Protecting Research Data
Both the Common Rule and FDA regulations require attention to the privacy of research subjects, including the confidentiality of data about them. HIPAA adds its own requirement for appropriate safeguards for most research data derived from health care records.
Data confidentiality requires a secure computing environment. If you keep your research data on a personal computer, it is essential to follow basic security steps like keeping it physically secured, updating your software to keep it current, using access protections such as individual passwords, and generally following secure computing practices.
Any data containing confidential, personal information related to business, financial, or medical transactions must be protected from loss, misuse, modification, and/or unauthorized access. This includes name, birth date, address, telephone number, social security number, personal photograph, amounts paid or charged in financial transactions, or account numbers.
A caveat to this definition is the release of student “directory” information, which includes a student’s name, address, telephone number, place and date of birth, honors and awards, and dates of attendance. Students can request non-disclosure of this information, in which case its release is not allowed.
Each department should have someone designated to be in charge of the protection of sensitive or confidential data. All employees who have access to sensitive or confidential data should be informed and trained about the protection of the data and should sign the Employee Confidentiality Statement.
For more information, please read OP-F-7, Policy on Safeguarding of Confidential Financial and Personal Information.
National Institute of Standards and Technology - Computer Security Resource Center (CSRC)
A good overall resource for information security materials
United States Computer Emergency Readiness Team (US-CERT)
Another good overall resource for information security materials
Educational course about conducting responsible data management