large file sizes, general internet may not be optimal, as the time to access and download these may vary. Other options e.g. site-to-site VPN could be considered if the effort is warranted (e.g. if there is a long-term relationship with the Partner).
• Will the Partner need ongoing access? While SharePoint has a default time limit on external access, there are means to change this on a case-by-case basis.

If the project has specific needs including the ones listed above, the Principal Investigator(s) should contact IT Services for assistance.

• Ensure you have permissions to share. For projects involving human participants, you must have patient/participant consent to share data. Refer to the Informed Consent Template from the Sheridan Research Ethics Board (SREB). Access to participant data should be described in the informed consent form.
• Restrict access to authorized individuals. For high-risk data, access should be restricted to the fewest number of individuals possible.
• Limit access to transcriptions and any audio or visual data.
• Avoid sharing data by email. Files may be shared using links to properly encrypted, access-controlled and expiring links on Standard Sheridan systems (i.e. SharePoint, Teams).
• Ensure that security features like encryption and MFA are enabled.
• Restricted data should be shared hand-to-hand on a password-protected and encrypted data storage device. If geography is a barrier, researchers could consider other options such as joining a partner’s Virtual Private Network (VPN).