Recommended Practices for Safeguarding Access to Confidential Data
OSHPD has requirements in addition to the CPHS requirements. These requirements apply to all researchers, their contractors and subcontractors.
If the researcher demonstrates that he or she is unable to comply with any of the requirements below, the researcher may request an exception from these requirements. An exception will only be granted if the researcher can demonstrate that adequate alternative measures have been taken to minimize risks so as to justify the exception.
- Researchers must state whether data/samples will be destroyed or returned as soon as they are no longer needed for the research.
- Researchers must provide proof of destruction to OSHPD certifying data has been destroyed or returned.
- The researcher must provide a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonable anticipated threats to the security or confidentiality of the information.
- The researcher must provide a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.
- The researcher must provide sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.
- All research staff with access to data shall have training on Privacy and Data Security. Research teams shall hold any confidentiality statements related to general use, security, and privacy for the full term of the research project.
- Researchers should have proper vetting either through reference checks or background checks for any person who has access to data.
- Researchers should ensure that data will not be provided to any unauthorized person or reused for any purpose other than what was originally approved.
- Researchers shall take appropriate precautions to ensure that data cannot be used to personally identify individuals.
- Researchers must request an alternative to SSN for unique identifiers.
- All data requested shall only be the minimum data needed to complete the study.
- Access to the data will be limited to those with a need for evaluation or implementation of the data.
- OSHPD requires that no cell of 15 or less (and no statistic based on a cell of 15 or less) may be used when reporting aggregate data.
- If the data set is to be linked with any other data sets, identify all data sets and each of the variables to be linked, with justification for each. If there is an extensive list, include the list as an attachment, in the Attachment Section.
- If an approved third party is being used to perform data matching, provide evidence of the third party’s ability to protect data, including the third party’s ability to comply with all the OSHPD data security
- Indicate that research records and physical samples will be protected through the use of locked cabinets and locked rooms; data in paper form will not be left unattended unless locked in a file cabinet, file room, desk, or
- Sample data sets from OSHPD may not be retained.
- Describe how the data in paper form is disposed of through confidential means, such as cross-cut shredding or Reference NIST Guidelines for Media Sanitization NIST Special Publication 800-88 Revision 1.
- Describe how faxes with OSHPD data are secured in secure or non-secure areas.
- Describe how facilities which store data in paper or electronic form, have controlled access procedures, and 24-hour guard or monitored alarm
- Indicate whether identifiers will be stored separately from analysis
- Describe how all computers that contain data will have full disk encryption that uses FIPS 140-2 certified products.
- All data on removable media devices (e.g. USB thumb drives, CD/DVD, smartphones, backup tapes) will be encrypted with software which is a FIPS 140-2 certified product.
- Indicate how all workstations, laptops and other systems that process and/or store data have security patches applied in a reasonable time. What is the schedule?
- Explain how all transmissions of electronic data outside the secure internal network (e.g., emails, website access, and file transfer) are encrypted using software which is a FIPS 140-2 certified
- Describe how password controls are in place to protect data stored on workstations, laptops, servers, and removable media; passwords should be a minimum of 14 characters with at least one capital letter, one small letter, one number and one special character.
- Identify the antivirus security controls in place, by product name and current version.
- Indicate method of secure wiping, degaussing, or physical destruction to be used when disposing of electronic data in accordance with NIST Guidelines for Media Sanitization NIST Special Publication 800-88 Revision 1.
- OSHPD-provided data may not be published or made accessible on the Internet.