Data Security Protocol - PowerPoint PPT Presentation

About This Presentation
Title:

Data Security Protocol

Description:

Data Security Protocol * Why is data security important? Compliance with Institutional Review Board (IRB) guidelines An IRB is a group designated by an institution to ... – PowerPoint PPT presentation

Number of Views:76
Avg rating:3.0/5.0
Slides: 18
Provided by: Russe55
Category:
Tags: citi | data | protocol | security

less

Transcript and Presenter's Notes

Title: Data Security Protocol


1
Data Security Protocol
2
Why is data security important?
  • Compliance with Institutional Review Board (IRB)
    guidelines
  • An IRB is a group designated by an institution to
    approve, monitor, and review research involving
    human subjects to assure appropriate steps are
    taken to protect the rights and welfare of those
    subjects. It is a federally registered body.
  • Non-compliance can jeopardize
  • Funding
  • Research progress
  • Organizations reputation
  • This protocol aims to follow Harvards guidelines
    for security of personally identifiable data in
    research http//www.security.harvard.edu/research-
    data-security-policy
  • Protection of human subjects
  • Field projects often collect personally
    identifiable information (PII) from respondents
  • PII other sensitive information (e.g.,
    financial or medical data) RISK

3
Overall principles for data security
  • Use Cold-room computers, passwords and
    encryption PII should only be viewed on
    cold-room computers that are password-protected
    and are equipped with TrueCrypt
  • Pick strong passwords for files and computers.
    Rule of thumb more than 10 characters, alpha,
    numeric, caps and non-caps, and symbols should be
    included (all). No dictionary words. Share
    verbally and keep record of passwords in a secure
    location.
  • Ensure physical security Keep data in a
    physically secure location
  • Store, transmit, and use PII separately as much
    as possible Separate personally identifiable
    information from the dataset as soon as possible
    (while maintaining respondent id link). Store and
    transmit PII separately from rest of data and use
    only de-identified data for analysis as much as
    possible.
  • Obtain confidentiality agreements
    Confidentiality agreements should be signed and
    kept on record for anyone who handles PII
    (surveyors, data entry operations, project staff)

4
Data security for new projects Stage 0
Stage 5 Making data public
Stage 4 Field wrap-up
Stage 3 Environment for analysis
Stage 2 Secure data storage and transmission
Stage 1 Data protection in the field
Stage 0 Before data collection
  • All Research Assistants/Associates and anyone
    else who will have access to data with PII
    should
  • Take the course (Citi or NIH) on human subjects
    research and send the certificate of completion
    to your IRB coordinator
  • Read JPAL/IPA human subjects manual and Data
    security checklist
  • Read the IRB requirements for the project
  • Protect data on computers
  • Use cold room computer with Password protection
    and TrueCrypt
  • Use secure file transfer and encryption for
    sending PII

5
Data security for new projects Stage 1a
Stage 5 Making data public
Stage 4 Field wrap-up
Stage 3 Environment for analysis
Stage 2 Secure data transmission
Stage 1 Data protection in the field
Stage 0 Before data collection
Rest of survey Unique ID
PII and Consent Unique ID
PII and Consent Unique ID
  • Structure the physical survey packet into the
    PII-Consent section and the Questionnaire
    section, so they can be separated
  • Ensure that you have a field for the Unique ID
    Code on every page of the survey packet. It is
    CRITICAL that each page of the survey has the
    CORRECT unique ID code so that you can match up
    the questionnaire to PII if it is necessary later
  • Ensure you have a secure location to keep hard
    copies of surveys, with the identifying
    information separate from the rest of the survey

6
Data security for new projects Stage 1b
Stage 5 Making data public
Stage 4 Field wrap-up
Stage 3 Environment for analysis
Stage 2 Secure data storage and transmission
Stage 1 Data protection in the field
Stage 0 Before data collection
PII
Survey
  • Paper surveys received from surveyors should be
    physically separated into PII-Consent section and
    the rest of the questionnaire. These two sections
    should be stored and transported separately
  • Ensure that data entry operators have signed a
    Confidentiality Agreement
  • Once data has been double-entered, receive
    datasets on disc (NOT email). PII and rest of
    data should be stored in separate discs.
  • Confirm that data entry operators have removed
    the data from their computers

7
Data security for new projects Stage 2
Stage 5 Making data public
Stage 4 Field wrap-up
Stage 3 Environment for analysis
Stage 2 Secure data storage and transmission
Stage 1 Data protection in the field
Stage 0 Before data collection
  • Transfer data from data entry to disc to password
    protected cold room computer and encrypt
    immediately
  • Make 3-5 encrypted copies of the original data
    and store on at least 2 secured servers or
    computers
  • Send encrypted data through a secure file
    transfer protocol (SFTP) such as Accellion (HKS)
    or WinSCP (NBER)
  • Sending data containing PII over email or
    Dropbox needs to be avoided

8
Data security for new projects Stage 3
Stage 5 Making data public
Stage 4 Field wrap-up
Stage 3 Environment for analysis
Stage 2 Secure data storage and transmission
Stage 1 Data protection in the field
Stage 0 Before data collection
Data analysis does NOT require PII (e.g. no need
for names, addresses, etc in analysis)
Data analysis does NOT require PII (e.g. no need
for names, addresses, etc in analysis)
Data analysis does NOT require PII (e.g. no need
for names, addresses, etc in analysis)
  • Maintain two separate datasets first which
    contains PII and the unique id code and a second
    which contains the unique id code and the rest of
    the data (make sure both contain the respondent
    id code)
  • Keep the dataset containing personally
    identifiable information encrypted
  • Decrypt and download only the second dataset (the
    one without personally identifiable information)
    for cleaning and analysis onto your computer
  • If you need to view the PII, then you should use
    a cold room computer.

