According to OU's Information Security Policy (policy 860), confidential research data includes (but is not limited to) "information related to a forthcoming or pending patent application, grant applications and proposals, information related to human subjects." If you are working with human subjects, your data is confidential and needs to be stored more securely to protect the privacy and confidentiality of your study participants.
Digital confidential data
- GrizzFiles (https://grizzfiles.oakland.edu/) is the only approved storage location for confidential data (other than local storage such as a desktop computer). GrizzFiles provides both at-rest and in-transit encryption. Cloud services (Dropbox, Box, etc.) should not be used for confidential data.
- You can access GrizzFiles by following these instructions. This will allow you to easily access and save documents in GrizzFiles.
- Password protect files and use a password manager to generate strong passwords
- Don't put confidential data on the internet or in email
- Encrypt all files and devices that access confidential data
Physical confidential data
- Store data in a locked building, office and/or filing cabinet/drawer
- Create a log system to track who accesses the data
- Limit transportation to only essential circumstances
Sharing confidential data
Confidential data must be de-identified prior to sharing publicly (i.e. both direct and indirect identifiers need to be removed).
ICPSR (Inter-university Consortium for Political and Social Research) is an excellent option for sharing confidential data that both has and has not been de-identified.
- De-identified datasets are reviewed by ICPSR data processors prior to being made publicly available to ensure that they have been fully de-identified.
- Some datasets can not be de-identified without significantly reducing their research potential. In this case, ICPSR accepts confidential data but does not make it publicly available online. They have several levels of access that restrict how the data can be accessed.
Preserving and destroying confidential data
After a research project, take steps to preserve confidential data in a secure, controlled-access environment. De-identified data can be preserved in a data repository. To destroy confidential data, work with your departmental IT to ensure that these files are deleted from your storage media.