Data Management and Security Questionnaire
Collecting Sensitive and Identifiable Data
- What is the nature of the data?
- Electronic (text, audio, video, binary), hardcopy files, or biological specimens?
- Do the data contain protected health information, personal identifying information or other sensitive information? If yes, please precisely describe what these are.
- Are identifiers retained and linked to the data? Who will have access to the data? Who will have access to the identifiers?
- Are the data stripped of identifiers and the identifiers destroyed (anonymized data)? When will this take place?
- Are identifiers de-linked from the data and managed by use of a code? How are the identifiers, data files and key managed and secured? Who will have access to the identifiers, data files and key?
- Where and how will the data be stored and what security measures will be used for each?
- Personal computer or laptop? University computer or laptop; location? Office file cabinet? Thumb/jump drive? Departmental or other U-M server; name and/or location?
- What security measures will be used with each (password protection, encryption, locked file cabinet in a locked office, 128-bit encryption, etc.)?
- Who will have access to the computer, laptop, server, or files?
- How will data be transmitted or transported?
- How will electronic files be transmitted? What measures are in place for secure transmission of data?
- How will hardcopy files be transported?
- How are the files and data protected while in transmission or when transported?
- When and how will data or records be deleted or destroyed?
- Will cloud-computing resources be used?
- What is the resource and what is the privacy policy for the resource?
- Will online data collection services be used?
- What is the service/host? How is the survey accessed? How are data accessed by the study team? Will any non-secure services be used to access, collect, or transmit data (e.g., public portals, administrator logins, public Wi-Fi networks, or public computers)?
- How are data moved/transmitted from the online host to the local storage device (computer, laptop, server, thumb drive, etc.)?
- Will the data be purged from the online host once downloaded to the local device? How and when?
- If the data are identifiable and sensitive, are confidentiality agreements in place with outside consultants or vendors?