Developing Data Protection Plans
Sensitive, individually identifiable data must be protected during collection, transfer, storage, and reporting.
Defining Sensitive, Individually Identifiable Information
Sensitive information: Information that, if inadvertently released, could place research subjects at risk of harm. Harms could be to subjects’ relationships, status, employability, or insurability; subjects could face criminal or civil prosecution and, in some cases, physical harm. The assessment of risk must take into account the culture, age, life experience, and any other relevant characteristics of the subjects.
Individually identifiable information:
Data containing direct identifiers, such as subjects’ names and email addresses, or indirect identifiers, which are a combination of characteristics about subjects that would allow others to deduce their identities.
Examples of indirect identifiers:
- Position, gender, and length of service in a named company
- Age, gender, major, ethnicity, and year in school
Institutional risk and data about Duke students:
The University has determined that any research studies that collect or use direct (e.g., names) or indirect (e.g., demographics) data about Duke students meet the "sensitive" data classification, because the data must be protected to mitigate institutional risk.
Categories of information that are always considered sensitive at Duke:
- Any research data about Duke students, if the data include direct or indirect identifiable information
- Any information protected by a Certificate of Confidentiality
- Protected Health Information provided by a hospital or clinic
- Data protected by a Data Use Agreement (DUA)
Some data providers require that a DUA be put in place even when the data are not individually identifiable; nonetheless, the data are considered sensitive.
Reporting Sensitive, Individually Identifiable Information
To reduce the risk of an inadvertent or intentional re-identification of data, the following strategies may be used when reporting identifiable data in your findings:
- Reporting data in aggregate only with cells of a sufficient size to prevent indirect identification
- Depicting identifiers in general terms, for example, age or income ranges
- Using pseudonyms rather than names
- Using broad group identifiers such as “tradesperson” rather than carpenter
- Using deliberately vague identifiers, for example, saying that the research took place in a midsize city in West Africa rather than naming the city
What follows below are some of Duke’s Information Technology Security Office (ITSO) best practices to prevent an inadvertent breach of confidentiality of individually identifiable, sensitive data during the gathering, storing, and transferring of data.
ITSO will review all data protection plans and will inform researchers and the IRB if any changes need to be made to the data protection procedures described in the protocol.
The online SecureIT tool was designed to help researchers identify approved Duke services they can use to collect, store, transfer, and analyze research data.
ITSO can be contacted directly at firstname.lastname@example.org.
Data collection using online services should be conducted on a secure platform, such as Qualtrics. If carrying out virtual interviews or focus groups, researchers are encouraged to use their Duke-sponsored WebEx or Zoom accounts.
Data collection in the field should be done on encrypted mobile devices, for example, audio computer-assisted self-interviewing (ACASI) on a tablet.
All data collected in the field should be transferred as soon as possible to a secure server at Duke.
If limited resources make it necessary to use pen-and-paper surveys to collect sensitive data in the field, paper documents should be labeled with a unique ID number, not the participants’ names. If the key linking names to ID numbers must be taken into the field, it should be carried only on an encrypted device and kept separate from the paper forms.
When using mobile devices during data collection, the following are ITSO’s best practices.
- Laptops and tablets:
  - Must be encrypted, have regular software updates enabled, run anti-virus software (Duke supports Symantec), use a password-protected screensaver, have remote wipe and Prey software for anti-theft protection, and meet the other minimum security standards for endpoints
  - Recommendation: local IT support should manage laptops involved in research
- Mobile devices:
  - Must be encrypted, passcode-protected or fingerprint-protected, and have regular software updates enabled
  - Recommendation: use “Find My iPhone,” remote wipe, and Prey software for anti-theft protection
  - Enable the Duke multi-factor authentication service for Duke Box access
- Backups:
  - Recommendation: keep offline and encrypted. (Refer to the DUA regarding backup permissions.)
Approved storage for individually identifiable sensitive data:
- Duke Box* with local IT consultation to set up secure data collecting, storing, and sharing
  - Light: local IT assists as needed
  - Active: local IT sets up a project-specific Box account
- OIT Protected Network with active local (departmental) IT management and support
  - Local IT sets up and manages the environment
- Protected Research Data Network (PRDN)
* Box is generally recommended for collecting and storing data rather than for ongoing analysis of data
Identifiers, study data, and the key that links them should be kept in separate password-protected or encrypted files with restricted access, and stored in separate locations.
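Two of the practices on this page, separating the linkage key from the study data and reporting only aggregates with sufficient cell sizes and generalized identifiers, can be seen end to end in the following Python script. It is an added illustration, not Duke or ITSO code: the survey records are constructed, the study ID format and the minimum cell size of 5 are assumptions rather than Duke policy values, and the script does not itself encrypt the key file (that is what the approved Duke storage above is for).

```python
"""Pseudonymise survey records and build a small-cell-suppressed report.

Added illustration only; not Duke or ITSO code. The records below are
constructed, and the minimum cell size of 5 is an assumed threshold,
not a Duke policy value.
"""
import secrets
from collections import Counter

# Constructed sample: direct identifiers (name, email) mixed in with the
# study variables. Age, gender and major together are indirect identifiers.
SAMPLE_RECORDS = [
    {"name": "Ana Lopez",  "email": "ana@example.org",  "age": 21, "gender": "F", "major": "Biology",   "score": 71},
    {"name": "Bea Chen",   "email": "bea@example.org",  "age": 22, "gender": "F", "major": "History",   "score": 64},
    {"name": "Cara Diaz",  "email": "cara@example.org", "age": 24, "gender": "F", "major": "Biology",   "score": 80},
    {"name": "Dee Patel",  "email": "dee@example.org",  "age": 26, "gender": "F", "major": "Economics", "score": 58},
    {"name": "Eva Rossi",  "email": "eva@example.org",  "age": 28, "gender": "F", "major": "Biology",   "score": 77},
    {"name": "Fay Kim",    "email": "fay@example.org",  "age": 29, "gender": "F", "major": "History",   "score": 69},
    {"name": "Gus Brown",  "email": "gus@example.org",  "age": 20, "gender": "M", "major": "Physics",   "score": 55},
    {"name": "Hal Okafor", "email": "hal@example.org",  "age": 23, "gender": "M", "major": "Biology",   "score": 83},
    {"name": "Ian Novak",  "email": "ian@example.org",  "age": 27, "gender": "M", "major": "Economics", "score": 62},
    {"name": "Jill Moore", "email": "jill@example.org", "age": 31, "gender": "F", "major": "History",   "score": 74},
    {"name": "Kay Singh",  "email": "kay@example.org",  "age": 38, "gender": "F", "major": "Physics",   "score": 66},
    {"name": "Lee Wang",   "email": "lee@example.org",  "age": 44, "gender": "M", "major": "Biology",   "score": 79},
]

DIRECT_IDENTIFIERS = ("name", "email")


def split_identifiers(records, direct_fields=DIRECT_IDENTIFIERS):
    """Replace direct identifiers with a random study ID.

    Returns (deidentified, key). The key maps study ID -> removed identifiers
    and is the only route back to a person, so it belongs in its own
    encrypted, access-restricted file in a different location from the data.
    """
    key = {}
    deidentified = []
    for rec in records:
        study_id = secrets.token_hex(4)        # 32 random bits, e.g. '9f3a1c07'
        while study_id in key:                 # check for collisions, do not assume
            study_id = secrets.token_hex(4)
        key[study_id] = {f: rec[f] for f in direct_fields if f in rec}
        study_vars = {k: v for k, v in rec.items() if k not in direct_fields}
        deidentified.append({"study_id": study_id, **study_vars})
    return deidentified, key


def age_band(age, width=10):
    """Generalise an exact age to a range label such as '20-29'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def generalise(records):
    """Return copies of the records with the exact age replaced by an age band."""
    return [{**r, "age": age_band(r["age"])} for r in records]


def aggregate_report(records, group_fields, min_cell=5):
    """Count records per combination of group_fields, suppressing small cells.

    A cell with fewer than min_cell records is returned as None: a rare
    combination such as a single 40-49 year-old man would otherwise single
    out a participant even though no name appears in the table.
    """
    counts = Counter(tuple(rec[f] for f in group_fields) for rec in records)
    return {cell: (n if n >= min_cell else None) for cell, n in counts.items()}


if __name__ == "__main__":
    data, key = split_identifiers(SAMPLE_RECORDS)
    # 'data' is what goes to the analysis server; 'key' stays separate and encrypted.
    report = aggregate_report(generalise(data), ("age", "gender"), min_cell=5)
    for cell, n in sorted(report.items()):
        print(cell, n if n is not None else "suppressed (<5)")
```

On the sample, only the (20-29, F) cell with six records survives; the other three cells are suppressed. Suppression alone is not sufficient if marginal totals are also published: with a total of eight women reported, the suppressed (30-39, F) cell can be recovered by subtraction, so either the totals must be withheld, a second cell suppressed, or the bands made coarser before release.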
Identifiable information should be destroyed as soon as possible or in accordance with the terms of a Data Use Agreement.
Please note: ITSO has determined that non-Duke cloud services, such as Google Drive, Apple iCloud, and Dropbox, are not approved for official Duke use.
Files containing sensitive, individually identifiable data should never be sent as email attachments.
ITSO recommends first uploading data to Duke Box and then downloading it to the secure server where the data will be analyzed.
All file transfers must use an encrypted channel, such as SFTP (SSH File Transfer Protocol).