Sensitive Research Data
Data can be considered "sensitive" for several reasons, including, but not limited to, the following.
- Data is personally identifiable and/or reveals sensitive information about a person. Examples include research subjects participating in a psychology study; data that identifies individuals by name; data that Identifies individuals by demographic features such as zip code, age, or profession.
- Data is subject to regulatory requirements. Examples include grade or academic performance data which is subject to FERPA regulations; and medical record data which is subject to HIPAA regulations. Social Security Numbers are also very strictly regulated but are rarely used in research.
- Data is subject to an information security agreement as a condition of its use. Examples include data from national agencies such as the Census Bureau and the Bureau of Labor Statistics, which makes available the National Longitudinal Surveys (NLS).
- Data is a trade secret or may be anticipated to involve a trade secret or a patent or patent application.
Deciding how best to store and use sensitive data depends on a wide variety of factors, Including the kind of analysis you plan to do; the location of research assistants or collaborators; whether data needs to be collected in the field or comes from a data repository, etc. Your LSP can help you reduce the risk of accidental disclosure of sensitive data by taking into consideration best practices in data security and the particular needs of your research project. We want to help you come up with a plan for managing the data you need to carry out your research.
If you are interested in using data that is subject to an information security agreement, please contact your LSP for assistance.
Penn's Office of Privacy provides a website that offers comprehensive coverage of various data security and privacy concerns.
The Institutional Review Board (IRB) helps ensure that research involving human subjects is carried out with information security and privacy as a concern.
Sensitive Data and Third-Party Applications and Tools
Many services offered through the internet can make life much easier for researchers. But care must be taken that any Penn data stored in an Internet application (i.e., the “cloud”) has adequate contractual data protection.
- Penn+Box (see https://www.isc.upenn.edu/pennbox) is approved secure storage for most forms of sensitive information except for HIPAA-regulated data and SSN’s. The initial storage limit of 50 GB can be increased upon request with a budget code. Penn+Box allows researchers to share data with non-Penn colleagues securely.
- Qualtrics is a survey tool specifically designed for social science research. Penn has a contract with Qualtrics that protects our data, and it offers a lot of tools for customizing surveys.
- MyEmma provides email marketing. Our contract provides better protection than MailChimp or ConstantContact for email marketing.
If you are interested in using a third-party service for your research, but you don't see that service here, please contact your LSP. There might be a contract in the works, or a suitable alternative.
Third-Party SPIA Evaluation process
Another option is to request a third-party SPIA evaluation of the service to see if there information security protections are adequate to your needs.
Here are the documents that outline our process for evaluating third-party SPIA requests:
Don't be intimidated — our information security staff can help with this process. Please contact your LSP for more details.