How to Implement Data Security Protocols

Step-by-step guide to implement essential data security measures for research projects, including quick setup procedures, role-specific checklists, and emergency protocols.

This hands-on guide walks you through implementing data security protocols for research projects. Start with the 30-minute Quick Start for immediate protection, then use role-specific checklists for comprehensive implementation. Includes emergency procedures for when things go wrong.

Before You Begin

This guide implements the standards outlined in the Data Security Protocol. Review that document first to understand the principles behind these procedures.

Prerequisites:

• Admin access to your devices
• Approved password manager account
• Cloud storage access (Box or similar)
• Basic computer skills

---

Quick Start: Essential Security (30 minutes)

New to data security? Complete these essential steps before collecting any sensitive data.

Step 1: Create Strong Project Passwords (5 minutes)

Skill level: Basic computer skills You’ll need: Pen and paper, password manager access

1. Create your main project password:
   • Think of a memorable sentence about your project
   • Example: “The Ghana education study started in January 2025”
   • Transform to: “TGessiJ2025!”
   • Alternative method: “The data security protocol in 2024 is stupendous!” → “tDSPi2k14i_S!”
   • Must be ≥10 characters with numbers, symbols, upper/lowercase
2. Verify password strength: Test at your organization’s password checker
3. Store securely: Add to approved password manager such as Keeper, LastPass, or 1Password
4. Share with team: Only through encrypted channels, never email

✓ Success check: Can you recreate your password from memory?

Step 2: Secure Your Primary Device (10 minutes)

Skill level: Basic computer skills Required: Laptop/desktop with admin access

1. Enable full-disk encryption:
   • Windows: BitLocker (Settings → Update & Security → Device Encryption)
   • Mac: FileVault (System Preferences → Security & Privacy → FileVault)
   • Restart required: Plan accordingly
2. Set automatic screen lock: 10 minutes maximum idle time
3. Enable remote wipe: Link device to Google/Microsoft account with remote access

✓ Success check: Screen locks automatically, encryption shows as “On”

Step 3: Set Up Emergency Backup (15 minutes)

Skill level: Intermediate You’ll need: External drive or cloud storage access

1. Choose backup method:
   • Recommended: Encrypted cloud folder (Box + Cryptomator)
   • Alternative: Encrypted external drive
2. Install Cryptomator (if using cloud):
   • Download from cryptomator.org
   • Create vault named “ProjectName_Backup”
   • Use your project password (≥10 characters, mixed types)
   • Critical: Generate and save recovery key securely
   • Test complete unlock/lock cycle before proceeding
3. Schedule automatic backups: Daily at minimum

✓ Success check: Can you access backup location and verify files are encrypted?

If You Get Stuck

• Password issues: Contact your data coordinator
• Encryption fails: Try restarting device, check admin permissions
• Backup problems: Verify internet connection, check storage space

Next steps: Once Quick Start is complete, review the role-specific checklists below for your project type.

---

Security Checklists by Role

Research Manager or Research Associate

Time needed: 3 hours initial setup, 30 minutes weekly maintenance

Before Data Collection Starts (2 hours total):

• Complete IRB data security plan submission
• Designate data security coordinator for project
• Purchase/license required software (Cryptomator, password managers)
• Create master project password and share with approved team members
• Set up encrypted cloud storage folder structure
• Schedule team training session (1 hour minimum)

During Data Collection (Weekly, 30 minutes):

• Review weekly security incident reports (if any)
• Verify backup systems are functioning
• Check team compliance with device check-in/out procedures
• Monitor PII removal timeline adherence

After Data Collection (1 hour):

• Verify all PII deleted per IRB timeline
• Archive de-identified data in approved repository
• Document lessons learned for future projects
• Deactivate temporary accounts and device access

Field Coordinator

Time needed: 30 minutes daily, 2 hours initial setup

Daily Setup (10 minutes each morning):

• Unlock device storage area
• Check overnight charging completed successfully
• Verify each device shows “encrypted” status
• Prepare device checkout logbook
• Test backup internet connection (if applicable)

Device Distribution (2 minutes per device):

• Verify enumerator identity before device checkout
• Record device serial number and checkout time in logbook
• Confirm device protective case is attached
• Remind enumerator of return time and location

Daily Collection (End of day, 15 minutes):

• Check in all devices, verify none missing
• Backup data from each device to secure location
• Plug devices into charging stations
• Lock storage area and record completion time
• Report any issues to Project Manager within 24 hours

Enumerator, Field Officer, or Interviewer

Time needed: 10 minutes daily preparation, 5 minutes per interview

Before Leaving Base (5 minutes):

• Check device battery level (≥80%)
• Verify protective case is secure
• Confirm device screen lock password works
• Disable location services unless required for survey
• Clear any personal data from previous use

