2Why is data security important? Compliance with Institutional Review Board (IRB) guidelinesAn IRB is a group designated by an institution to approve, monitor, and review research involving human subjects to assure appropriate steps are taken to protect the rights and welfare of those subjects. It is a federally registered body.Non-compliance can jeopardize:FundingResearch progressOrganization’s reputationThis protocol aims to follow Harvard’s guidelines for security of personally identifiable data in researchProtection of human subjectsField projects often collect personally identifiable information (PII) from respondentsPII + other sensitive information (e.g., financial or medical data) = RISKPII
3Overall principles for data security Use Cold-room computers, passwords and encryption: PII should only be viewed on cold-room computers that are password-protected and are equipped with TrueCryptPick strong passwords for files and computers. Rule of thumb: more than 10 characters, alpha, numeric, caps and non- caps, and symbols should be included (all). No dictionary words. Share verbally and keep record of passwords in a secure location.Ensure physical security: Keep data in a physically secure locationStore, transmit, and use PII separately as much as possible: Separate personally identifiable information from the dataset as soon as possible (while maintaining respondent id link). Store and transmit PII separately from rest of data and use only de-identified data for analysis as much as possible.Obtain confidentiality agreements: Confidentiality agreements should be signed and kept on record for anyone who handles PII (surveyors, data entry operations, project staff)Data entry operationsMany want to use a mnemonic device that will made passwords easier to remember.
4Data security for new projects: Stage 0 Before data collectionStage 1:Data protection in the fieldStage 2:Secure data storage andtransmissionStage 3:Environmentfor analysisStage 4:Fieldwrap-upStage 5:Makingdata publicAll Research Assistants/Associates and anyone else who will have access to data with PII should:Take the course (Citi or NIH) on human subjects research and send the certificate of completion to your IRB coordinatorRead JPAL/IPA human subjects manual and Data security checklistRead the IRB requirements for the projectProtect data on computers:Use cold room computer with Password protection and TrueCryptUse secure file transfer and encryption for sending PII
5Data security for new projects: Stage 1a Before data collectionStage 1:Data protection in the fieldStage 2:Secure datatransmissionStage 3:Environmentfor analysisStage 4:Fieldwrap-upStage 5:Makingdata publicRest of surveyUnique IDPII andConsentUnique IDPII andConsentUnique IDStructure the physical survey packet into the “PII-Consent section” and the “Questionnaire section”, so they can be separatedEnsure that you have a field for the Unique ID Code on every page of the survey packet. It is CRITICAL that each page of the survey has the CORRECT unique ID code so that you can match up the questionnaire to PII if it is necessary laterEnsure you have a secure location to keep hard copies of surveys, with the identifying information separate from the rest of the surveyConsider pre-printing all the surveys with the Unique ID Code on each page to avoid risking mistakes by surveyorsExamples of insecure locations: cardboard boxes on the floor of the office (vulnerable to pests, spills, theft)Examples of secure locations: Locked metal file cabinet that only the research assistants and project manager have access to
6Data security for new projects: Stage 1b Before data collectionStage 1:Data protection in the fieldStage 2:Secure data storage andtransmissionStage 3:Environmentfor analysisStage 4:Fieldwrap-upStage 5:Makingdata publicPIISurveyPaper surveys received from surveyors should be physically separated into PII-Consent section and the rest of the questionnaire. These two sections should be stored and transported separatelyEnsure that data entry operators have signed a Confidentiality AgreementOnce data has been double-entered, receive datasets on disc (NOT ). PII and rest of data should be stored in separate discs.Confirm that data entry operators have removed the data from their computers
7Data security for new projects: Stage 2 Before data collectionStage 1:Data protection in the fieldStage 2:Secure data storage andtransmissionStage 3:Environmentfor analysisStage 4:Fieldwrap-upStage 5:Makingdata publicTransfer data from data entry to disc to password protected cold room computer and encrypt immediatelyMake 3-5 encrypted copies of the original data and store on at least 2 secured servers or computersSend encrypted data through a secure file transfer protocol (SFTP) such as Accellion (HKS) or WinSCP (NBER)Sending data containing PII over or Dropbox needs to be avoided
8Data security for new projects: Stage 3 Before data collectionStage 1:Data protection in the fieldStage 2:Secure data storage andtransmissionStage 3:Environmentfor analysisStage 4:Fieldwrap-upStage 5:Makingdata publicData analysis does NOT require PII(e.g. no need for names, addresses, etc in analysis)Data analysis does NOT require PII(e.g. no need for names, addresses, etc in analysis)Data analysis does NOT require PII(e.g. no need for names, addresses, etc in analysis)Maintain two separate datasets: first which contains PII and the unique id code and a second which contains the unique id code and the rest of the data (make sure both contain the respondent id code)Keep the dataset containing personally identifiable information encryptedDecrypt and download only the second dataset (the one without personally identifiable information) for cleaning and analysis onto your computerIf you need to view the PII, then you should use a cold room computer.
