Re: rules for dealing with human subjects data

[Michael Sinatra <michael () RANCID BERKELEY EDU>]

Scott Bradner wrote:
> do any of you know of any specific rules for university-based researchers
> protecting data that involves personally identifiable info?
> I know that some data sources include security instriuctions with their
> data but not all do and that does not cover data generated by the
> researcher him/herself.
>
> e.g. "no computer that contains names matched with social security
> numbers can be connected to the Internet"  (so as to avoid things like
> http://www.aunty-spam.com/california-notifies-over-1-million-that-they-may-have-been-hacked/
> )

Hi Scott:

As we're the campus where the above-referenced hacking actually occurred
(the researcher and the data were from two different places, making
lines of responsibility even fuzzer :( ), the Human Subjects Committee
has drafted a policy to this end.  The policy draft isn't available, but
an excellent response by Prof. Dave Messerschmitt has been posted
publicly on the Academic Senate's Computing Committee web page
(http://www.eecs.berkeley.edu/~messer/Campus/COMP/).  Since it's readily
accessible and searchable via Google, I don't think it will be a problem
to post it here:

http://www.eecs.berkeley.edu/~messer/Campus/COMP/Docs/CPHS-policy-response.pdf

On the administrative side, we have a Data Stewardship Council
(http://dataintegration.vcbf.berkeley.edu/) and they have recently
publicly published a provisional policy regarding sensitive data on the
administrative side.  (This effort preceded the compromise you refer to,
but it was more geared toward administrative data rather than research.)

The full policy is here:

http://dataintegration.vcbf.berkeley.edu/documents/ProvisionalDMUP1.1.pdf


michael
Speaking for myself, not my institution.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.