Type of Data

Information that could cause harm to an individual if disclosed, including, but not limited to, risk of criminal or civil liability, psychological harm or other injury, loss of insurability or employability, or social harm to an individual or group.

Examples

 Greater than minimal risk/identifiable:

  • Oregon community college instructors will be approached to participate in an in-person interview. The interview will include questions regarding the barriers they face in working with their administration to better serve the student body.
  • Flyers are posted in a drug rehabilitation clinic requesting that clients contact the researcher if they are interested in participating in an interview. The interview will include questions about illegal drug use and private health information. The researcher has a certificate of confidentiality from the NIH.

Security Requirements

  • Information should be shared and stored in a manner that provides access only to authorized individuals.
  • Data may not be disclosed to additional parties without prior IRB approval specifically authorizing the disclosure.
  • If information is stored on a computer, the system should have fully patched operating systems and applications, and current antivirus software with current virus definitions.
  • When feasible, information should be stored in a local system of record (e.g., local server, approved cloud).
  • All mobile computer systems or portable storage media must be encrypted with at least the 256-bit encryption common in operating systems and encoding devices sold in the United States.
  • If the data are coded, and there is a linked list of codes and identifiers, this list should be stored separately from all coded data.
  • Identifiable information should not be stored on student researchers’ computers after the study has ended.
  • Data security plans for systems storing Level 3 data must be reviewed by the Information Security Office.
  • Computers must have host-based firewalls enabled in addition to being behind a networked firewall context.
  • A plan for routine back-ups of all data must be in place, with the appropriate security mechanisms for that data, including encryption and physical security addressed.