9Data security for new projects: Stage 3 Before data collectionStage 1:Data protection in the fieldStage 2:Secure data storage andtransmissionStage 3:Environmentfor analysisStage 4:Fieldwrap-upStage 5:Makingdata publicData analysis DOES require PIIDownload the encrypted file onto a password-protected USB key or other storage device. Transfer the file in encrypted form to a password-protected cold room computerAs long as the data you are working with directly uses PII, you will need to work on a cold-room computer that is password-protected. You may not transfer the data containing PII to other computers.There may be ways to de-identify the data and retain the elements needed for analysis, giving you more flexibility on where you clean and analyze data.
10Data security for new projects: Stage 4 Before data collectionStage 1:Data protection in the fieldStage 2:Secure data storage andtransmissionStage 3:Environmentfor analysisStage 4:Fieldwrap-upStage 5:Makingdata publicOnce data analysis is finished, hardcopies of surveys need to be destroyed in a secure manner (e.g., shredded) within 5 years of completion of the studyOnce all data is received for cleaning and analysis and secure back-up of the files has been confirmed, completely delete the file from any field computers (make sure all data has been transmitted from the field before deleting files)You may consider ‘wiping’ your hard drive of these files using a program such as Eraser (http://eraser.heidi.ie/)
11Data security for new projects: Stage 5 Before data collectionStage 1:Data protection in the fieldStage 2:Secure data storagetransmissionStage 3:Environmentfor analysisStage 4:Fieldwrap-upStage 5:Makingdata publicMultiple team members need to review the dataset before it is released publicly, preferably ones who are familiar with the survey instruments and data collectionThe potential negative repercussions of making on mistake and releasing PII on a public database can be huge (imagine leaving a social security number in a public medical procedures database)Always get PI approval before making data public
12Data security for existing projects People:Ensure requirements are met for all team members who have access to PII:Read IRB requirements for the projectCertification of completion for the IRB training course is on fileProtect data on computers with passwordsSign Confidentiality agreementsDigital data:Take inventory of all digital data in the project. For the files that contain PII:Separate PII from non-PII dataEncrypt datasets with PIIAssess if PII is needed for analysis and if so, use cold room computerHardcopiesEnsure that hardcopies are stored in an appropriate and secure place.Once analysis is finished, check with PI to get permission to destroy hardcopies (within 5 years)Using a commercial shredding machine or giving the hardcopies to a reputable office services companyScansScans of hardcopy surveys should follow the same protocol as Digital DataScan first page separately from the rest of the surveymakes running do-files with hardcoded file paths harder to run but for most projects this should not be an issue since PII is not typically used in analysis
13Sample Confidentiality Agreement As a member of the research team for the Center for Microfinance (CMF),I understand that I may have access to confidential information about individuals participating in surveys conducted by CMF or partner banks, NGOs and institutions. By signing this statement, I am indicating my understanding of my responsibilities to maintain confidentiality and agree to the following:I understand that all information about study participants obtained or accessed by me in the course of my work is confidential. I agree not to divulge, publish, or otherwise make known to unauthorized persons or to the public any information obtained in the course of data collection or data processing that could identify the persons who participated in the study, unless specifically authorized to do so by office protocol or by a supervisor acting in response to applicable law or court order, or public health or clinical need.
14Sample Confidentiality Agreement I understand that I am not to read information or records concerning study participants, or any other confidential documents, nor ask questions of study participants for my own personal information but only to the extent and for the purpose of performing my assigned duties as a staff member, volunteer or employee of CMF.I agree to notify my supervisor immediately should I become aware of an actual breach of confidentiality or a situation which could potentially result in a breach, whether this be on my part or on the part of another person.I agree to return all data in my possession to my supervisor upon terminating work with CMF or upon being requested by a supervisor to do so and I understand that failure to do so may result in legal action.I understand that a breach of confidentiality may be grounds for disciplinary action, and may include termination of employment.Name: ________________________Signature: ________________________Date of Signature: ________________________
15True Crypt walk-through True Crypt = Box created on your computer used to hide (encrypt) filesYou can:Send these “boxes” like a normal fileDisguise them to look like something elseYou have to go through True Crypt to both put things inside the box (encrypt) and take things out (de-encrypt)
16Encryption and un-encryption in ideal world Cold roomcomputerEncryption and un-encryption in ideal worldNetworkedcomputerPassword-Protected USBEncryptedPIIUn-encryptedSFTPDoes not need PII in analysisPII stays encryptedRest of data unencryptedRest of dataUnencryptPIIPIISFTPNeeds PII in analysisRest of dataUnencryptRest of data
17Data Security Checklist All project staff have take IRB course and sent certificationsSurvey structured with PII-Consent detachable from Main QuestionnaireField staff sign a confidentiality agreement before working withdata/surveysUsing IRB approved consent formUnique ID code written on every pagePII-Consent separated from Main Questionnaire prior to data entryHard copies stored in a secure locationOnly using cold room computer for management and analysis of PII dataMake 3-5 backup copies (encrypted) of the original dataTransfer encrypted files using file transfer systemStore backup copies on a secured serverConfirm data entry operators have removed data from their computersDestroy hard copies and PII within 5 years of end of project