Learn about the PRDN
The Duke Research Facilitation & Data Security (RFDS) team supports the evolving computational and data needs of Duke faculty, staff and students using protected data in their research or academic capstone projects. They provide consultations to research teams using protected data and manage the Protected Research Data Network (PRDN). This team was previously housed in the Social Science Research Institute, but now sits within the Office for Research, better reflecting it as an institutional resource.
Protected data is data classified as Sensitive or Restricted by the Duke Data Classification Standard, and includes many types of identifiable or proprietary data, e.g., health records, internal business records, longitudinal studies, educational records, and data regulated by various laws and standards such as NIST 800-171, GDPR, or Export Controls.
We assist researchers across the institution in developing project documentation and obtaining research approvals (including Data Use Agreements (DUAs), Data Management Plans (DMPs), and IRB protocols), to verify that the administrative and technical requirements of both the university and data providers are met. In order to receive support, projects in the PRDN must meet Duke requirements. To work in the PRDN, researchers must have written approval to use or collect protected data. Data descriptions in each project approval must match. RDS will review approval documentation and work with researchers, data providers, and Duke offices to ensure compliance with Duke requirements before work can begin.
The team also manages and supports the technical environment (the Protected Research Data Network, or PRDN) to ensure that the security controls in place are sufficient, appropriate, and consistent, and to monitor for unauthorized activity. Researchers securely access and analyze their data in the PRDN. Our administrative and technical security controls are based on Duke’s Data Classification and University IT Security Office standards and can meet a variety of security requirements including those for HIPAA, export controls, and NIST 800-171. We regularly consult and coordinate with the Duke entities that are involved in research governance and institutional approvals to provide up-to-date guidance to those we support.
Consider using the services of the Protected Research Data Network when you will be working with data (primary and/or secondary) that are classified as Sensitive or Restricted according to the Duke standard (such as data protected by HIPAA, FERPA, or other regulations, human subjects research data, controlled unclassified information, and data protected under a data use agreement or similar contract). The PRDN can be used for both primary and secondary data analysis and storage.
The RDS team provides both technical and administrative support and can customize features specific to the user and data provider requirements. The RDS team sets up and manages this secure enclave in which you can store and analyze your sensitive or restricted project data. We can also help you with your documentation needs, including IRB protocol drafts, data use or data security agreements, and educational project agreements.
We support students, faculty, and academic program staff from departments, schools, and institutes across the Duke campus, including Economics, Political Science, Psychology & Neuroscience, Statistics, the Fuqua School of Business, the School of Law, the Sanford School of Public Policy, and the Duke Institute for Brain Sciences. We also support Duke Health staff and students working with third party data that is not from Duke Health.
Students in programs such as Data+, MIDS (Master in Interdisciplinary Data Science), and MQM (Master of Quantitative Management) also make use of the Research Data Security team services and the PRDN.
We provide and support Windows and Linux virtual machines (VMs) in various sizes averaging 4-8 CPUs and 16-32 GB RAM. We offer GPU and high performance computing, and a wide assortment of quantitative and qualitative analytical tools. Custom sizes and configurations are also available. Storage is hosted on the OIT’s storage space and is expandable to your needs from megabytes to terabytes.
We maintain a Linux cluster environment utilizing SLURM that is suitable for sensitive data. Nodes can be purchased for this environment and a common partition spanning the entire cluster is available.
The most efficient way to get started is to first tell us about your project using our survey. (You may also email us, call us, or even stop by any of our offices in Gross Hall). You don't need to have all the details of your project worked out, just fill in what you can and we will contact you to set up an initial planning meeting.
It is important to understand and keep track of the various documents related to your data both before and after you begin working in the PRDN.
If you are analyzing existing (secondary) data about human subjects: The Campus or Health System IRB must review your research before it begins. Only the IRBs can determine if your project meets the requirements for conducting research with human subjects, approve your study activities, or declare them to be exempt from ongoing review. In general, use of secondary identifiable data will require a data use agreement with the data provider sufficient to comply with both Duke’s and the data provider’s requirements for protecting the data. That agreement will be reviewed as part of the IRB approval process.
If you are analyzing existing data that is not about human subjects but is Sensitive or Restricted by Duke's standard: Proprietary corporate data or government data are the most common examples of this data type. Various types of documentation and/or contracts may be required by the data providers. In general, use of these types of data will also require a data use agreement that is sufficient to comply with both Duke's and the data provider's requirements for protecting the data. The agreement will be signed by a Duke official (not by a PI, program manager, or other researcher).
If you are collecting your own identifiable data: The request for protocol approval requires different forms and informed consent, but the rules above still apply.
If you are using Duke Health data: While the PRDN can be used for all kinds of protected identifiable data, including PHI, Duke Health allows only de-identified Duke Health data to be transferred to the PRDN.
In all cases:
- Changes to your study or data: The project approval documentation defines the purposes for which the data can be used by approved study team members. Changes to study team membership require IRB approval and may require the approval of the data provider as well. If both the DUA and IRB protocol need to be amended, the IRB should be amended first. Before adding new research questions or new data (even data that is publicly available), you also need to obtain appropriate approvals from the IRB and secondary data provider. Data use approval is study specific, so you must obtain approval to reuse the data from your data provider for another study or to change the research questions (or add additional data) in an existing study.
- Keeping documents up to date: Data stored and analyzed in the PRDN must have current approvals. DUAs may be approved for a fixed period of time or for the duration of the project. IRB approval is for one year. Protocol renewals should be submitted 30-60 days before expiration. In order to maintain access to PRDN resources, send us copies of your renewals before the previous documents expire.
Actively Manage Collaboration and Dissemination
How you as the PI manage collaboration on papers and presentations depends on study requirements, team structure, your own preferences, and other factors. Establishing a required research flow process to support replication and dissemination of your results is an essential early step. For example, you might provide a controlled location (such as a Box folder) for research team members to deposit their work for your review. Configure it so that only you or select team members can remove items from that location. However you approach collaboration and dissemination, make sure that it allows you to identify and address any problems with the materials before they are submitted or presented.