Data Security Levels

The security levels address matters of data integrity, availability, and confidentiality.  Each level has corresponding security requirements that are informed by University policy. Additionally, recommendations for a security plan are included and applicable to both paper and electronic records.  Except where there are specific legal requirements, the IRB has the authority to approve a variance of security requirements if the requirements would otherwise inappropriately affect the conduct of the research and if alternate methods will provide adequate protection of confidential information. Depending on your study, there may be other university-level requirements. If you need assistance with meeting security requirements, or have questions or seek clarification, please contact your Departmental Computer Administrator (DCA), or the Office of Information Security.

 Click levels for more information

Breach of confidentiality poses what level of risk?:

No Risk

Minimal Risk*

Greater than Minimal Risk

Data and/or subjects are:

 

De-Identified or Anonymous

 

Level 1

Level 1

Level 2

 

Identifiable or
Coded

 

Level 1

Level 2

Level 3

Depending on the target population, a breach of confidentiality may pose varying levels of risk. Additionally, there is potential for a breach of confidentiality or accidental disclosure of information whenever the identities of the participants are known to the researchers. Breaches of confidentiality may include the following:

  1. The participant being identified as part of the study by someone other than the study team
  2. The participant’s responses being connected to their identity by someone other than the study team
  3. The identity of the group of participants being disclosed despite a plan that the group would not be identified (e.g., a specific tribe, all student athletes at Oregon State, employees of a particular organization)

Examples per Risk Levels:

Greater than minimal risk: A study involving interviews with users of illegal drugs.

Minimal risk*: Interviews and observations of families experiencing food insecurity.

No risk: Surveys of personal opinion about trails available for hikers.

*45 CFR 46.102 (Office for Human Research Protections Regulations)

(i) Minimal risk means that the probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests.

Data Security Decision Tree