Introduction
The Institute for Research on Poverty (IRP) receives and analyzes sensitive data about individuals as part of its mission to understand the causes and consequences of poverty and to gauge the efficacy of policies designed to combat poverty. IRP is committed to safeguarding the confidentiality of individuals and ensuring that no data are released to individuals or organizations not entitled to receive them.
This manual describes the precautions, policies, and procedures in place at IRP to maintain the strictest levels of confidentiality.
People at IRP whose research project authorizes them to access sensitive or restricted data are required to adhere to and uphold all of the policies within this manual. Principal Investigators (PIs) who manage people with access to this data are responsible for ensuring compliance with all of the policies within this manual.
Both those who access sensitive and restricted data and PIs whose projects use these data must complete the IRP Data Security and Access orientation process, which includes:
- reading the IRP Data Security Manual,
- completing the IRP Confidentiality and Data Security Agreement,
- completing required training as needed, such as UW CITI human subjects training and HIPAA training, and
- signing the SSCC Silo Access Agreement and reading the SSCC publication(s) on using computing resources, such as Silo and WinStat.
Data access is limited by project. Individual projects must obtain the support and/or approval of the State agency (or agencies) that owns and provides the data.
Access levels to confidential data at IRP
Employees at IRP whose work may authorize them access to IRP sensitive and restricted data belong to one of the following groups:
Data Scientists
IRP Data Scientists have the highest level of access to sensitive data at IRP; they provide research data (like the Wisconsin Administrative Data Core, WADC) to Researchers and Research Assistants for which the most sensitive personal identifiers have been removed or masked
Researchers and Research Assistants
Researchers and research assistants analyze the confidential data and produce results in which the data are aggregated; they generally do not require knowledge of individual identifiers.
CRD Data Collectors
Data Collectors collect and update case information from public records maintained at county courthouses to create the new cohorts of the Court Record Data Collection at IRP.
SSCC maintains the computing resources for IRP
IRP is a member of the Social Science Computing Cooperative (SSCC), which maintains the servers and computer networks used by University departments and Institutes located in the William Sewell Social Science Building.
All confidential data received by IRP is stored on an SSCC-operated secure server, SILO.
Silo servers accessible by researchers have been given specifications that allow for the use of data sets classified as “Limited Data Sets” under HIPAA and other data with similar security requirements. Access to directories where the data are stored is limited by both file and group permissions.
Additionally, certain fully-identified confidential IRP data (e.g., data with person identifiers) on the silo servers accessible to data scientists are encrypted.
The SSCC server room is protected with a card-swipe entry system, and is limited to SSCC professional staff. Electronic security includes: (1) virus protection; (2) password login; (3) two-factor authentication to access SILO; (3) password change required at least every 180 days; (4) file encryption; (5) detailed audit record of system access; (6) firewall protection; (7) restricted directory access; and (8) disk-wiping software.
Although IRP takes great care to ensure that electronic security is current and effective, IRP and the Social Science Computing Cooperative (SSCC) understand that it is ultimately up to the user to maintain data confidentiality.
Continue to SECTION I of the manual