Using Duke Box with Sensitive Research Data
About Box.com
Box is a cloud content management and collaboration platform:
🔗 https://box.duke.edu/
Key Features
- File sharing
- Collaboration tools
- Version control
- Security & compliance
- Integration with third-party tools
- Access control and permissions
- Mobile app availability
Security & Usage at Duke
- Data encryption
- NetID login with Duo MFA
- Access controls
- Collaborator password policy
What You Can Do with Duke Box
- 50 GB of cloud storage
- Upload large files
- Assign tasks and track changes
- Set expiration dates for links and file access
- Set files/folders to autodelete
What Data is Permitted in Duke Box
| Data Type | Permitted |
|---|---|
| Non-confidential or general business | ✅ YES |
| De-identified human subject research | ✅ YES |
| Sensitive identifiable human subject research | Contact Security Office: security@duke.edu |
| Export controlled research (ITAR, EAR) | ❌ NO, Contact Security Office: security@duke.edu |
| Student educational records (FERPA) | ✅ YES |
| Medical Record Numbers (MRN) | Contact Security Office: security@duke.edu |
| Protected health information (ePHI-HIPAA) | Contact Security Office: security@duke.edu |
| FISMA data | Contact Security Office: security@duke.edu |
| Social Security Numbers | Contact Security Office: security@duke.edu |
| Gramm Leach Bliley (GLBA) student loan application information | Contact Security Office: security@duke.edu |
| Payment card information (PCI) | ❌ NEVER Permitted |
| Controlled Unclassified Information (CUI) | ❌ NO, Contact Security Office: security@duke.edu |
| Genotypes and Phenotypes (dbGaP) | ❌ NO, Contact Security Office: security@duke.edu |
Using Duke Kits to Create Duke Box Folders for IRB Protocols
When storing files related to IRB protocols, it's important to avoid creating Box folders within personal Duke Box accounts. If an individual leaves Duke or changes roles, it can result in loss of access to critical research data, posing institutional risk.
🔐 Why Use Duke Kits?
Using Duke Kits to create Box folders:
- Ensures the folder is owned by a Duke service account, not a personal Box account
- Prevents loss of access if the original creator leaves Duke
- Storage does not count against your personal file quota
- Provides a secure, Duke-managed collaboration space
✅ Kits allows you to add Duke Box as an “App” inside a project folder, making it easy to manage access and visibility.
🛠️ Steps to Create a Duke Box Folder via Kits
In Duke Kits
- Visit kits.duke.edu and log in via Shibboleth.
- Click the My KITS menu (upper-right corner) and select Create Kit.
- Fill in the Kit details:
- Category: Choose Project
- Kit ID: Use your IRB Protocol Number (or other unique ID)
- Display Name: Choose a descriptive name for your project
- Click Save and wait for the Kit to be created.
- Once your Kit is ready, click Add App.
- Select Box and click Add App to Kit.
- Display Name: e.g., your IRB Protocol title
- Who can view in Kits?: Select Just me
- Click Save & Add to Kit
In Duke Box
- Log in to box.duke.edu
- Locate the new folder created by Kits — it will start with Kits Project:
- (Optional) Rename the folder to something informative for collaborators
- Use Box’s built-in collaborator sharing tools to add team members
- ⚠️ Do not remove the Toolkits ServiceAccount from the folder — this account is required to manage content and will not be used without prior consent
📌 Best Practices
- Use meaningful folder names to help collaborators understand the content
- Avoid personal Box folders for university-owned research data
- Manage collaborator permissions directly in Box (not through Kits visibility)
- Ensure that all project members understand the importance of preserving Duke-managed ownership of IRB data
Editing Files Securely in the Browser
To keep sensitive or restricted data protected, always edit documents within the Box environment using Word Online, Excel Online, or Box Notes. Avoid downloading files to local devices.
✅ Recommended Tools
| File Type | Recommended Editor | Why It’s Secure |
|---|---|---|
| .docx | Word Online | Edits saved directly in Box; no local download |
| .xlsx | Excel Online | Real-time collaboration with auto-save to Box |
| Notes/Planning | Box Notes | Built-in secure notes tool for quick collaboration |
📌 How to Edit Securely
- Go to box.duke.edu and find your file.
- Click the file to open the preview.
- Select Open → Word Online, Excel Online, or Create/Edit with Box Notes.
- Work securely in your browser—no download required.
🔒 Security Tip: Never download or copy sensitive content outside of Box unless explicitly approved.
⚠️ Box Drive or other Desktop Integration Tools
It is best practice NOT to install Box Drive on a computer used to access Sensitive data via Duke Box.
Due to the well-integrated Duke Box/Box Drive environment, the risk of Sensitive data being inadvertently stored on a local machine is high.
- If working with Sensitive data in Duke Box, do not open these files locally using Box Drive.
- Box Drive caches (stores) any file that you open locally.
If a Sensitive file is opened using Box Drive:
- Immediately log out of Box Drive after use
- This will remove automatically cached data from the device
- See Box Drive logout instructions to manually log out
Researchers working with human subject research or other protected research should ensure that the IRB or external grant providers have approved the use of Duke Box for their research protocols.
Those working with Sensitive Data are responsible for managing folder access in keeping with the principle of least privilege (see Duke University Standard: Least Privilege | Information Security).
Principle of Least Privilege
Least Privilege is a cybersecurity principle stating that any user, program, or system process should be granted only the minimum access rights necessary to perform its tasks.
This helps reduce the risk of accidental or intentional misuse of systems and data.
A user should only have access to the data and systems absolutely necessary for their legitimate purpose—no more, no less.
Collaborator Permission Levels
The PI or Data Steward of the project should determine the appropriate level of permissions when granting collaborators access to sensitive data.
| Role | Description |
|---|---|
| Co-owner | Full rights, including managing users and settings |
| Editor | View, upload, edit, delete, share |
| Viewer | Read-only |
| Viewer Uploader | View and upload only |
| Previewer Uploader | Preview and upload, no downloads or editing |
| Previewer | Can preview files but not download |
| Uploader | Can upload only |
Sharing Data with Collaborators
Sensitive data should be shared with individually named collaborators, not through a shared link.
External collaborators are required to:
- Use passwords of at least 12 characters
- Enable Multi-Factor Authentication (MFA)
File Retention and Expiration
Users should exercise care by removing files containing Sensitive information from their Duke Box account once those files are no longer being actively used or shared.
In particular, expiration dates can and should be set by users to automatically remove sharing links after collaboration ends.
Time-limited Sharing Options
Shared Links
- Use for quick, temporary file access
- Avoid sharing public links
- Set expiration dates:
- Click “Share”
- Choose “Invited people only”
- In “Link Settings,” set expiration
- Save changes
Folder Expiration
- Use permission limits on folders for controlled collaboration
- To set an expiration:
- Go to folder Settings → Automated Actions
- Enable “Unshare on selected date”
- Choose date, Save changes
Auto-Delete Feature (Folders)
- Navigate to Settings → Automated Actions
- Enable “Auto-delete this folder on a selected date”
- Choose a date and Save changes
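The sharing rules above (least-privilege roles, individually named collaborators, invite-only links with an expiration, keeping the Toolkits ServiceAccount on the folder) can be checked over an export of a folder's sharing state. This is an added example, not code from Duke or Box: the field names (role, accessible_by, shared_link.access, unshared_at) are modeled on Box API responses and are assumptions, as are the service-account login and all sample data.

```python
# Added example: checks a folder's sharing state against this page's rules.
# Field names and all sample data below are assumptions / constructed.
BROAD_ROLES = {"co-owner", "editor"}  # roles that can change or re-share content
# Placeholder: the page does not give the service account's login.
SERVICE_ACCOUNT = "toolkits-service-account@example.invalid"

def audit_folder(folder, collaborations, approved_broad=()):
    """Return (rule, subject) findings for one folder, in check order."""
    findings = []
    link = folder.get("shared_link")
    if link:
        # Page: choose "Invited people only" and set an expiration.
        if link.get("access") != "collaborators":
            findings.append(("link-not-invite-only", link.get("access")))
        if not link.get("unshared_at"):
            findings.append(("link-no-expiration", folder["name"]))
    seen = set()
    for collab in collaborations:
        who = collab["accessible_by"]
        subject = who.get("login") or who.get("name")
        seen.add(subject)
        if subject == SERVICE_ACCOUNT:
            continue  # must stay on the folder; not a finding
        if who.get("type") != "user":
            # Page: share with individually named collaborators.
            findings.append(("not-individually-named", subject))
        if collab["role"] in BROAD_ROLES and subject not in approved_broad:
            findings.append(("role-broader-than-approved", subject))
    if SERVICE_ACCOUNT not in seen:
        findings.append(("service-account-missing", SERVICE_ACCOUNT))
    return findings

# Constructed sample input (not real accounts or a real folder).
SAMPLE_FOLDER = {"name": "Kits Project: Pro-EXAMPLE",
                 "shared_link": {"access": "open", "unshared_at": None}}
SAMPLE_COLLABS = [
    {"role": "co-owner", "accessible_by": {"type": "user", "login": SERVICE_ACCOUNT}},
    {"role": "co-owner", "accessible_by": {"type": "user", "login": "pi@example.edu"}},
    {"role": "editor", "accessible_by": {"type": "user", "login": "student@example.edu"}},
    {"role": "previewer", "accessible_by": {"type": "user", "login": "ext@example.org"}},
    {"role": "viewer", "accessible_by": {"type": "group", "name": "Lab group"}},
]

if __name__ == "__main__":
    for finding in audit_folder(SAMPLE_FOLDER, SAMPLE_COLLABS, {"pi@example.edu"}):
        print(finding)
```

The approved_broad argument stands for the accounts the PI or Data Steward has approved for Co-owner or Editor rights; everyone else is expected to hold one of the narrower roles in the table.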
Box File Request
Use case: allow research participants to upload documents, surveys, audio/video recordings, etc., without needing a Box account.
Functionality: Upload access only—users cannot view other submissions (mail slot analogy).
📘 See also: Using File Request to get Content from Anyone
To Create a Box File Request:
- Create a folder
- Set permissions to Uploader
- Select File Request
IT Staff
If you are helping a research team to provision a Duke Box folder which will be used with Sensitive Data:
Do NOT retain access to the folder once provisioning is complete.
Sensitive Data Archive
Duke University expects research personnel to retain data and outputs for at least six years after project completion (Duke Research Data Policy).
- For sensitive research data archive please see: About the Protected Network for Research (PNR) and Archiving (PNR)
- Duke patient PHI (Protected Health Information) is not permitted in the PNR.