During Data Collection (Each interview):

• Position device screen away from other participants
• Never photograph identifying documents unless specifically required
• Lock device screen between interviews (every time)
• Store device securely during breaks (never leave unattended)

Returning to Base (5 minutes):

• Report any technical issues or unusual events
• Hand device directly to Field Coordinator (never leave unattended)
• Sign device check-in log with any incident notes
• Confirm backup completion before leaving base

Research Data Analyst

Time needed: 1 hour initial setup, 10 minutes daily

First Day on Project (1 hour):

• Complete required human subjects protection training (CITI, NIH, or university program)
• Verify training certification is submitted to IRB if accessing >10% of study PII
• Set up approved password manager with project password
• Install and configure Cryptomator with project vault access
• Test access to de-identified project data repository
• Review project-specific PII identification guidelines

Daily Work Routine:

• Unlock encrypted data vault at start of work session
• Use lookfor command (Stata) or equivalent to scan for PII before analysis
• Save all work outputs to encrypted project folder only
• Lock data vault at end of each work session
• Never share datasets outside approved team members

Before Analysis Output Sharing:

• Run PII scan on all outputs (tables, graphs, datasets)
• Remove any geographical identifiers smaller than state/province
• Verify no combination of variables could identify individuals
• Get supervisor approval before sharing any results externally

---

Common Setup Procedures

Setting Up Cryptomator (20 minutes)

For IPA Staff (Microsoft Entra Access)

1. Access Cryptomator Hub:
   • Navigate to your Microsoft Entra apps dashboard
   • Click the Cryptomator tile
   • Select “IPA Entra” login option (first-time only)
2. Save Account Key:
   • Copy the Account Key displayed on first login
   • Store securely in approved password manager (Keeper, LastPass, 1Password)
   • Check “I stored my account key securely” box
   • Select “Finish Setup”
3. Install Desktop Application:
   • Download from cryptomator.org/downloads
   • Install following on-screen instructions
   • Accept license terms and complete setup

For External Partners (Username/Password Access)

1. Initial Setup:
   • Receive email invitation with temporary credentials
   • Click link and enter username/password
   • Update password and check “Sign out from other devices”
   • Critical: Save Account Key to password manager
2. Install Required Software:
   • Download and install Cryptomator desktop application
   • Install Box Drive for seamless file access
   • Configure Box Drive with provided credentials

Daily Vault Usage

1. Accessing Vaults:
   • Open Cryptomator Hub (web) or desktop application
   • Select vault from available list
   • Click “Unlock” button
   • Security Note: Type password manually (never copy/paste)
   • Check “Remember password” if on secure device
   • Select “Reveal Drive” to access files
2. Working with Files:
   • Access decrypted files through mounted virtual drive
   • Save/edit files normally - encryption is automatic
   • Files sync to Box automatically when connected
3. Ending Session:
   • Complete all file operations
   • Click “Lock” in Cryptomator interface
   • Critical: Always lock before closing laptop or ending day

Advanced: Creating Sub-Vaults for Field Teams

Use Case: Share subset of vault data with non-Salesforce users

1. Create Sub-Vault:
   • Open Cryptomator desktop → “Add” → “New Vault”
   • Name: “ProjectCode_FieldTeam_SecureArea”
   • Choose “Custom location” → navigate to SECURE_AREA folder
   • Generate strong password and recovery key
   • Critical: Store recovery key on USB or secure location
2. Share with Field Team:
   • Right-click vault folder → “View in Box.com”
   • Use Box sharing interface to invite team members
   • Share vault password separately through secure channel
   • Warning: Only copy existing main vault files - never create new files in sub-vault

Troubleshooting Common Issues

Can’t unlock vault: - Try desktop app instead of web interface - Restart device and try again - Verify internet connection for cloud vaults - Contact data coordinator if password forgotten

Authentication errors: - Clear browser cache and retry - Use Account Key to authorize new browser - Dismiss error dialogs and restart process

Sync problems: - Check Box Drive connection status - Verify sufficient storage space - Try locking/unlocking vault - See troubleshooting guide

Adding New Device: - Log in to Cryptomator Hub on new device - Enter Account Key when prompted (retrieve from password manager) - Provide browser name for identification - Select “Finish Setup” to authorize device

Setting Up Paper Survey Security (20 minutes per form type)

Form Design:

1. Create dual ID system:
   • Respondent ID sheet: Contains name, contact info, unique ID
   • Questionnaire ID: Links survey pages, references respondent ID
2. Design perforated separation between PII and survey sections
3. Print respondent ID sheets on different colored paper for easy identification

Physical Setup:

