Using Personal Identifiers

Data Security Measures When Using Personal Identifiers

  1. Avoid copying or downloading sensitive data from any administrative systems to your desktop computer, home computer, laptop, mobile device, portable storage device, etc. unless absolutely required.
  2. If downloading is unavoidable:
    1. Check to see if there are unnecessary confidential data variables included in the data set, such as Social Security Numbers. If so, then delete those data variables.
    2. Ensure that if you delete private information using a “track changes” feature, that you “accept all changes” and save your document in final form, not showing your markup.
    3. When possible, use a random study ID number to identify the data from each subject, and store the code or link in a location that is physically separate from the dataset itself.
    4. Encrypt the data
    5. Password Protect the data
    6. Physically protect devices that can be easily moved such as a laptop
    7. Use remote “Kill” functionality where possible.
  3. Never store your subjects’ personally identifiable information on your laptop, portable storage device, or any other device that can be lost or stolen. Instead, use a secure server.
  4. Never store unencrypted data on a portable device.
  5. If backing up data is required, ensure that backups are encrypted.
  6. Avoid accessing personal information from computers in hotels, business centers, or any other public access locations. Remove temporary files that are created when using the internet, such as those found in browser caches and temp files.
  7. If you need to use the original data collection forms and they contain personal identifiers associated with each subject, lock the originals away and use redacted copies.
  8. If you store hard copies in a file cabinet or desk drawer, you must lock that storage unit. It is also preferable to be able to lock the door of the room in which the data is stored. Since several different standard file cabinets may be opened with the same key, it is advisable to get an external security bars for each of your cabinets.
  9. Do not leave sensitive data unattended on a copier, printer or fax machine.
  10. Dispose of documents and disks securely; use a shredder.
  11. Ensure that your computer is sanitized as part of disposal.
  12. Promptly report lost or stolen devices.

Security Checklist

Data Security Checklist

There are administrative, physical, and technical controls available to help reduce risk and protect the confidentiality, integrity, and availability of research data. Below are some items that, if used, can help protect data and reduce the risk of data leakage.

Administrative Controls

  1. Read and adhere to Institution and School policies (JHU Policy) regarding Information Security.
  2. Document and manage additional data use policies as needed to mitigate risk of data leakage.
  3. Define and classify data in appropriately.
  4. Define Data Management Roles and assign to clients.
  5. Establish and adhere to Data Use Agreements, Confidentiality Agreements and Ethics Statements.
  6. Develop a Data Security Plan, and review and modify as needed during the life-cycle of the data.
  7. Develop Disaster Recovery and Business Continuity Plans. This should include definitions for Recovery Time Objectives (RTO) which is how quickly the data must be restored before the business is adversely affected as well as Recovery Point Objectives (RPO) which is how much data can we afford to lose before the business is adversely affected.  This should help to establish the frequency of backup schedules.
  8. Learn and teach others about the level of sensitivity for the data being handled in your area and which guidelines should be followed as well as which legal regulations apply to this type of data Physical Controls.
  9. Ensure that your electronically stored data is managed and maintained by a professional administrator or staff certified in the latest technologies, industry standards, and best practices.

Physical Controls

  1. Identify data storage location(s)
  2. Provide access controls such as locks & keys, and card swipes, etc.
  3. Address environmental protection (power, cooling, fire)
  4. Identify surveillance (cameras or guards) requirements
  5. Utilize data destruction program when disposing of electronic data storage devices that may have contained restricted data.
  6. Provide secure storage for backups of restricted data in safes or secure offsite storage service providers.
  7. When possible utilize professionally managed and maintained data centers for the housing of restricted data.

Technical Controls

  1. Anti-Virus Software: Ensure the latest version of Anti-Virus Software is installed on all computers that may contain restricted data. Ensure that anti-virus signature updates are applied regularly. Participation in an enterprise managed anti-virus service is encouraged to automate this process where possible.
  2. Personal Firewall: Personal firewalls are capable of basic filtering and tuning to provide additional protection. Some operating systems have native firewall solution (MS Windows Firewall) or third party firewalls can be utilized.
  3. Operating System (OS), Hardware and Application Updates: As new flaws in OS, hardware and application code are discovered, operating system and application vendors develop patches to address the issues. It is crucial that patches be applied to mitigate risks associated with these flaws.  Participation in an enterprise managed update service is encouraged to automate this process where possible.
  4. Account Management: Many operating systems allow for local and administrative accounts to be created. It is recommended that unnecessary accounts be removed and that administrative accounts be modified. For administrative accounts should be renamed (not deleted) and strong passwords should be used.
  5. Enterprise Authentication: All Clients who need access to the data should be managed through an enterprise authentication and authorization System. Clients’ access to the data should coincide with the Data Management Roles defined by the Data Owner.
  6. Services: Computers and Servers that house restricted data should have unnecessary services and applications removed or uninstalled from the system. Unnecessary services and applications may waste computing resources and present addition risk to restricted data.
  7. Vulnerability Scanning: Software tools can be used to detect common security vulnerabilities including missing updates, at risk applications or services, and account information.
  8. Encryption: Install encryption technologies on electronic data storage devices that may contain restricted data.
  9. Remote Tracking & Destruction: Remote tracking or remote data destruction of stolen laptops can be accomplished through the use of remote “kill” technologies.  Logging and Auditing: Monitoring access can be accomplished through the use of Audit collectors.  These tools can monitor, aggregate, and report on security log information.
  10. Backup Data: Copies of restricted data can be made for disaster recovery and business continuity purposes. The frequency of backups is dictated by RTO and RPO values.  Backups may be stored on different electronic media and may be housed onsite or offsite.  Backups to portable data devices must be encrypted.
  11. Screen Saver Timeout: It is recommended that systems that access restricted data have password protected screen savers enabled and set to activate with no less than 15 minutes of inactivity.

Additionally, JHU Data Management Services fosters data management best practices by providing guidance, education and training and offering data archiving and sharing services in support of researcher, institution, and funder goals. Please email a consultant at datamanagement@jhu.edu for help with your research data management needs.