Protecting Research Data
Both the Common Rule and FDA regulations require attention to the privacy of research subjects, including the confidentiality of their data. HIPAA adds its own appropriate safeguards requirements for most research data derived from health care records.
Data confidentiality requires a secure computing environment. If research data is kept on a personal computer, it is essential to follow basic security steps, such as keeping it physically secured, updating software regularly, using access protections and individual passwords, and following general cyber-security safety practices.
Any data containing confidential, personal information related to business, financial, or medical transactions must be protected from loss, misuse, modification, and/or unauthorized access. This includes: name, date of birth, address, telephone number, social security number, personal photograph, amounts paid or charged in financial transactions, or account numbers.
A caveat to this definition is the release of student “directory” information, which includes a student’s name, address, telephone number, place and date of birth, honors and awards, and dates of attendance. Students can request non-disclosure of this information, which would prevent its use.
Each department should have a designated individual in charge of the protection of sensitive or confidential data. All employees who have access to sensitive or confidential data should be informed and trained about the protection of the data and should sign the Employee Confidentiality Statement.
For more information, please read OP-F-7 Policy on Safeguarding of Confidential Financial and Personal Information.
National Institute of Standards and Technology - Computer Security Resource Center (CSRC)
This is a good overall resource for information security materials.
United States Computer Emergency Readiness Team (US-CERT)
Another good overall resource for information security materials.
This is an educational course about conducting responsible data management.