1. Prepare separate lockable storage for:
   • PII sheets (high security)
   • Survey questionnaires (standard security)
   • Completed surveys awaiting data entry
2. Create sign-out log for PII access
3. Set up secure scanning station for electronic backup creation

Team Training:

1. Train enumerators on immediate PII separation procedures
2. Assign specific staff for PII handling (IRB-approved only)
3. Practice separation procedures before fieldwork begins

Creating Field Device Setup (30 minutes per device)

Hardware Setup:

1. Enable full-disk encryption on each device
2. Set strong screen lock password (use project password standard)
3. Install protective case and QR code labels
4. Test charging cable and backup battery if needed

Software Configuration:

1. Install required survey apps (SurveyCTO, etc.)
2. Disable unnecessary features (GPS unless needed, social apps)
3. Set up automatic backup sync if using cloud storage
4. Test all functionality with practice survey

Documentation:

1. Record device serial numbers in master logbook
2. Create device checkout forms with liability agreements
3. Photograph device setup for reference
4. Store backup passwords in secure location

---

Emergency Procedures

Device Lost or Stolen

Immediate Actions (within 2 hours):

1. Stop data collection on all devices immediately
2. Contact Field Coordinator or Project Manager right away
3. Document incident: When, where, how discovered, who had access
4. Activate remote wipe if device was linked to cloud account
5. Report to local authorities if stolen (get police report number)

Contact Information:

• Field Coordinator: [Insert contact info]
• Research Manager or Research Associate: [Insert contact info]
• Data Security Coordinator: [Insert contact info]

Information to Collect:

• Device serial number and checkout time
• Approximate number of survey records on device
• Whether device was password protected and encrypted
• Last known location and circumstances

Suspected Data Breach

Immediate Actions (within 1 hour):

1. Stop all data activities - collection, analysis, sharing
2. Do not delete anything or try to “fix” the problem
3. Contact Project Manager immediately with details:
   • What happened and when you discovered it
   • What data might be affected
   • Who else knows about the incident
   • What steps you’ve already taken
4. Preserve evidence: Screenshot error messages, save log files
5. Document timeline: Write down exactly what happened in chronological order

Common Breach Scenarios:

• PII accidentally shared via email or cloud folder
• Unauthorized person gained access to survey data
• Data uploaded to non-approved cloud service or AI tool
• Encrypted file password shared insecurely

Technical Issues During Data Collection

Device Won’t Start/Charge:

1. Try different charging cable and power outlet
2. Switch to backup device if available
3. Document issue in device logbook with details
4. Continue with paper forms if no backup device available
5. Report to Field Coordinator within 4 hours

Can’t Access Survey/Data:

1. Restart device and try again
2. Check internet connection (if online digital surveys)
3. Switch to backup device or offline mode if available
4. Document all error messages exactly as they appear
5. Contact technical support with error details

Encryption/Password Problems:

1. Do not attempt multiple password guesses
2. Try restarting device once
3. Contact Data Security Coordinator immediately
4. Use backup device if available
5. Document exactly what happened when encryption failed

Communication During Emergencies

Approved Communication Channels:

• Direct phone calls to designated contacts
• Encrypted messaging apps approved by organization
• Secure email to organizational addresses only

Never Use for Emergencies:

• Public social media posts or messages
• Unencrypted email to external addresses
• Group chats with non-project members
• Any AI tools or chatbots for advice

After an Emergency

Required Documentation (within 24 hours):

• Incident report with timeline and actions taken
• Assessment of what data was potentially compromised
• Steps taken to prevent similar incidents
• Recommendations for protocol improvements

Recovery Steps:

• Investigate root cause with technical team
• Update security procedures based on lessons learned
• Retrain team members if necessary
• Review and revise emergency contact information

---

Advanced Implementation

For Multi-Site Projects

Site Coordination:

• Designate security coordinator at each site
• Daily cross-site security check-ins
• Standardized incident reporting across sites
• Shared secure communication channels

Data Flow Management:

• Site-specific encryption keys with master backup
• Regional backup systems with central archive
• Coordinated PII removal timeline across sites
• Cross-site security audit procedures

---

Additional Resources

• Main Reference: Data Security Protocol
• SurveyCTO Encryption: Official Documentation
• Cryptomator Help: Support Documentation
• Password Managers: Contact your IT department for approved options
• CITI Training: Human Subjects Protection Training

---

Summary Checklist

Before starting data collection, ensure:

• Quick Start completed (30 minutes)
• Role-specific procedures reviewed and understood
• Emergency contacts updated with current information
• Team training completed with documentation
• Backup systems tested and functioning
• Incident response plan practiced at least once
• All required software licensed and installed

Remember: Data security is everyone’s responsibility. When in doubt, ask for help rather than risk a breach.