1.0 Overview
The intent of this document is to reinforce the Pennsylvania State University’s established culture of openness, trust, and integrity. The Institute for Computational and Data Sciences (ICDS) is committed to protecting our employees, partners, and the University from illegal or damaging actions by individuals, either knowingly or unknowingly.
Data that is the property of the Pennsylvania State University must be protected no matter where it resides. In addition, there is a responsibility to protect data acquired from external data providers that is stored, processed, or transmitted on ICDS infrastructure pursuant to the terms of any agreements with the data providers. Effective security is a team effort involving the participation and support of every University employee and affiliate who deals with data and/or data processing systems. It is the responsibility of every resource user to know these requirements and guidelines and to conduct their activities accordingly.
2.0 Scope
This policy applies to any person who utilizes resources that are managed by ICDS and to any person who handles data that is managed by ICDS. This policy supplements applicable Pennsylvania State University policies. When a conflict exists between ICDS and PSU policy, it will be reviewed and resolved at the time of publication.
3.0 Purpose
Improper handling of data exposes ICDS systems and the University to risks including virus and malware attacks, compromise of network systems and services, data loss or contamination, and numerous potential contractual and legal issues. This policy outlines the protection and retention of data that is stored, processed, or transmitted using ICDS cyberinfrastructure.
4.0 Policy
4.1 Philosophy
University policies regarding data protection and retention as specified here are not exhaustive, but rather serve as a foundation that resource administrators and data stewards will build upon to ensure that data is adequately protected. Some research sponsors have their own requirements for data protection and retention that may exceed the foundational requirements provided for by the University. In these instances, the grantee (PI) must ensure that the sponsor’s requirements are being met and that the associated higher-level protection measures are in place and fully operational. ICDS consultants can work with PIs to help them accomplish these tasks. In these cases, the PI is expected to be aware of the requirements of the funding agency or research sponsor and to provide the ICDS consultant with the necessary information and contacts that will allow them to provide the best possible assistance.
4.2 Responsibilities
It is the responsibility of the University to ensure that research is conducted ethically, and that data associated with the research is properly maintained and is readily available for evaluation and further investigation.
The Principal Investigator (PI) is the steward of the data associated with their research and is responsible for ensuring that the conditions of the grant under which the research is being conducted are being met. The PI is ultimately responsible for retaining research data for a period that meets both University requirements and the requirements of any grant sponsor(s).
Any PI who leaves the University is required to plan for the transfer, archive, and/or deletion of all research data in accordance with Federal, sponsor, and University regulations.
ICDS provides a defined level of service when a user commits to use Roar resources to conduct their research per a Service Level Agreement (SLA). Waivers and exceptions to this policy should be coordinated through the ICDS exceptions process.
The use of copyrighted material and third-party data sets must comply with Pennsylvania State University’s policies governing copyright clearance. All users of ICDS systems must comply with any legal and policy requirements related to their data.
ICDS-P040: Software Policy describes in detail ICDS policies regarding software, licensing and maintenance.
Suspected data protection violations must be reported as described in the “Incident Response” section.
4.3 IT Security
Penn State requires adherence to policies AD95 Information Assurance and IT Security and AD96 Acceptable Use of University Information Resources (see https://policy.psu.edu) in order to ensure the confidentiality, integrity, and availability of the University’s information assets. ICDS supports the teaching, research, and service missions of the University while also enabling open but secure information sharing and collaboration.
4.4 Data Retention
AD35 University Archives and Records Management references the General Retention Schedule (previously Appendix 18), which in turn contains a table specific to “Grant and Contract Records.” This table lists “Scientific and Technical Data” as having a retention policy of “3 years in Office; Transfer to Archives for PERMANENT file.” The data retention information in this section is specific only to ICDS storage resources provided as part of our operating environment. PIs are responsible for ensuring that their research data that is resident on ICDS resources is stored in a manner that meets the requirements of the University and the sponsor(s) of their research.
ICDS provides the following common storage locations for system users. The table below identifies each of these locations and their respective data retention periods. ICDS will notify the owner of the data at least 30 days prior to any data deletion.
Storage Location | Retention |
---|---|
Home Directory | One year after ICDS account termination. |
Work Directory | One year after ICDS account termination. |
Scratch Directory | Max 30 days; may be purged in extraordinary circumstances. |
SLA Storage Allocation | One year after termination of SLA. |
Data Expiration Process (Post-SLA Termination):
- Data remains in read-only mode for 30 days after SLA termination.
- After 30 days, data is secured and becomes inaccessible.
- Data is permanently deleted one year after SLA termination.
Data Recovery Fee:
To recover data within one year of SLA termination, a new SLA is required. A recovery fee will be applied based on the time the data remained unsecured by an active SLA.
4.4.1 Data Backups
Snapshots (read-only, point-in-time copies of the filesystem state) are taken of the entire storage array nightly and weekly. Snapshots are done on the storage array which is resilient, but not redundant. Data is not copied to any secondary storage device by default. Daily snapshots are kept for 14 days and weekly snapshots are kept for 3 months. Users may also be able to restore an earlier version of a file within the recovery window of 14 days or 3 months. Recovery of that data requires assistance from ICDS staff and the submission of a support request through the ICDS Client Support Service Center.
4.4.2 Scratch File System Data
Data in “Scratch” locations is NOT BACKED UP and cannot be recovered if purged. Files not accessed within the past 30 days are automatically purged. In certain situations, files may need to be purged due to maintenance actions or other extraordinary circumstances regardless of date. Attempts to circumvent the automatic 30-day file purge for Scratch files (including but not limited to the use of “touch” commands and other trivial file manipulations such as renaming and moving files for the purpose of altering file timestamps) are considered a violation of User policy.
4.4.3 Transfer
PIs that are transferring outside of the University may request that a duplicate set of their data be transferred with them. ICDS will work with PIs regarding the mechanism for transfer. Note that additional costs may apply (e.g., if data is provided on physical hard drives). Penn State’s Intellectual Property Policies and Guidelines must be followed before any transfers can occur (see Intellectual Property Policies https://policy.psu.edu).
ICDS personnel cannot transfer data that resides in a Home folder to anyone other than the owner of that Home folder. If a request is received for data from a Home folder that is not owned by the requestor, ICDS personnel will provide a copy of the data to Penn State OIS, who will sanitize the data and work with the requestor to satisfy their request.
The Home folder is not intended for file sharing; it is a container for the personal files and application data of the folder owner. Sharing should occur out of Work and Group folders and Scratch space as required. Users will not change permissions on their Home folders to allow access by other users.
Note that some ICDS system administrators have permission to access any data on ICDS storage devices. ICDS system administrators will only access other users’ data when it is absolutely required as part of their job functions. ICDS personnel are subject to the same sanctions as any other user who misuses ICDS resources.
4.5 Incident Response
Anyone who suspects that any account, data or system compromise may have occurred, or has identified a situation that could potentially lead to a data compromise, is responsible for reporting it. Procedures for handling data, account or system compromise are discussed in ICDS-P070: Incident Response.
5.0 Enforcement
Any employee, student, or visitor found to have violated this policy may be subject to disciplinary action by their administrative unit, the College, or the University.
6.0 Supporting Documents
ICDS-P030: Authentication and Access Control
ICDS-P040: Software Policy
ICDS-P070: Incident Response