Data Security Protocol


Why is data security important?

Compliance with Institutional Review Board (IRB) guidelines
- An IRB is a group designated by an institution to approve, monitor, and review research involving human subjects to assure appropriate steps are taken to protect the rights and welfare of those subjects. It is a federally registered body.
- Non-compliance can jeopardize: funding, research progress, organization's reputation
- This protocol aims to follow Harvard's guidelines for security of personally identifiable data in research: http://www.security.harvard.edu/research-data-security-policy

Protection of human subjects
- Field projects often collect personally identifiable information (PII) from respondents
- PII + other sensitive information (e.g., financial or medical data) = RISK

Overall principles for data security

Use cold-room computers, passwords and encryption:
- PII should only be viewed on cold-room computers that are password-protected and are equipped with TrueCrypt
- Pick strong passwords for files and computers. Rule of thumb: more than 10 characters; alpha, numeric, caps and non-caps, and symbols should all be included. No dictionary words.
- Share passwords verbally and keep a record of passwords in a secure location.
- Many want to use a mnemonic device that will make passwords easier to remember.

Ensure physical security:
- Keep data in a physically secure location

Store, transmit, and use PII separately as much as possible:
- Separate personally identifiable information from the dataset as soon as possible (while maintaining the respondent ID link).
- Store and transmit PII separately from the rest of the data and use only de-identified data for analysis as much as possible.

Obtain confidentiality agreements:
- Confidentiality agreements should be signed and kept on record for anyone who handles PII (surveyors, data entry operations, project staff)

Data security for new projects: Stage 0

Stages:
- Before data collection
- Stage 1: Data protection in the field
- Stage 2: Secure data storage and transmission
- Stage 3: Environment for analysis
- Stage 4: Field wrap-up
- Stage 5: Making data public

All Research Assistants/Associates and anyone else who will have access to data with PII should:
- Take the course (Citi or NIH) on human subjects research and send the certificate of completion to your IRB coordinator
- Read the JPAL/IPA human subjects manual and the Data security checklist
- Read the IRB requirements for the project
- Protect data on computers:
  - Use a cold room computer with password protection and TrueCrypt
  - Use secure file transfer and encryption for sending PII

Data security for new projects: Stage 1a

[Diagram: survey packet split into a "PII and Consent" section and the "Rest of survey", each marked with the Unique ID]

- Structure the physical survey packet into the "PII-Consent section" and the "Questionnaire section", so they can be separated
- Ensure that you have a field for the Unique ID Code on every page of the survey packet. It is CRITICAL that each page of the survey has the CORRECT unique ID code so that you can match up the questionnaire to PII if it is necessary later
- Ensure you have a secure location to keep hard copies of surveys, with the identifying information separate from the rest of the survey
- Consider pre-printing all the surveys with the Unique ID Code on each page to avoid risking mistakes by surveyors
- Examples of insecure locations: cardboard boxes on the floor of the office (vulnerable to pests, spills, theft)
- Examples of secure locations: locked metal file cabinet that only the research assistants and project manager have access to

Data security for new projects: Stage 1b

[Diagram: PII section and Survey section handled separately]

- Paper surveys received from surveyors should be physically separated into the PII-Consent section and the rest of the questionnaire. These two sections should be stored and transported separately
- Ensure that data entry operators have signed a Confidentiality Agreement
- Once data has been double-entered, receive datasets on disc (NOT email). PII and the rest of the data should be stored on separate discs.
- Confirm that data entry operators have removed the data from their computers

Data security for new projects: Stage 2

- Transfer data from data entry to disc to a password-protected cold room computer and encrypt immediately
- Make 3-5 encrypted copies of the original data and store on at least 2 secured servers or computers
- Send encrypted data through a secure file transfer protocol (SFTP) such as Accellion (HKS) or WinSCP (NBER)
- Sending data containing PII over email or Dropbox needs to be avoided

Data security for new projects: Stage 3

Data analysis does NOT require PII (e.g. no need for names, addresses, etc. in analysis)
- Maintain two separate datasets: the first contains PII and the unique ID code, and the second contains the unique ID code and the rest of the data (make sure both contain the respondent ID code)
- Keep the dataset containing personally identifiable information encrypted
- Decrypt and download only the second dataset (the one without personally identifiable information) for cleaning and analysis onto your computer
- If you need to view the PII, then you should use a cold room computer.
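The two-dataset split described above can be sketched as follows. This is an added example, not part of the original presentation; the column names (respondent_id, name, address, phone) and the sample rows are constructed assumptions. Encrypting the PII output is a separate step and is not shown.

```python
import csv
import io

# Constructed sample of double-entered survey data (all values are made up).
SAMPLE_CSV = """respondent_id,name,address,phone,household_size,loan_amount
R001,Asha Kumar,12 Temple Road,555-0101,4,5000
R002,Ravi Nair,8 Market Street,555-0102,6,12000
R003,Meena Das,3 Lake View,555-0103,3,0
"""

ID_FIELD = "respondent_id"                  # assumed name of the unique ID column
PII_FIELDS = ["name", "address", "phone"]   # assumed identifying columns


def split_pii(rows, id_field=ID_FIELD, pii_fields=PII_FIELDS):
    """Return (pii_rows, deidentified_rows); every row in both keeps the unique ID."""
    drop = set(pii_fields) | {id_field}
    seen, pii_rows, data_rows = set(), [], []
    for line_no, row in enumerate(rows, start=2):   # line 1 is the header
        uid = (row.get(id_field) or "").strip()
        if not uid:
            raise ValueError(f"line {line_no}: missing {id_field}")
        if uid in seen:
            # A repeated ID would make the PII link ambiguous later on.
            raise ValueError(f"line {line_no}: duplicate {id_field} {uid!r}")
        seen.add(uid)
        pii_rows.append({id_field: uid, **{f: row[f] for f in pii_fields}})
        data_rows.append({id_field: uid,
                          **{k: v for k, v in row.items() if k not in drop}})
    return pii_rows, data_rows


def split_csv_text(text, id_field=ID_FIELD, pii_fields=PII_FIELDS):
    """Parse CSV text, check that the expected columns exist, then split it."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in [id_field, *pii_fields] if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"columns not found: {missing}")
    return split_pii(list(reader), id_field, pii_fields)


def to_csv(rows):
    """Serialise a list of dict rows back to CSV text."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    pii, data = split_csv_text(SAMPLE_CSV)
    print(to_csv(pii))    # goes to the encrypted store only
    print(to_csv(data))   # de-identified file for cleaning and analysis
```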

Data security for new projects: Stage 3

Data analysis DOES require PII
- Download the encrypted file onto a password-protected USB key or other storage device.
- Transfer the file in encrypted form to a password-protected cold room computer
- As long as the data you are working with directly uses PII, you will need to work on a cold-room computer that is password-protected. You may not transfer the data containing PII to other computers.
- There may be ways to de-identify the data and retain the elements needed for analysis, giving you more flexibility on where you clean and analyze data.

Data security for new projects: Stage 4

- Once data analysis is finished, hardcopies of surveys need to be destroyed in a secure manner (e.g., shredded) within 5 years of completion of the study
- Once all data is received for cleaning and analysis and secure back-up of the files has been confirmed, completely delete the file from any field computers (make sure all data has been transmitted from the field before deleting files)
- You may consider 'wiping' your hard drive of these files using a program such as Eraser (http://eraser.heidi.ie/)

Data security for new projects: Stage 5

- Multiple team members need to review the dataset before it is released publicly, preferably ones who are familiar with the survey instruments and data collection
- The potential negative repercussions of making one mistake and releasing PII on a public database can be huge (imagine leaving a social security number in a public medical procedures database)
- Always get PI approval before making data public
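A simple automated pass can support the manual review described above by flagging obvious leftovers before reviewers look at the file. This is an added example, not part of the original presentation; the suspect column names, the value patterns and the sample release file are constructed assumptions, and a clean result does not replace review by team members or PI approval.

```python
import csv
import io
import re

# Assumed header names that should never appear in a public release.
SUSPECT_COLUMN_NAMES = {"name", "address", "phone", "email", "ssn", "dob"}

# Assumed value patterns; extend these for the identifiers your survey collects.
VALUE_PATTERNS = {
    "ssn-like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone-like": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
}

# Constructed sample of a dataset about to be published (all values are made up).
SAMPLE_RELEASE = """respondent_id,procedure_code,cost,notes
R001,P17,250,follow-up in 2 weeks
R002,P03,900,patient SSN 123-45-6789 on file
R003,P17,250,contact via meena@example.org
"""


def scan_for_pii(csv_text):
    """Return a list of (line or 'header', column, reason) findings."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    # Pass 1: column names that suggest an identifying field was left in.
    for col in reader.fieldnames or []:
        if col.strip().lower() in SUSPECT_COLUMN_NAMES:
            findings.append(("header", col, "suspect column name"))
    # Pass 2: identifier-shaped values hiding in any column, e.g. free text.
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        for col, value in row.items():
            if not isinstance(value, str):
                continue   # short or over-long rows yield None or list values
            for label, pattern in VALUE_PATTERNS.items():
                if pattern.search(value):
                    findings.append((line_no, col, label))
    return findings


if __name__ == "__main__":
    for where, col, reason in scan_for_pii(SAMPLE_RELEASE):
        print(f"{where}: column {col!r}: {reason}")
```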

Data security for existing projects

People:
- Ensure requirements are met for all team members who have access to PII:
  - Read IRB requirements for the project
  - Certification of completion for the IRB training course is on file
  - Protect data on computers with passwords
  - Sign Confidentiality agreements

Digital data:
- Take inventory of all digital data in the project. For the files that contain PII:
  - Separate PII from non-PII data
  - Encrypt datasets with PII
  - Assess if PII is needed for analysis and if so, use cold room computer

Hardcopies:
- Ensure that hardcopies are stored in an appropriate and secure place.
- Once analysis is finished, check with PI to get permission to destroy hardcopies (within 5 years)
  - Using a commercial shredding machine or giving the hardcopies to a reputable office services company

Scans:
- Scans of hardcopy surveys should follow the same protocol as Digital Data
- Scan first page separately from the rest of the survey
makes running do-files with hardcoded file paths harder to run but for most projects this should not be an issue since PII is not typically used in analysis

Sample Confidentiality Agreement

As a member of the research team for the Center for Microfinance (CMF), I understand that I may have access to confidential information about individuals participating in surveys conducted by CMF or partner banks, NGOs and institutions. By signing this statement, I am indicating my understanding of my responsibilities to maintain confidentiality and agree to the following:

I understand that all information about study participants obtained or accessed by me in the course of my work is confidential. I agree not to divulge, publish, or otherwise make known to unauthorized persons or to the public any information obtained in the course of data collection or data processing that could identify the persons who participated in the study, unless specifically authorized to do so by office protocol or by a supervisor acting in response to applicable law or court order, or public health or clinical need.

Sample Confidentiality Agreement (continued)

I understand that I am not to read information or records concerning study participants, or any other confidential documents, nor ask questions of study participants for my own personal information but only to the extent and for the purpose of performing my assigned duties as a staff member, volunteer or employee of CMF.

I agree to notify my supervisor immediately should I become aware of an actual breach of confidentiality or a situation which could potentially result in a breach, whether this be on my part or on the part of another person.

I agree to return all data in my possession to my supervisor upon terminating work with CMF or upon being requested by a supervisor to do so and I understand that failure to do so may result in legal action.

I understand that a breach of confidentiality may be grounds for disciplinary action, and may include termination of employment.

Name: ________________________
Signature: ________________________
Date of Signature: ________________________

TrueCrypt walk-through

TrueCrypt = a box created on your computer used to hide (encrypt) files

You can:
- Send these "boxes" like a normal file
- Disguise them to look like something else

You have to go through TrueCrypt both to put things inside the box (encrypt) and to take things out (decrypt)

Encryption and un-encryption in ideal world

[Diagram: data moving between a cold room computer, a password-protected USB and a networked computer over SFTP. Two cases are shown. "Does not need PII in analysis": PII stays encrypted, rest of data unencrypted. "Needs PII in analysis": PII and rest of data are unencrypted.]

Data Security Checklist

- All project staff have taken the IRB course and sent certifications
- Survey structured with PII-Consent detachable from Main Questionnaire
- Field staff sign a confidentiality agreement before working with data/surveys
- Using IRB approved consent form
- Unique ID code written on every page
- PII-Consent separated from Main Questionnaire prior to data entry
- Hard copies stored in a secure location
- Only using cold room computer for management and analysis of PII data
- Make 3-5 backup copies (encrypted) of the original data
- Transfer encrypted files using file transfer system
- Store backup copies on a secured server
- Confirm data entry operators have removed data from their computers
- Destroy hard copies and PII within 5 years of end of project