Hi, We are Teresa Doksum and Sean Owen, from the Abt Associates Institutional Review Board (IRB). Teresa is a health services researcher and IRB Chair. Sean is an information security expert and Director of Abt’s Client Cybersecurity Center. We review large-scale evaluations of government programs in the fields of health, education, social policy, housing, and criminal justice.
We know how much sensitive data (e.g. personally identifiable information, medical records, school records) is often collected and how many steps it travels before reaching its final destination. We use our combined expertise to help Abt evaluation teams understand how easy it is to comply with data security laws and regulations, which increasingly include penalties for lost or stolen data. But a more important incentive for protecting sensitive data is to maintain the trust between evaluators and participants.
Hot Tips:
These tips serve as a starting point for evaluators handling sensitive data. To learn more, come to our AEA Conference Workshop: “Data Security Survival Skills for 21st Century Evaluators”.
- Evaluation Design
- “Minimum necessary:” Plan to collect only the data needed to address the evaluation questions; if identifiers are not needed, don’t collect them.
- “Need to know:” Share only the data that your colleagues, inside and outside your institution, need to do their job.
- “Ounce of prevention…:” Map out, in the form of a data security plan, who will have which data, how it will get to them, and where/how it will be stored.
- Data Collection
- “Keep ‘em separated:” Use study ID numbers and keepreal identifiers separate from sensitive data while in transit and in storage.
- “Encrypt it:” Encryption addresses lots of security challenges so use it for laptops, smartphones, thumb drives. However, it’s not a silver bullet, so still use our other tips.
- “Email oopses:” Avoid email to transmit sensitive data—use alternatives such as a secure file transfer portal.
- Reporting and Close Out
- “Protect your sources:” Ensure evaluation reports do not include information identifiable to an individual and minimize risk of re-identification.
- “Avoid data sprawl:” Collect all data from all evaluation team members and securely archive it in one place.
- “Don’t need it? Destroy it:” Once identifiers are no longer needed, destroy them.
Rad Resources: For evaluations that collect health or school records, check out these sites for summaries of HIPAA (http://privacyruleandresearch.nih.gov/healthservicesprivacy.asp) and
FERPA (Family Education Rights and Privacy Act): http://www2.ed.gov/policy/gen/guid/fpco/index.html). They summarize the regulatory requirements for consent and data security and include training slides.
This contribution is from the aea365 Tip-a-Day Alerts, by and for evaluators, from theAmerican Evaluation Association. Please consider contributing – send a note of interest to aea365@eval.org. Want to learn more from Teresa and Sean? They’ll be presenting as part of the Evaluation 2013 Conference Program, October 14-19 in Washington D.C.
I would add that a data security educational materials and training curriculum should be developed for staff handling sensitive data. Everyone handling data should know what is sensitive and what is not sensitive and how to handle it.