Section II: Securing and Protecting Sensitive Materials

It is expected that you will not divulge any information regarding the data or the research unless it is specifically related to professional work. While a piece of information may not seem to outright indicate a particular case or individual, all individual case information should be treated as confidential.

IRP uses the SSCC Silo environment for sensitive and restricted data. The Silo server helps to keep data secure by blocking access to the internet and local computer drives, and not allowing printing.

Any IRP individual-level data or resulting work files must remain on the IRP project spaces on Silo. This is limited to the following project directories: irp, irp1, irp2, irp3, and irp4. The Data Security Officer will perform periodic checks to ensure compliance with this rule.

Access to specific WADC directories and files will be granted using file permissions and group settings. Such group permissions are extended only by the direction of the PI and are implemented by SSCC staff at IRP’s request.

You are expected to keep confidential all passwords related to the legitimate access to data. This means you will adhere to the SSCC password guidelines.

Additionally:

• For Silo access, SSCC account passwords must be a minimum of fourteen (14) characters in length
• For Silo access, SSCC account passwords will need to be changed every year
• If a password is written down or saved it must be securely stored

While it is acceptable to use the same strong password for both your SSCC account and UW NetID, do not use this same password to gain access to any other personal email programs or web sites.  Similarly, for your SSCC password, avoid using  “remember password” or “save password” features in web browser applications, especially on laptop computers.

To change your password, visit the SSCC Accounts page at https://www.ssc.wisc.edu/accounts/.

While logged-in to the SSCC Silo environment, you are expected to be aware of who would potentially have the ability to view your files if you stepped away from your computer even momentarily. An alternative to logging off is to lock your screen. If you are logged-in to Silo, always lock your screen when unattended.

Further, a Silo session will automatically lock after 15 minutes of idle time.

For IRP data housed on Silo: the only allowable option to transport or share individual-level data files between two or more people authorized to access them is to use specially designated directories within Silo.

It is prohibited for individual-level IRP admin data housed on Silo, even if deidentified, to be downloaded/written to removable media or local hard drives.

Do not take photos or make images (like screenshots) of IRP data while in a Silo session.

If you must use “screen sharing” during a virtual project meeting to share a view of IRP data files from a Silo Session:

1. Make sure meeting participants are limited to project personnel who are authorized to view your project’s Silo data files, and
2. Use only UW-licensed versions of either Webex or Teams (these platforms are HIPAA-compliant). Standard UW Zoom is not. If you prefer to use Zoom you can request a special Secure Zoom account from the UW.

 

Although removing individual-level IRP admin data from SILO is not permitted, you may have need to transfer other confidential research data. Please remain aware of the following general methods to protect the confidentiality of subjects, which may apply to your research activities:

• To securely transport files, use SFTP or other secure transfer method. Use file encryption in these cases.
• Sensitive or individual-level data should NEVER be transported through e-mail, which can be an insecure environment.
• Removable media with sensitive materials must NEVER be left in an IRP mailbox or other unlocked area.
• Any removable media or paper materials containing confidential information must be securely stored. Paper materials must be shredded rather than recycled when destroyed.

It is stipulated in most of IRP’s data sharing agreements with Data Owners that the owner may, at any time, audit the data security procedures in effect at IRP. By signing the IRP Confidentiality and Data Security Agreement you are assuming responsibility for the policies and procedures required within.  PIs are also assuming responsibility for ensuring compliance by all project employees on their project with access to sensitive or restricted data.