Educause Security Discussion mailing list archives
rules for dealing with human subjects data
From: Karen Eft <kareneft () BERKELEY EDU>
Date: Wed, 23 Mar 2005 10:24:26 -0800
EDUCAUSE Security List, Our Vice Chancellor for Research Office has now issued this new interim policy for comments. -K.Eft
From: "Campus Administrative Memos, Chancellor's Communications & Resource Center" <CalMessages () berkeley edu>
To: "Campus Administrative Memos"
Subject: New Data Security Policy for Human Subjects Research
Date: Thu, 17 Mar 2005 18:00:41 -0800
--------

Deans, Directors, Chairs, and Senior Administrative Officers

The Committee for Protection of Human Subjects has just promulgated a new interim policy for the Security of Research Subjects' Personally Identifiable Data. Please find below the cover memo and text of this interim policy, which was sent to all faculty on March 17, 2005. It includes the policy document as well as a link to a white paper written in conjunction with the Faculty Senate's Committee on Computing and Communications that provides further background on this issue and suggests possible short- and long-term solutions. Please feel free to contact my office with any questions you may have about the new policy.

Sincerely,
Beth Burnside
Vice Chancellor for Research

______________________________________________________

To Human Subject Research Investigators:

Please send all comments on this policy in writing to: subjects () berkeley edu, or anonymous written comments may be sent by mail to the Director, Office for the Protection of Human Subjects, 101 Wheeler Hall #1340, Berkeley, CA, 94720.

The interim policy on the Security of Research Subjects' Personally Identifiable Data found below (and available at http://cphs.berkeley.edu/content/datasecurity.htm) is being issued jointly by the VCRO and CPHS in an effort to clarify their expectations of researchers engaged in human subject research. With this interim policy we are providing a 30-day response period for comments and/or concerns prior to revising and issuing a final policy document.

A white paper written in conjunction with the Faculty Senate's Committee on Computing and Communications that provides further background on this issue and suggests possible short- and long-term solutions is available at http://security.berkeley.edu/sec.trng.html.

The security of personally identifiable data is a very important issue, and researchers are instructed to take immediate and substantial steps to secure sensitive data now. The Committee for Protection of Human Subjects (CPHS) will be requiring all investigators with new protocols or active approved protocols to provide CPHS with more detail about what measures are in place for data security. In particular, the CPHS is concerned about electronic data that may be stored on personal or university-owned or -maintained machines at the time of initial approval or continuing renewal of those currently approved protocols. We recognize the wide range of identifiable information that may be collected as well as the variation between departments and schools with respect to information technology support, user skills, and knowledge of computer security measures. Thus, your input will help us finalize a policy that helps us reach our goal of better protecting the confidentiality of those individuals who participate as subjects in research without putting too onerous a burden on investigators and departments in terms of time or resources.

If you wish to provide feedback on this interim policy, please send written comments on this policy to: subjects () berkeley edu, or anonymous written comments may be sent by mail to the Director, Office for the Protection of Human Subjects, 101 Wheeler Hall #1340, Berkeley, CA, 94720.

Committee for the Protection of Human Subjects
Interim Policy on the Security of Research Subjects' Personally-Identifiable Data Held by Researchers

1. Policy Statement

People who volunteer to participate as subjects in research do so with the understanding that the researcher(s) will protect their identity and the information that is obtained from them from inadvertent or inappropriate disclosure. The principle that CPHS upholds in assessing the benefits and risks of the research - which may be reflected in a loss of privacy and confidentiality - is codified in the Belmont Report as Beneficence and is integral to the informed consent process. Therefore, all human subject research protocols must have in place an acceptable, effective and documented procedure for the protection of identifiable and/or confidential information before the protocol will be approved; granted continuing approval; or determined exempt from full review by the Committee for Protection of Human Subjects (CPHS).

2. Purpose

This policy exists to reiterate and clarify existing CPHS requirements for researchers to take appropriate data security measures to protect the identity and/or confidential information that may be obtained from or about living people when they participate as human subjects in research.

3. Scope

This policy applies to all human subject research reviewed by CPHS and conducted by or under the auspices of University of California Berkeley (UCB) faculty, graduate students, other affiliated researchers (investigators), or research conducted using UCB resources. The pertinent information or data containing personally identifiable information may be (or has been) collected or stored in any form such as electronic, digital, paper, audio or video tape. This information or data may be stored within computers or equipment that is privately owned, university-owned or -maintained, or reside on removable electronic media, in either case located either on university premises or elsewhere.

4. Definitions

A research data set constitutes a body of data elements collected in the course of research with living human beings.

Personal Identifiers within a data set are any data elements that singly or in combination can uniquely identify an individual, such as a social security number, name, address, demographic information (e.g. combining gender, race, job and location), or hospital-patient numbers.

A de-identified data set refers to data that has subsequently been stripped of all elements (including but not limited to personal identifiers) that might enable a reasonably informed and determined person to deduce the identity of the subject.

For research that requires that data elements later be linked to an individual's identity, the original data set may be partitioned into two data sets: a de-identified data set and an identity-only data set. The latter should contain any and all personal identity information absolutely necessary for future conduct of the research. For purposes of later merging the identity information with other research data, a researcher-assigned identity key (typically a randomly generated number) that is associated with and unique to each specific individual may be included in both data sets, and later be used to link identity data elements back to the de-identified data set. This identity key should not offer any clue as to the identity of an individual.

Secure location refers to a place (room, file cabinet, etc.) where a removable medium, computer or equipment holding data sets with personal identifiers resides, to which only the Principal (or lead) investigator has access through lock and key (either physical or electronic keys are acceptable). Access may be provided to other parties with a legitimate need, consistent with the policies below and as disclosed in the research protocol.

Secure data encryption refers to the algorithmic transformation of a data set to an unrecognizable form from which the original data set or any part thereof can be recovered only with knowledge of a secret decryption key.

5. Specific Policies

We recognize that not all research data sets can reasonably be de-identified (for example, an audio recorded interview in which a subject identifies him or herself). In this case, the original research data set must be considered an identity data set and treated accordingly. Identity-only data sets should always be stored a) in a secure location or b) in secure data-encrypted form.

5.1 Collect the minimum identity data needed and describe in the research protocol exactly what personally identifiable data elements will be collected; whether the data set will be de-identified, split into a de-identified data set and an identity data set, or neither.

5.2 De-identify data as soon as possible after collection and/or separate identifiable elements (create identity key, destroy raw data).

5.3 Limit access to the identity-only data set and store it in a secure (locked) location separate from data, or store it in encrypted form, or both. Encrypted form is the only acceptable storage for data stored in a computer or removable medium which is not permanently located in a secure location (e.g. a laptop computer or a removable disk which is to be carried in a briefcase) or for transmission across the network (for example as an email attachment).

5.4 The Investigator shall develop and disclose to CPHS a plan in writing as to what individuals will have legitimate access to an identity data set, either through access to the secure location key or to the decryption key. This plan must include provision for recovery of a lost decryption key, to ensure that a data set cannot be permanently lost.

5.5 When an identity-only data set is stored in a personal or university-owned or -maintained computer, investigators are strongly encouraged to ensure that this computer is professionally administered and managed. If this is not possible, investigators should disclose such, and provide CPHS with a plan for how the sensitive data will otherwise be secured. The opportunity for human error should be reduced through: a) limiting the number of people (both users and administrators) with access to the data and ensuring their expertise and trustworthiness; and/or b) using automatic (embedded) security measures (such as storing data on a non-volatile medium only in secure data-encrypted form) that are professionally installed and administered. If this computer is connected to the campus network or to the public Internet, the professional administrator of the computer shall ensure that it complies with all minimum standards for network and data security listed below.

5.6 For existing research data which is not stored in a manner compliant with the above policies, the lead investigator must take immediate steps to comply with these policies by April 1, 2005.

5.7 All new protocols and continuing renewals submitted as of April 1, 2005 must include for review and approval by CPHS a detailed plan for data security for all affected CPHS protocols.

6. Related Policies

* Minimum Standards for the Security of Networked Devices http://socrates.berkeley.edu:2002/MinStds/AppA.min.htm
* Security Standards for Restricted or Sensitive Data http://security.berkeley.edu:2002/DRAFTS/MSRestricted.htm
* (Provisional) Data Management, Use and Protection Policy http://dataintegration.vcbf.berkeley.edu
* UCOP Records Retention Policies http://controller-fs.vcbf.berkeley.edu/ResponsibilitiesGuide/HTML/RecordsRetention.htm
* Public Requests for Research Records http://www.spo.berkeley.edu/Procedures/records.html

7. Summary of the Acceptable Security Measures for Maintaining Personally Identifiable Information for Research Purposes

The level of security necessary is relative to the risk posed to the subject should personally identifiable data be inadvertently released or released as a result of malfeasance. In an effort to ensure best practice, it is always more desirable to have a higher level of security than to risk operating at a minimal standard. CPHS has the authority to decide if the security plan to protect subjects' confidentiality or anonymity is acceptable. For data that retains identifiers, the protocol must describe adequate administrative, physical and technical safeguards. Investigators are encouraged to consult with appropriate information technology and security experts, such as their system administrators, to develop appropriate data security plans when working with personally identifiable data.

8. Responsible Administrative Officer

Director, Office for the Protection of Human Subjects
101 Wheeler Hall, #1340
Berkeley, CA 94720-1340
510/642-7461

Last Revised: 3-9-05
--
=========================================================
Karen E. Eft
Information Technology Policy Manager
UC Berkeley
(510)642-4095
http://itpolicy.berkeley.edu
=========================================================

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
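The partitioning scheme the policy defines in section 4 and requires in 5.2 and 5.3 (a de-identified data set and an identity-only data set, linked only by a researcher-assigned random identity key), as an added Python example that is not part of the original message or of the Berkeley policy. The identifier field names, the sample records and the `partition`/`relink`/`leaked_identifiers` helpers are constructed for this illustration; encrypted storage of the identity-only set is left to a vetted library and not shown.

```python
import secrets
from typing import Callable, Dict, Iterable, List, Tuple

Record = Dict[str, object]

# Fields the (constructed) protocol declares as personal identifiers; the policy's own
# examples are social security number, name, address and hospital-patient number.
IDENTITY_FIELDS = ("ssn", "name", "address", "patient_number")


def new_identity_key() -> str:
    # Researcher-assigned key drawn from a CSPRNG: it carries no clue to the subject's identity.
    return secrets.token_hex(8)


def partition(records: Iterable[Record],
              identity_fields: Tuple[str, ...] = IDENTITY_FIELDS,
              keygen: Callable[[], str] = new_identity_key) -> Tuple[List[Record], List[Record]]:
    """Split one research data set into a de-identified set and an identity-only set.
    The two sets share only the random identity key assigned to each subject."""
    deidentified, identity_only = [], []
    for rec in records:
        key = keygen()
        identity_only.append({"identity_key": key,
                              **{f: rec[f] for f in identity_fields if f in rec}})
        deidentified.append({"identity_key": key,
                             **{f: v for f, v in rec.items() if f not in identity_fields}})
    return deidentified, identity_only


def leaked_identifiers(deidentified: List[Record],
                       identity_fields: Tuple[str, ...] = IDENTITY_FIELDS) -> List[str]:
    """Release check: identifier fields that still appear in the de-identified set (expect none)."""
    return sorted({f for rec in deidentified for f in rec if f in identity_fields})


def relink(deidentified: List[Record], identity_only: List[Record]) -> List[Record]:
    """Merge on the identity key; only a holder of the identity-only set can do this."""
    by_key = {rec["identity_key"]: rec for rec in identity_only}
    return [{**rec, **by_key[rec["identity_key"]]} for rec in deidentified]


# Constructed sample records, not real subjects.
SAMPLE = [
    {"name": "Subject One", "ssn": "000-00-0001", "address": "1 Example St", "age": 34, "score": 12},
    {"name": "Subject Two", "ssn": "000-00-0002", "patient_number": "H-42", "age": 51, "score": 9},
]

if __name__ == "__main__":
    deid, ident = partition(SAMPLE)
    print("leaked identifiers:", leaked_identifiers(deid))
    print(deid, ident, sep="\n")
```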