Data Security Protocol - PowerPoint PPT Presentation

Slides: 18
Provided by: Russe55
Transcript and Presenter's Notes

1
Data Security Protocol
2
Why is data security important?
  • Compliance with Institutional Review Board (IRB)
    guidelines
    • An IRB is a group designated by an institution to
      approve, monitor, and review research involving
      human subjects to assure appropriate steps are
      taken to protect the rights and welfare of those
      subjects. It is a federally registered body.
    • Non-compliance can jeopardize:
      • Funding
      • Research progress
      • The organization's reputation
    • This protocol aims to follow Harvard's guidelines
      for security of personally identifiable data in
      research: http://www.security.harvard.edu/research-data-security-policy
  • Protection of human subjects
    • Field projects often collect personally
      identifiable information (PII) from respondents
    • PII + other sensitive information (e.g.,
      financial or medical data) = RISK

3
Overall principles for data security
  • Use cold-room computers, passwords and
    encryption: PII should only be viewed on
    cold-room computers that are password-protected
    and are equipped with TrueCrypt
  • Pick strong passwords for files and computers.
    Rule of thumb: more than 10 characters, and alpha,
    numeric, caps and non-caps, and symbols should all
    be included. No dictionary words. Share passwords
    verbally and keep a record of them in a secure
    location.
  • Ensure physical security: keep data in a
    physically secure location
  • Store, transmit, and use PII separately as much
    as possible: separate personally identifiable
    information from the dataset as soon as possible
    (while maintaining the respondent ID link). Store
    and transmit PII separately from the rest of the
    data and use only de-identified data for analysis
    as much as possible.
  • Obtain confidentiality agreements:
    confidentiality agreements should be signed and
    kept on record for anyone who handles PII
    (surveyors, data entry operators, project staff)

4
Data security for new projects: Stage 0
Stage 5 Making data public
Stage 4 Field wrap-up
Stage 3 Environment for analysis
Stage 2 Secure data storage and transmission
Stage 1 Data protection in the field
Stage 0 Before data collection
  • All Research Assistants/Associates and anyone
    else who will have access to data with PII
    should:
    • Take the course (CITI or NIH) on human subjects
      research and send the certificate of completion
      to your IRB coordinator
    • Read the JPAL/IPA human subjects manual and the
      Data security checklist
    • Read the IRB requirements for the project
  • Protect data on computers:
    • Use a cold room computer with password protection
      and TrueCrypt
    • Use secure file transfer and encryption for
      sending PII

5
Data security for new projects: Stage 1a
[Diagram: survey packet made up of a "PII and Consent"
section and the "Rest of survey" section, each
carrying the Unique ID]
  • Structure the physical survey packet into the
    PII-Consent section and the Questionnaire
    section, so they can be separated
  • Ensure that you have a field for the Unique ID
    Code on every page of the survey packet. It is
    CRITICAL that each page of the survey has the
    CORRECT unique ID code so that you can match up
    the questionnaire to PII if it is necessary later
  • Ensure you have a secure location to keep hard
    copies of surveys, with the identifying
    information separate from the rest of the survey

6
Data security for new projects: Stage 1b
[Diagram: the PII section separated from the rest of
the Survey]
  • Paper surveys received from surveyors should be
    physically separated into the PII-Consent section
    and the rest of the questionnaire. These two
    sections should be stored and transported
    separately
  • Ensure that data entry operators have signed a
    Confidentiality Agreement
  • Once data has been double-entered, receive the
    datasets on disc (NOT email). PII and the rest of
    the data should be stored on separate discs.
  • Confirm that data entry operators have removed
    the data from their computers

7
Data security for new projects: Stage 2
  • Transfer data from data entry, via disc, to a
    password-protected cold room computer and encrypt
    it immediately
  • Make 3-5 encrypted copies of the original data
    and store them on at least 2 secured servers or
    computers
  • Send encrypted data through a secure file
    transfer protocol (SFTP) such as Accellion (HKS)
    or WinSCP (NBER)
  • Sending data containing PII over email or
    Dropbox must be avoided

8
Data security for new projects: Stage 3
Data analysis does NOT require PII (e.g. no need
for names, addresses, etc. in analysis)
  • Maintain two separate datasets: the first
    contains PII and the unique ID code, and the
    second contains the unique ID code and the rest
    of the data (make sure both contain the
    respondent ID code)
  • Keep the dataset containing personally
    identifiable information encrypted
  • Decrypt and download only the second dataset (the
    one without personally identifiable information)
    onto your computer for cleaning and analysis
  • If you need to view the PII, then you should use
    a cold room computer.

9
Data security for new projects: Stage 3
Data analysis DOES require PII
  • Download the encrypted file onto a
    password-protected USB key or other storage
    device. Transfer the file in encrypted form to a
    password-protected cold room computer
  • As long as the data you are working with
    directly uses PII, you will need to work on a
    cold-room computer that is password-protected.
    You may not transfer the data containing PII to
    other computers.
  • There may be ways to de-identify the data and
    retain the elements needed for analysis, giving
    you more flexibility on where you clean and
    analyze data.

10
Data security for new projects: Stage 4
  • Once data analysis is finished, hardcopies of
    surveys need to be destroyed in a secure manner
    (e.g., shredded) within 5 years of completion of
    the study
  • Once all data is received for cleaning and
    analysis and secure back-up of the files has been
    confirmed, completely delete the files from any
    field computers (make sure all data has been
    transmitted from the field before deleting files)
  • You may consider wiping these files from your
    hard drive using a program such as Eraser
    (http://eraser.heidi.ie/)

11
Data security for new projects: Stage 5
  • Multiple team members need to review the dataset
    before it is released publicly, preferably ones
    who are familiar with the survey instruments and
    data collection
  • The potential negative repercussions of making
    one mistake and releasing PII in a public database
    can be huge (imagine leaving a social security
    number in a public medical procedures database)
  • Always get PI approval before making data public
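An added example, not part of the slide deck: the Stage 3 split of a survey export into a PII file and a de-identified file that share only the unique ID, plus a Stage 5 check that refuses a dataset for public release if any PII column survived or any row has lost its ID. The column names `unique_id`, `name`, `address`, `phone` and the sample rows are assumptions constructed for illustration.

```python
"""Added example (not from the slide deck): split a survey export into a PII
file and a de-identified file linked by unique ID, then gate release."""
import csv
import io

# Assumed column names; a real project would take these from its survey.
PII_FIELDS = {"name", "address", "phone"}
ID_FIELD = "unique_id"

# Constructed sample export (fictional respondents).
RAW_CSV = """unique_id,name,address,phone,age,income
R001,Asha Rao,12 Main St,555-0101,34,12000
R002,Ben Okoro,9 Hill Rd,555-0102,41,18500
R003,Chen Li,3 Lake Ave,555-0103,29,9800
"""

def split_pii(raw_csv, pii_fields=PII_FIELDS, id_field=ID_FIELD):
    """Return (pii_rows, deid_rows). Both keep the unique ID so the
    questionnaire can be re-linked to its PII later if that is ever
    necessary. A row with no unique ID could never be re-linked, so
    refuse to split rather than silently dropping or mixing it."""
    pii_rows, deid_rows = [], []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        uid = (row.get(id_field) or "").strip()
        if not uid:
            raise ValueError("row without unique ID: %r" % row)
        pii_rows.append({id_field: uid,
                         **{f: row[f] for f in sorted(pii_fields) if f in row}})
        deid_rows.append({k: v for k, v in row.items() if k not in pii_fields})
    return pii_rows, deid_rows

def release_check(rows, pii_fields=PII_FIELDS, id_field=ID_FIELD):
    """Stage 5 gate before a dataset is made public: return the list of
    problems found. An empty list means no PII column survived and every
    row still carries its unique ID."""
    problems = []
    for i, row in enumerate(rows):
        leaked = sorted(set(row) & set(pii_fields))
        if leaked:
            problems.append("row %d still has PII fields %s" % (i, leaked))
        if not (row.get(id_field) or "").strip():
            problems.append("row %d has no unique ID" % i)
    return problems

if __name__ == "__main__":
    pii, deid = split_pii(RAW_CSV)
    print("PII file (keep encrypted on the cold room computer):", pii)
    print("De-identified file (safe for analysis):", deid)
    print("Problems blocking public release:", release_check(deid))
```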

12
Data security for existing projects
  • People
    • Ensure requirements are met for all team members
      who have access to PII:
      • Read IRB requirements for the project
      • Certification of completion for the IRB training
        course is on file
      • Protect data on computers with passwords
      • Sign confidentiality agreements
  • Digital data
    • Take inventory of all digital data in the
      project. For the files that contain PII:
      • Separate PII from non-PII data
      • Encrypt datasets with PII
      • Assess if PII is needed for analysis and if so,
        use a cold room computer
  • Hardcopies
    • Ensure that hardcopies are stored in an
      appropriate and secure place.
    • Once analysis is finished, check with the PI to
      get permission to destroy hardcopies (within 5
      years), using a commercial shredding machine or
      giving the hardcopies to a reputable office
      services company
  • Scans
    • Scans of hardcopy surveys should follow the same
      protocol as Digital Data
    • Scan the first page separately from the rest of
      the survey

13
Sample Confidentiality Agreement
As a member of the research team for the Center
for Microfinance (CMF), I understand that I may
have access to confidential information about
individuals participating in surveys conducted by
CMF or partner banks, NGOs and institutions. By
signing this statement, I am indicating my
understanding of my responsibilities to maintain
confidentiality and agree to the following:
I understand that all information about study
participants obtained or accessed by me in the
course of my work is confidential. I agree not to
divulge, publish, or otherwise make known to
unauthorized persons or to the public any
information obtained in the course of data
collection or data processing that could identify
the persons who participated in the study, unless
specifically authorized to do so by office
protocol or by a supervisor acting in response to
applicable law or court order, or public health
or clinical need.
14
Sample Confidentiality Agreement (continued)
I understand that I am not to read information or
records concerning study participants, or any
other confidential documents, nor ask questions
of study participants for my own personal
information but only to the extent and for the
purpose of performing my assigned duties as a
staff member, volunteer or employee of CMF. I
agree to notify my supervisor immediately should
I become aware of an actual breach of
confidentiality or a situation which could
potentially result in a breach, whether this be
on my part or on the part of another person. I
agree to return all data in my possession to my
supervisor upon terminating work with CMF or upon
being requested by a supervisor to do so and I
understand that failure to do so may result in
legal action. I understand that a breach of
confidentiality may be grounds for disciplinary
action, and may include termination of
employment.
Name ________________________
Signature ________________________
Date of Signature ________________________
15
TrueCrypt walk-through
  • A TrueCrypt "box" is a container created on your
    computer and used to hide (encrypt) files
  • You can:
    • Send these boxes like a normal file
    • Disguise them to look like something else
  • You have to go through TrueCrypt both to put
    things inside the box (encrypt) and to take things
    out (decrypt)

16
Encryption and decryption in an ideal world
[Diagram: data moving between a cold room computer
and a networked computer via SFTP or a
password-protected USB, for two cases:
  • Does not need PII in analysis: PII stays
    encrypted; only the rest of the data is decrypted
    and sent on for analysis
  • Needs PII in analysis: both the PII and the rest
    of the data are decrypted, on the cold room
    computer only]
17
Data Security Checklist
  • All project staff have taken the IRB course and
    sent certifications
  • Survey structured with PII-Consent detachable
    from Main Questionnaire
  • Field staff sign a confidentiality agreement
    before working with data/surveys
  • Using IRB-approved consent form
  • Unique ID code written on every page
  • PII-Consent separated from Main Questionnaire
    prior to data entry
  • Hard copies stored in a secure location
  • Only using cold room computer for management and
    analysis of PII data
  • Make 3-5 backup copies (encrypted) of the
    original data
  • Transfer encrypted files using a secure file
    transfer system
  • Store backup copies on a secured server
  • Confirm data entry operators have removed data
    from their computers
  • Destroy hard copies and PII within 5 years of end
    of project