Level 2

Type of Data

Individually identifiable information that, if disclosed, could reasonably be expected to be damaging to a person's reputation or to cause embarrassment.

Examples

 Minimal risk/identifiable:

  • The researcher will interview community college employees at one institution in Oregon. The questions will gauge their interest in increasing and supporting diversity across campus employees.
  • A drug rehabilitation clinic posts a flier in their facilities requesting that clients contact the researcher to participate in an interview. The interview will ask questions about how many times the client has started a rehabilitation program, how many times they have completed programs, and their opinion about different counseling styles that they have experienced.

Greater than minimal risk/anonymous:

  • An online Qualtrics survey will be sent out to community college instructors across the country. The survey will include questions regarding the barriers that they face in working with their administration to better serve the student body. Data anonymization is turned on in Qualtrics so that no IP addresses are captured.
  •  A drug rehabilitation clinic sends out a Qualtrics survey to previous clients on behalf of the researcher. The survey includes questions about past illegal drug use and private health information. Data anonymization is turned on in Qualtrics so that no IP addresses are captured. The researchers will not have access to names or email addresses of clients, and the only demographic questions asked are age range, gender, and ethnicity.

Security Requirements

Information should be shared and stored in a manner that provides access only to authorized individuals. Data may not be disclosed to additional parties without prior IRB approval specifically authorizing the disclosure. If information is stored on a computer, the system should have fully patched operating systems and applications, and current antivirus software with current virus definitions. Information may be stored on approved cloud servers. The data security plan must be reviewed by the Information Security Office if the data security category is level 2 and the data are stored in a cloud-based server, unless the server is licensed by OSU. A plan for routine back-ups must be in place.

Security Recommendation

Computers should have firewalls in place.