



A list of questions to help investigators assess the adequacy of data protection mechanisms in place for a given study. It also identifies security issues and institutional policy requirements or recommendations, and is designed to assist investigators in ensuring the confidentiality and security of sensitive data. It provides definitions of terms such as device, sensitive data, protected health information, and personally owned devices. The document also provides guidance on how to handle on-boarding and off-boarding of study team members.
Background
This document is designed to assist investigators in assessing the adequacy of data protection mechanisms in place for a given study. Each department, or school, at the university has a Security Unit Liaison (SUL) that may be able to assist investigators with this guidance. A list of SULs by department is available at: safecomputing.IT Unit Security Liaison List (this link requires a U-M log-in). If you have any questions or concerns regarding data protection mechanisms, please contact your IT Unit Security Liaison.
Data Security/Confidentiality Screening Questions
The following questions are designed to help investigators compare their study practices with best practices. Additional questions identify security issues and institutional policy requirements or recommendations. ORCR reviews study precautions with the IRB-approved data security and confidentiality precautions in Section 11 of eResearch.
Term / Definition
Device
Per SPG 601.33, a device is defined as an object with the ability to engage in computational operations, including the accessing or storing of electronic data.
Sensitive Data
Per SPG 601.33, sensitive data is information whose unauthorized disclosure may have serious adverse effect on the University’s reputation, resources, services, or individuals. It includes information protected under federal or state regulations or subject to proprietary, ethical, or privacy considerations. (SPG) 601.33, Security of Personally Owned Devices That Access or Maintain Sensitive
Protected Health Information (PHI)
Per Michigan Medicine Policy 01-04-300, PHI is individually identifiable information about a patient that:
Personally Owned Devices
Per SPG 601.33, personally owned includes devices for which a user receives a university subsidy or stipend as well as those wholly owned by the employee.
Data Collection
Question / Answer / Policy/Guidance
Yes
No
Safe Computing: Examples of Sensitive Data by Classification Level
Direct MiChart access
Through Data Office
Other, please specify:
Safe Computing: Commonly Used Data Types in Research
Direct identification
Indirect identification
Anonymized
Other
It is a best practice to separate identifiable information from the research data. If research data will be maintained separately, the key or code should be stored separately from both the identifiable information and the research data.
Yes
No
If Yes, indicate the service and device used to capture data electronically:
devices or removable media, is it encrypted?
Yes
No
Policies:
Michigan Medicine Policy 01-04-50 requires all devices that store sensitive data to be encrypted.
How to encrypt:
U-M Safe Computing: Encrypt Your Data
File encryption with USB Drives
devices, such as laptops, thumb drives or other mobile devices?
Yes
No
If yes, describe what procedures are in place to ensure compliance with University policies and procedures on the management of sensitive data:
Policies:
regular basis?
Yes
No
Data Access
Question / Answer / Policy/Guidance
Access to data and files should be restricted to members of the study team.
On-boarding and off-boarding checklists and other research compliance resources are available on the Compliance and Integrity webpage.
Transferring files and/or exchanging study files (and emailing subjects)
Question / Answer / Policy/Guidance
Policies:
Michigan Medicine Policy 01-04-357: Email Communications Containing Protected Health Information (PHI)
SPG 601.07: Proper Use of Information Resources, Information Technology, and Networks
SPG 601.12: Institutional Data Resource Management Policy
Guidance:
MiShare: Secure transfer of files that contain sensitive data, including those that contain (PHI)
UMHS Compliance Office: HIPAA FAQ-Email, Fax, Text Messaging, and Web
Yes
No
NOTE: You are not required to have unit-specific policies or SOPs on computer security. See links that can assist you in
Policies:
SPG 601.25: Information security incident reporting policy
Michigan Medicine Policy 01-04-385: Receiving and Resolving Privacy Complaints
Guidance:
Report an IT Security Incident