Data security controls are intended to prevent unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of said data. Failure to implement data security controls could result in increased risk to subjects. As part of the application, the PI must demonstrate that all of the core data security control elements have been met. The core controls are:
- All data collection and storage devices must be password protected with a strong password. A strong password is at least 8 characters long, uses 4 out of 4 character groups: UPPERCASE, lowercase, numeric and special characters and does not contain an easily-‐guessable mnemonic string.
- All data/research files must be encrypted.
- Identifiers, data, and keys should be placed in separate, password protected/encrypted files and each file should be stored in a different secure location.
- For secure data transmission, Transport Layer Security (TLS) (a.k.a. SSL), and a minimum key length of 128 bits must be used for any data that is transmitted electronically.
- Identifiers should not be stored on smartphones, laptops, Android and iPad tablets, flash drives or other portable storage devices. If it is necessary to use portable devices for initial collection of identifiers, the data files should be encrypted and the identifiers moved to a secure system as soon as possible. Additionally, the portable device should be locked up in a secure location when it is not in use. The PI should consult with their departmental IT Security Liaison to discuss how to correctly configure desktop computers, laptops, and other external devices for safe use in the collection and storage of research data.
- All communication with subjects or communication about data collected from subjects must be encrypted. This includes but is not limited to email, phone, chat, If using email for communication or to collect data from subjects in cases where such communication is not encrypted, include a statement to the subjects that email is not secure. If email will be used to transmit research data, subjects should be cautioned to respond only from email addresses to which only they have access.
- No protected health information should be transmitted via email.
- If utilizing any cloud-computing services, the PI should ensure that the company offering these services maintain military grade, FIPS 140-2 certified, AES 256-bit encryption for the data it stores. Recommend using Credeon for client-side encryption, to encrypt files prior to storing them in the cloud.
Additional Required Data Security Controls (For sensitive data)
- All data should be downloaded from local devices to a secure server (on premises or Cloud) as soon as possible and immediately encrypted.
- If data is held in on-premises servers, passwords should be built in at multiple levels on each server that is used for the collection and storage of research data (e.g. at BIOS and at login).
- The PI should delete or destroy identifiable information as soon as possible.
Sensitive Data: Protected Health Information, Personal Identifying Information, and Sensitive Information
(Borrowed from Guidance and Procedure: Data Security in Research, UCLA Office of the Human Research Protection Program (OHRPP), February 24, 2011)
An individual’s personal and health information that is created, received, or maintained by a health care provider or health plan and includes at least one of the 18 personal identifiers listed below in association with the health information:
- Name
- Street address
- All elements of dates except year
- Telephone number
- Fax number
- Email address
- URL address
- IP address
- Social security number
- Account numbers
- License numbers
- Medical record number
- Health plan beneficiary #
- Device identifiers and their serial numbers
- Vehicle identifiers and serial number
- Biometric identifiers (finger and voice prints)
- Full face photos and other comparable images
- Any other unique identifying number, code, or characteristic
Limited Data Set - a limited data set can include the following identifiers: a unique number code, or characteristic that does not include any of the above listed identifiers, Geographic data (without street address), and/or dates.
- Information about an individual which includes any of the identifiers below:
- Name
- Street address
- All elements of dates except year
- Telephone number
- Fax number
- Email address
- URL address
- IP address
- Social security number
- Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account
- Driver’s License numbers or other identification card number
- Device identifiers and their serial numbers
- Vehicle identifiers and serial number
- Biometric identifiers (finger and voice prints)
- Full face photos and other comparable images
- Any other unique identifying number, code, or characteristic (e.g., student identification number)
Certain categories of sensitive information may require additional considerations due to regulatory or other requirements (e.g., FERPA and student information, GLBA and customer information, employee information, and donor information).
Other Sensitive Information
- An individual’s first name (or first initial) and last name in combination with any of the following:
- Social Security Number
- Driver’s License Number or California ID card number
- Financial account information such as a credit card number
- Medical Information
Note: Identifiers in combination with data about illegal behaviors, physical/mental health information, or other information that poses a risk to subject reputation, insurability, employability, or legal status will heighten the level of sensitivity and require additional corresponding security measures.