Workshop: How to Protect Sensitive Data: Tools for Researchers and Programs
(Tools of Analysis: Methods, Data, Informatics and Empirical Design)

Thursday, November 6, 2014: 2:45 PM-4:15 PM
Laguna (Convention Center)

Workshop Organizers: Teresa Doksum, Abt Associates, Inc.
Presenters: Sean Owen, Abt Associates, Inc.

To address increasingly complex public policy challenges, researchers and evaluators need to collect a broader range of sensitive information about program participants, such as medical conditions, mental health status, disabilities, substance abuse, sexual risk behaviors, family planning, criminal behavior, finances, and sexual orientation. Protecting sensitive information requires strong partnerships among a multi-disciplinary team of researchers, program managers, federal agencies/funders, and information security experts. These partners need to build feasible processes to 1) assess the sensitivity of the data, 2) identify applicable regulatory requirements such as the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), and the Family Educational Rights and Privacy Act (FERPA), and 3) develop the security procedures needed to protect the data from the beginning to the end of the study. Our institution has developed a multi-disciplinary team consisting of researchers, the Institutional Review Board, information security, information technology, contracts management, and legal counsel. With this team, we developed study data security procedures that are implemented, not just supported, by the researchers themselves. This has increased both the protection of sensitive data and the acceptance of security as necessary to sound public policy research. The purpose of this interactive workshop is to demonstrate how to use our data security plan template to develop a plan to protect data at all phases of a study. The example we will use with participant input will be a mixed methods study that includes primary data collection (quantitative and qualitative) and administrative data obtained from programs and public agencies via data use agreements.
Major steps in the data security plan that will be covered include: 1) Identifying the minimum data needed to address the research questions, 2) Identifying which partners (e.g., researchers, program staff) will need to handle sensitive data, 3) Identifying requirements for the data (e.g., FISMA, HIPAA, FERPA), 4) Training and monitoring needed for partners handling data, 5) Data transfer and storage options, 6) Closeout procedures, such as destruction, secure archiving, and minimizing disclosure risk in datasets that will be shared (i.e., public use/restricted use datasets), and 7) Monitoring and incident response/remediation. In addition to the data security plan template, participants will receive a guidebook that includes basic data security principles distilled from security regulations, and a list of technologies for secure data transfer and storage. These resources are relevant for large and small teams of researchers in the U.S. and overseas. Researchers, program staff, and policy-makers/federal agencies can adapt the data security plan template and process based on their roles in program evaluation/research to protect the sensitive information of program participants and maintain their trust.