Data security controls are intended to prevent unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of said data. Failure to implement data security controls could result in increased risk to subjects. As part of the application, the PI must demonstrate that all of the core data security control elements have been met. The core controls are:
Additional Required Data Security Controls (For sensitive data)
Sensitive Data: Protected Health Information, Personal Identifying Information, and Sensitive Information
(Borrowed from Guidance and Procedure: Data Security in Research, UCLA Office of the Human Research Protection Program (OHRPP), February 24, 2011)
An individual’s personal and health information that is created, received, or maintained by a health care provider or health plan and includes at least one of the 18 personal identifiers listed below in association with the health information:
Limited Data Set - a limited data set can include the following identifiers: a unique number, code, or characteristic that does not include any of the above-listed identifiers, geographic data (without street address), and/or dates.
Certain categories of sensitive information may require additional considerations due to regulatory or other requirements (e.g., FERPA and student information, GLBA and customer information, employee information, and donor information).
Other Sensitive Information
Note: Identifiers in combination with data about illegal behaviors, physical/mental health information, or other information that poses a risk to subject reputation, insurability, employability, or legal status will heighten the level of sensitivity and require additional corresponding security measures.