University of Texas Libraries

How to Work with Sensitive Data

Managing Sensitive Data

Key Practices

  • Develop: A clear informed consent form and a workflow for how you will work with sensitive data.
  • Collect: Only what you need.
  • Encrypt: Encrypt sensitive data to protect against unauthorized access.
  • Access control: Implement role-based permissions to ensure that only authorized personnel can access sensitive information.
  • Anonymize data: For datasets containing personal or sensitive information, use anonymization or de-identification techniques to protect individual identities.
  • Aggregate data: In situations where anonymization doesn't make sense, aggregation may conceal individual data.
  • Conduct audits: Conduct security audits and assessments to ensure that data handling practices comply with current regulations and best practices.
  • Use secure storage: Know the level of security of cloud storage and backup locations.

Accessing existing sensitive data

In some fields, reusing existing sensitive data may be a common practice. If you are accessing sensitive data from a third party and storing it either on a local server or a cloud server, you must adhere to any policies set out by that third party. For example, any researcher who wants to access controlled-access NIH data "will attest to NIH that their institution is compliant with NIST SP 800-171."

Other repositories and data platforms may have different sets of policies, terms and conditions, and other regulations that are legally enforceable. For example, the Qualitative Data Repository (QDR) requires potential users to submit a specific request form. For 'medium' sensitivity data, QDR requires that "users submit a data security plan describing how the data will be stored securely locally, how access will be regulated, and how the data will be destroyed once analysis is complete. Further, an agreement signed by both the user and an Authorized Institutional Officer from the user’s home institution, as well as approval from the Institutional Review Board at the user’s home institution, are required before the restricted data can be downloaded."

The University of Texas at Austin Research Data Center (UT Austin RDC) is part of the Federal Statistical Research Data Center program run by the U.S. Census Bureau. The UT Austin RDC is a branch of the Texas A&M RDC. The UT Austin RDC provides qualified researchers the opportunity to perform statistical analysis on non-public microdata from the Census Bureau, National Center for Health Statistics (NCHS), Agency for Healthcare Research and Quality (AHRQ), Bureau of Labor Statistics (BLS), and Bureau of Economic Analysis (BEA). Learn more about what RDCs offer here. This is restricted data, so you must propose a research project before you can access it. You must also fill out multiple forms, provide fingerprints, and go through a background check. Then, you must do your work at the RDC, which provides a secure computing environment.

Storing sensitive data

Sensitive research data cannot be stored just anywhere, regardless of whether that location is secured through means such as private access, passwords, or physical locks and regardless of whether anyone else has access to it. For example, researchers should not be storing physical copies of sensitive data in their personal residence, regardless of what home security measures are in place. As data are increasingly created in digital formats and often stored in the cloud, the Information Security Office has created a set of resources to provide guidance to researchers on appropriate and inappropriate cloud storage platforms for storing sensitive data. Researchers should always strive to use university resources (e.g., UT Google Drive instead of personal Google Drive) and avoid use of broader commercial solutions (e.g., iCloud, Dropbox).

Resources for Managing Sensitive Data

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 Generic License.