Email iuswdataSensitive Data
Data can be considered “sensitive” for many reasons. Human subjects research is often restricted to protect study participants; medical data may be subject to laws such as HIPAA; and research critical to national security might fall under Export Control laws. Below, we provide resources to help manage sensitive data.
General Resources
- “What is sensitive data, and how is it protected by law?”
- Protecting Data: a general guide to sensitive data, which includes considerations of data storage locations, who is granted access to critical data, and how to handle accidental data loss and exposure.
- How to Encrypt e-PHI [sensitive] Data: a guide to encrypting sensitive data at IU, across multiple operating systems. Covers encryption for stored data and data transfers.
- Securely Removing Data
Human Subjects Data
- Data Management Guidelines, Standard Operating Procedures for Research Involving Human Subjects (pp. 46-57): The single most important guide to managing human subjects data at IU. Includes requirements for data safeguards, collection, retention, and destruction. Also outlines data ownership rights and responsibilities.
Human Subjects Policies & Procedures: A more general list that includes statewide policies that affect IU research.
QualAnon: Qualitative Data Anonymizer (QualAnon) is an online tool designed to help strip sensitive information from qualitative data.
- NIH Data Sharing Policy and Implementation: Includes suggestions for storing and sharing sensitive research, as well as data management plan examples that conform to the NIH requirements.
Storing Sensitive Data
A full list of HIPAA-aligned (and therefore considered reliably secure storage for many other types of sensitive data) UITS technologies can be found on the Knowledge Base. See also Section 2.10 (pp. 53) of the SOPs for Research Involving Human Subjects.
Limiting Access to Sensitive Data
Generally, administrative and physical safeguards are the best means of limiting access to sensitive data. Carefully selecting who has the rights to access data and training those who do have access are good basic ways to set administrative safeguards. Physical safeguards such as locked storage and access tracking for physical spaces are important to consider when dealing with physical samples or other kinds of analog data. For more information, consult the IU SOPs for Research Involving Human Subjects (pp. 51-52).
Informed Consent and Data Sharing
Sensitive data may be shared in certain cases, most notably when it has been de-identified or when subjects have given approval to share their data by way of Informed Consent. Note that such sharing must conform to IRB guidelines. Contact the IRB for more information.
Data Subject to Export Control
The export control regulations are designed to prevent the proliferation of technologies that are "dual use" i.e., those that may be used for both civilian and military/terrorism purposes. Research can sometimes fall under these restrictions. As export control regulations are complicated, the university urges you to contact the Office of Research Administration if you have any questions or concerns.
- Indiana University Compliance Services, Export Control: A basic guide to policy and procedure related to export controlled research and products.
- Safeguarding Export Controlled Data (California Institute of Technology): An excellent guide to issues in managing and working with export controlled data.
