The handling of sensitive data requires not only secure storage and data transfer protocols but also that hardware be properly secured through device encryption.
The level and type of safeguards recommended for sensitive data is determined by the type of data collected for research purposes. The UC San Diego office of Research Affairs Information Technology provides guidance for research using sensitive data on the Guidelines for Handling Sensitive Data Blink page. Sensitive data can include protected health information (PHI) and personal identifiable information (PII). As there can sometimes be uncertainty in determining what information is considered sensitive data, the UC San Diego Human Research Protections Program provides a listing of elements considered to be person identifiable as outlined in their UCSD HRPP De-identified Health Information Factsheet.
Guidelines to consider when sensitive data is stored or collected on local and portable devices:
- Full disk encryption (FDE) is required on all UC San Diego owned laptops and is recommended for personal laptops that are used to access UC San Diego information
- Devices used for data collection should be protected by a strong password, or PIN.
- Each user with access to the device should have a unique password/PIN.
- Passwords and PINs used for device access should never be shared.
- Devices should be kept with the owner/assigned user at all times.
- When not in use, the device should be stored in a secured (locked) location with limited access.
Contact Information:
Health Sciences Information Services (IS): to ensure that all devices are in compliance with the established protocol with Health Sciences.
- Their Service Desk team is available to provide expertise regarding tools for integrating security tools and device encryption - Contact them at 3help@ucsd.edu or 619-543-4357.
Contact the UC San Diego Institutional Review Board (IRB) (Human Research Protection Program (HRPP)) with questions about your specific research.