9
Data security for new projects Stage 3
Stage 5 Making data public
Stage 4 Field wrap-up
Stage 3 Environment for analysis
Stage 2 Secure data storage and transmission
Stage 1 Data protection in the field
Stage 0 Before data collection
Data analysis DOES require PII
  • Download the encrypted file onto a
    password-protected USB key or other storage
    device. Transfer the file in encrypted form to a
    password-protected cold room computer
  • As long as the data you are working with
    directly uses PII, you will need to work on a
    cold-room computer that is password-protected.
    You may not transfer the data containing PII to
    other computers.
  • There may be ways to de-identify the data and
    retain the elements needed for analysis, giving
    you more flexibility on where you clean and
    analyze data.

10
Data security for new projects Stage 4
Stage 5 Making data public
Stage 4 Field wrap-up
Stage 3 Environment for analysis
Stage 2 Secure data storage and transmission
Stage 1 Data protection in the field
Stage 0 Before data collection
  • Once data analysis is finished, hardcopies of
    surveys need to be destroyed in a secure manner
    (e.g., shredded) within 5 years of completion of
    the study
  • Once all data is received for cleaning and
    analysis and secure back-up of the files has been
    confirmed, completely delete the file from any
    field computers (make sure all data has been
    transmitted from the field before deleting files)
  • You may consider wiping your hard drive of
    these files using a program such as Eraser
    (http//eraser.heidi.ie/)

11
Data security for new projects Stage 5
Stage 5 Making data public
Stage 4 Field wrap-up
Stage 3 Environment for analysis
Stage 2 Secure data storage transmission
Stage 1 Data protection in the field
Stage 0 Before data collection
  • Multiple team members need to review the dataset
    before it is released publicly, preferably ones
    who are familiar with the survey instruments and
    data collection
  • The potential negative repercussions of making on
    mistake and releasing PII on a public database
    can be huge (imagine leaving a social security
    number in a public medical procedures database)
  • Always get PI approval before making data public

12
Data security for existing projects
  • People
  • Ensure requirements are met for all team members
    who have access to PII
  • Read IRB requirements for the project
  • Certification of completion for the IRB training
    course is on file
  • Protect data on computers with passwords
  • Sign Confidentiality agreements
  • Digital data
  • Take inventory of all digital data in the
    project. For the files that contain PII
  • Separate PII from non-PII data
  • Encrypt datasets with PII
  • Assess if PII is needed for analysis and if so,
    use cold room computer
  • Hardcopies
  • Ensure that hardcopies are stored in an
    appropriate and secure place.
  • Once analysis is finished, check with PI to get
    permission to destroy hardcopies (within 5 years)
  • Using a commercial shredding machine or giving
    the hardcopies to a reputable office services
    company
  • Scans
  • Scans of hardcopy surveys should follow the same
    protocol as Digital Data
  • Scan first page separately from the rest of the
    survey

13
Sample Confidentiality Agreement  
As a member of the research team for the Center
for Microfinance (CMF),I understand that I may
have access to confidential information about
individuals participating in surveys conducted by
CMF or partner banks, NGOs and institutions. By
signing this statement, I am indicating my
understanding of my responsibilities to maintain
confidentiality and agree to the following I
understand that all information about study
participants obtained or accessed by me in the
course of my work is confidential. I agree not to
divulge, publish, or otherwise make known to
unauthorized persons or to the public any
information obtained in the course of data
collection or data processing that could identify
the persons who participated in the study, unless
specifically authorized to do so by office
protocol or by a supervisor acting in response to
applicable law or court order, or public health
or clinical need.
14
Sample Confidentiality Agreement  
I understand that I am not to read information or
records concerning study participants, or any
other confidential documents, nor ask questions
of study participants for my own personal
information but only to the extent and for the
purpose of performing my assigned duties as a
staff member, volunteer or employee of CMF. I
agree to notify my supervisor immediately should
I become aware of an actual breach of
confidentiality or a situation which could
potentially result in a breach, whether this be
on my part or on the part of another person. I
agree to return all data in my possession to my
supervisor upon terminating work with CMF or upon
being requested by a supervisor to do so and I
understand that failure to do so may result in
legal action. I understand that a breach of
confidentiality may be grounds for disciplinary
action, and may include termination of
employment. Name ________________________ Sign
ature ________________________ Date of
Signature ________________________
15
True Crypt walk-through
  • True Crypt Box created on your computer used to
    hide (encrypt) files
  • You can
  • Send these boxes like a normal file
  • Disguise them to look like something else
  • You have to go through True Crypt to both put
    things inside the box (encrypt) and take things
    out (de-encrypt)

16
Encryption and un-encryption in ideal world
Cold room computer
Networked computer
Password- Protected USB
Encrypted
PII
Un-encrypted
SFTP
Does not need PII in analysis
PII stays encrypted
Rest of data unencrypted
Rest of data
Unencrypt PII
PII
SFTP
Needs PII in analysis
Rest of data
Unencrypt Rest of data
17
Data Security Checklist  
  • All project staff have take IRB course and sent
    certifications
  • Survey structured with PII-Consent detachable
    from Main Questionnaire
  • Field staff sign a confidentiality agreement
    before working with
  • data/surveys
  • Using IRB approved consent form
  • Unique ID code written on every page
  • PII-Consent separated from Main Questionnaire
    prior to data entry
  • Hard copies stored in a secure location
  • Only using cold room computer for management and
    analysis of PII data
  • Make 3-5 backup copies (encrypted) of the
    original data
  • Transfer encrypted files using file transfer
    system
  • Store backup copies on a secured server
  • Confirm data entry operators have removed data
    from their computers
  • Destroy hard copies and PII within 5 years of end
    of project
Write a Comment
User Comments (0)
About PowerShow.com