Sensitive, individually identifiable data must be protected during collection, transfer, storage, and reporting.
Information that if inadvertently released, could place the research subjects at risk of harm. Harms could be to a subjects’ relationships, status, employability, or insurability. Subjects could face criminal or civil prosecution, and in some cases, physical harm. The assessment of risk must take into account the culture, age, life experience and any other relevant characteristics of the subjects.
Individually identifiable information:
Data containing direct identifiers, such as subjects’ names and email addresses or data containing information about characteristics of the subjects that would allow others to deduce their identities.
- Position, gender, and length of service in a named company
- Age, gender, major, ethnicity, and year in school
Categories of information that are always considered sensitive at Duke:
- Any information protected by a Certificate of Confidentiality
- Protected Health Information provided by a hospital or clinic
- Data protected by a Data Use Agreement (DUA)
Some data providers require that a DUA be put in place even when the data are not individually identifiable; nonetheless, the data are considered sensitive.
Duke’s Information Technology Security Office (ITSO) has identified the following best practices for protecting individually identifiable sensitive data to prevent an inadvertent breach of confidentiality.
ITSO can be contacted directly at email@example.com.
ITSO will review all data protection and plans and will inform researchers and the IRB if any changes need to be made to the data protection procedures described in the protocol.
Data collection using online services should be conducted using a secure platform, such as Qualtrics.
The collection of data in the field should be done using encrypted mobile devices, for example, audio computer-assisted self interviewing using a tablet.
All data collected in the field should be transferred as soon as possible to a secure server at Duke.
If limited resources make it necessary to use pen and pencil surveys to collect sensitive data in the field, paper documents should be identified using a unique ID number, not the participants’ names. The key linking names to numbers could be taken into the field on an encrypted device.
When using mobile devices during data collection, the following are ITSO’s best practices.
- Must be encrypted, have regular software updates enabled, anti-virus software (Duke supports Symantec), password-protected screensaver, remote wipe and Prey software for anti-theft protection (https://security.duke.edu/services/whole-disk-encryption)
- Recommendation: local IT support should manage laptops involved in research
- Mobile devices:
- Must be passcode-protected or have fingerprint recognition enabled and have regular software updates enabled, encrypted
- Recommendation: use “Find my iPhone,” remote wipe, and Prey software for anti-theft protection
- Enable Duke multi-factor authentication service for Duke Box access
- Recommendation: keep offline and encrypted. (Refer to DUA regarding backup permissions.)
Approved storage for individually identifiable sensitive data:
- Protected Research Data Network (PRDN) with active Social Science Research Institute (SSRI) management and support (SSRI sets up and manages the environment)
- OIT Protected Network with active local (departmental) IT management and support
- (local IT sets up and manages the environment)
- Duke Box* with local IT consultation to set up secure data collecting, storing and sharing
- Light: local IT assists, as needed
- Active: local IT sets up (IT sets up project-specific Box account)
* Box is generally recommended for collection of data rather than ongoing analysis of data
Identifiers, data, and keys should be placed in password protected or encrypted files and stored in separate locations.
Identifiable information should be destroyed as soon as possible or in accordance with the terms of a Data Use Agreement
Files containing sensitive, individually identifiable data should never be sent as email attachments.
ITSO recommends first uploading data to Duke Box and then downloading it to the secure server where the data will be analyzed.
Any file transfer protocols must use encrypted channels, such as secure file transfer protocol (SFTP).
To reduce the risk of an inadvertent or intentional re-identification of data, the following strategies may be used:
- Reporting data in aggregate only with cells of a sufficient size to prevent indirect identification
- Depicting identifiers in general terms, for example, age or income ranges
- Using pseudonyms rather than names
- Using broad group identifiers such as “tradesperson” rather than carpenter
Creating misleading or vague identifiers, for example, saying that the research took place in a midsize city in Western Africa rather than identifying the city