The handling of sensitive data requires not only secure storage but also requires that hardware be properly secured through device encryption. The level and type of safeguards recommended for sensitive data is determined by the type of data collected for research purposes. The UCSD office of Research Affaires Information Technology provides guidance for research using sensitive data on the Guidelines for Handling Sensitive Data blink page. Sensitive data can include protected health information (PHI) and personal identifiable information (PII). As there can sometimes be uncertainty in determining what information is considered sensitive data, the UC San Diego Human Research Protections Program provides a listing of elements considered to be person identifiable as outline in their UCSD HRPP De-identified Health Information Factsheet.
We've outlined a few best practice guidelines for your consideration when using sensitive data stored on local and portable devices below.
- Devices used for data collection should be protected by a password or pin.
- Each user with access to the device should have a unique password/pin.
- Device usage should be restricted to data collection via the HIPAA compliant app/tool.
- Passwords and pins used for device access should never be shared.
- Device should be kept with the owner/assigned user at all times.
- When not in use, the device should be stored in a secured location with limited access.
For UC San Diego Health Sciences researchers, we advice you to reach out to Health Sciences Information Services (IS) to ensure that all devices are in compliance with the established protocol with Health Sciences. Their Service Desk team is available to provide expertise regarding tools for integrating security tools and device encryption - Contact them at 3help@ucsd.edu or 619-543-4357.