University of Wisconsin–Madison

IRP Data Security Manual

Access levels to confidential data at IRP

Employees at IRP whose work may authorize them access to IRP sensitive and restricted data belong to one of the following groups:

Programmers

IRP Programmers have the highest level of access to sensitive data at IRP; they provide research data (like the Multi-Sample Person File, MSPF) to Researchers and Research Assistants for which the most sensitive personal identifiers have been removed or masked

Researchers and Research Assistants

Researchers and research assistants analyze the confidential data and produce results in which the data are aggregated; they generally do not require knowledge of individual identifiers.

Data Collectors

Data Collectors collect and update case information from public records maintained at county courthouses. In addition to the IRP Confidentiality and Data Security Agreement, Data Collectors must sign and adhere to an Exception Agreement that outlines specific policies for the protection of collected information while traveling and working at the courthouses.

SSCC maintains the computing resources for IRP

IRP is a member of the Social Science Computing Cooperative (SSCC), which maintains the servers and computer networks used by University departments and Institutes located in the William Sewell Social Science Building.

All confidential data received by IRP is stored on an SSCC-operated secure server, SILO.

The researcher server (WinLDS) has been given specifications that allow for the use of data sets classified as “Limited Data Sets” under HIPAA and other data with similar security requirements. Access to directories where the data are stored is limited by both file and group permissions.

Additionally, certain fully-identified confidential IRP data (e.g., data with person identifiers) on the server (WinRD) are encrypted.

The SSCC server room is protected with a card-swipe entry system, and is limited to SSCC professional staff. Electronic security includes: (1) virus protection; (2) password login; (3) two-factor authentication to access SILO;  (3) password change required at least every 180 days; (4) file encryption; (5) detailed audit record of system access; (6) firewall protection; (7) restricted directory access; and (8) disk-wiping software.

Although IRP takes great care to ensure that electronic security is current and effective, IRP and the Social Science Computing Cooperative (SSCC) understand that it is ultimately up to the user to maintain data confidentiality.

Continue to SECTION I of the manual