Data Security
Data security is important for making sure that your participants are not harmed through breaches in confidentiality or privacy. A data security failure can lead to compromised or lost data, researcher embarrassment and potential penalties (including legal penalties or litigation), as well as unwanted media attention directed at the researcher or Colorado College.
For both paper and electronic/online data, security must be considered during data collection, data transfer, the period that the data are in storage, data use, and data sharing where relevant. It is possible for someone to hack into your computer or other device, to steal a device, to steal data from servers, or to steal unencrypted data while it is being transmitted.
Important aspects of data security include:
- Coding data and removing identifiers, including keeping identifier information separate from the data if you need to maintain it at all; taking any other steps necessary to deidentify data
- Avoiding tracking IP addresses and, where possible, avoiding collecting them at all
- Encrypting data during transmission and transfer, and potentially while data are in storage
- Avoiding sharing or transferring data via email
- Avoiding storing identifiable data on public online services or commercial cloud storage devices (and, if possible, avoiding storing identifiable data on portable storage devices such as flash drives, laptops, or external hard drives, deleting data from such devices as soon as there is a secure backup elsewhere)
- Using a strong, unique password/PIN/passcode and password-protecting all data (including changing your password frequently)
- Making sure you have updated anti-virus protection and other security-related upgrades and patches for operating systems on any computers where you store or work with data
- Where appropriate, using a firewall when connected to the internet
- Destroying recordings as soon as transcripts are generated and their accuracy has been verified
- Turning off Wi-Fi and Bluetooth when not using them
- For especially sensitive data, finding out whether it is possible to remotely erase data on a device that has been lost or stolen
Because data security so often comes down to issues of identifying information, it is important to specify what that information is. Identifying information for social/behavioral/educational research can include the following, and potentially other identifiers as well:
- Names
- Geographic subdivisions smaller than the state
- Dates
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- URLs
- IP address numbers
- Full-face photographic images
- Any other unique identifying number or image
Data that have been deidentified effectively do not necessarily need to be destroyed or removed from devices. Your best security efforts begin with deidentification.
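As an added illustration (not part of the original guidance), the Python example below codes a small constructed dataset: direct identifiers go to a separate key file, IP addresses are discarded entirely, and free-text answers are scrubbed for leftover email addresses and phone numbers. The column names, the sample rows, the code format, and the choice to reduce dates to the year are assumptions of this example.

```python
import csv, io, re, secrets

# Constructed sample export; column names are assumptions for this example.
RAW = """name,email,ip_address,interview_date,age_group,response
Ana Ruiz,ana@example.org,203.0.113.7,2023-04-02,25-34,Call me at 719-555-0142 if needed
Ben Ode,ben@example.org,198.51.100.9,2023-04-05,35-44,No concerns about the study
"""

KEY_FIELDS = ["name", "email"]   # kept only in the separate key file
DROP_FIELDS = ["ip_address"]     # never retained anywhere
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")

def scrub(text):
    """Redact emails and US-style phone numbers left in free text."""
    return PHONE.sub("[PHONE]", EMAIL.sub("[EMAIL]", text))

def deidentify(rows):
    """Return (coded_rows, key_rows); the two must be stored separately."""
    coded, key, used = [], [], set()
    for row in rows:
        code = "P-" + secrets.token_hex(4)   # random, not derived from identity
        while code in used:
            code = "P-" + secrets.token_hex(4)
        used.add(code)
        key.append({"code": code, **{f: row[f] for f in KEY_FIELDS}})
        out = {"code": code}
        for field, value in row.items():
            if field in KEY_FIELDS or field in DROP_FIELDS:
                continue
            if field == "interview_date":
                out["interview_year"] = value[:4]   # generalize date to year
            else:
                out[field] = scrub(value)
        coded.append(out)
    return coded, key

def residual_identifiers(coded_rows):
    """List (code, field) pairs in the coded data that still match a pattern."""
    return [(r["code"], f) for r in coded_rows for f, v in r.items()
            if f != "code" and (EMAIL.search(v) or PHONE.search(v))]

if __name__ == "__main__":
    coded, key = deidentify(list(csv.DictReader(io.StringIO(RAW))))
    print(coded)
    print("residual:", residual_identifiers(coded))
```

The key rows are the only link between a code and a person, so they belong in a different, more tightly protected location than the coded data, or should be destroyed if the link is no longer needed.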