Data Security Protocol

Comprehensive guidelines for protecting both hardcopy and softcopy data throughout research projects, including protocols for personally identifiable information (PII), encryption standards, password security, and device management.

Key Takeaways
  • Protecting sensitive data and PII is essential to maintain respondent confidentiality and comply with ethical standards.
  • Implementing robust encryption, password security, and backup practices ensures data integrity and prevents unauthorized access.

What is the Data Security Protocol?

The data security protocol is a set of guidelines and practices designed to protect data from unauthorized access, corruption, or loss.

Importance of Data Security

  • Compliance: Required by Institutional Review Boards and donors.
  • Prevention of Data Loss: Avoid costly data breaches or losses.
  • Respect for Respondents: Protect respondents’ privacy and confidentiality.
  • Data Integrity: Ensure data quality for sharing and publication.

Personally Identifiable Information (PII)

PII refers to any datapoint or combination of datapoints that can identify an individual or household with reasonable certainty. Examples of PII can include:

  • Name
  • GPS coordinates
  • Address
  • Combinations of demographic data, village name, birth date, gender, occupation in small communities
Data Protection Requirements

PII must be protected using the following protocols:

  • Encryption: Apply encryption at every stage of the data lifecycle: collection, transmission, storage.
  • Separation: Separate PII from research data as soon as possible.
  • Ongoing Protection: Protect PII retained after study closure.
  • Exclusion: Exclude PII from microdata publications like the AEA registry.

  • Encryption: Apply encryption at every stage of the data lifecycle: collection, transmission, storage.

  • Separation: Separate PII from research data as soon as possible.

  • Ongoing Protection: Protect PII retained after study closure.

  • Exclusion: Exclude PII from microdata publications like the AEA registry. :::

  • Encryption: Apply encryption at every stage of the data lifecycle: collection, transmission, storage.

  • Separation: Separate PII from research data as soon as possible.

  • Ongoing Protection: Protect PII retained after study closure.

  • Exclusion: Exclude PII from microdata publications like the AEA registry. :::

In terms of sharing PII, this kind of information may only be shared under the following conditions:

  1. The recipient is named or referenced in the informed consent.
  2. The recipient is included in the approved research protocol.
  3. Secure methods are used for sharing.

Sensitive Data

Sensitive data is information where a loss of confidentiality, integrity, or availability could result in serious, severe, or catastrophic consequences.

Sensitivity Levels

  • Level 1: Non-confidential.
  • Level 2: Contains PII, but no material harm.
  • Level 3: Contains PII and could cause material harm.
  • Level 4: High-risk confidential data.

Based on 45 CFR 164.514 HIPAA Standard, some examples of PII may include:

  • Names
  • Geographic subdivisions smaller than a state/province
  • Dates directly related to an individual (e.g., birth date, graduation date, marriage date)
  • Telephone numbers, fax numbers, email addresses
  • Social security numbers, medical record numbers, health plan beneficiary numbers
  • Account numbers, certificate or license numbers, vehicle identifiers, device identifiers
  • Web URLs, IP addresses, biometric identifiers like fingerprints
  • Full-face photos or any other unique identifying number, characteristic, or code

Access to PII

  • Only individuals approved in the IRB submission can access PII.
  • Approved individuals must complete human subjects protection training like CITI Program certification.

Password Security

Creating a Strong Password

  • At least 10 characters.
  • Use a mix of numbers, symbols, uppercase, and lowercase letters.
  • Avoid repetition, dictionary words, usernames, pronouns, IDs, and predefined sequences.

Password Best Practices

  • Never share passwords through email.
  • Use a secure password manager.
  • Use a complex password consistently across the project.

Example: The New Hampshire training was awesome because of the data security presentation in 2024TnhtwabotDSPi2024!

This creates a 17-character password with uppercase, lowercase, numbers, and symbols while being memorable through the sentence structure.

Data Protection Summary

Ensure your data is always:

  • Produced through a clear step in your data flow.
  • Saved to a logical and secure location.
  • Password-protected with a strong password.
  • Encrypted if it contains PII or sensitive data.
  • Backed up in multiple locations.

Data Flow FAQ

When to Keep Data Secure

Secure data whenever sensitive information is linked to PII. Raw data containing PII must be encrypted and stored securely.

When and How to Remove PII

  • Remove PII as soon as possible.
  • Collaborate with your team to determine who will remove PII and when.
  • Stata Tip: Use the lookfor command to identify PII.

Device Security

General Device Security

  • Consult the Data Coordinator for recommended devices.
  • Encrypt all sensitive data.
  • Password-protect devices.
  • Physically secure and label devices.

Field Device Management

  • Implement check-in/out systems for devices.
  • Train staff not to broadcast locations or activities.
  • Ensure signed device liability forms.
  • Maintain charging schedules and fire safety precautions.
  • Assign responsibility for nightly device checks.
  • Label devices with QR code stickers.
  • Store netbooks in protective casings.

Laptop and Personal Device Security

  • Use IPA’s encryption software for PII.
  • Avoid unapproved programs.
  • Run antivirus scans frequently.
  • Backup data securely using tools like Box.
  • Work computers only: No personal files.

Laptop/Netbook Security in the Field

User Accounts

  • Create two accounts:
  • Admin account: Full rights.
  • Enumerator account: Limited access.

Functionality Restrictions

  • Set accurate date and time.
  • Disable internet access if unnecessary.
  • Disable audio, video, and USB ports unless required for data extraction.

Software and Protection

  • Install antivirus software.
  • Encrypt sensitive survey data using tools like Cryptomator.
  • Update and back up data regularly.

Data Backup and Storage

  • Use central/supervisor computer backups.
  • Local backups: External hard drives with automated backup software like CrashPlan.
  • Cloud backups: IPA’s encrypted cloud storage through Box with additional encryption using Cryptomator.

Conclusion

By adhering to these data security protocols, we ensure compliance, safeguard respondent privacy, and maintain the integrity of research data.

By adhering to these data security protocols, organizations ensure compliance, safeguard respondent privacy, and maintain the integrity of research data.

Back to top