University of Wisconsin–Madison

Section II: Securing and Protecting Sensitive Materials

It is expected that you will not divulge any information regarding the data or the research unless it is specifically related to professional work. It is important to understand that although a piece of information may not seem to outright indicate a particular case or individual, all individual case information should be treated as confidential.

IRP uses the SSCC Silo environment for restricted data. The Silo server helps to keep sensitive data secure by blocking access to the internet and local computer drives, and not allowing printing.

Any IRP sensitive data or resulting work files must remain on the IRP project spaces on Silo. This is limited to the following project directories: irp, irp1, irp2, irp3, and irp4. The Data Security Officer will perform periodic checks to ensure compliance with this rule.

Access to specific MSPF directories and files will be granted using file permissions and group settings. Such group permissions are extended only by the direction of the PI and are implemented by SSCC staff.

You are expected to safeguard research materials containing confidential information. This includes, but is not limited to, storing paper materials in locked drawers. Additionally, good judgment should be used when leaving documents in plain sight – are the documents intended for public use or viewing? If not, IRP requires that your work area door be locked when no one is in the office.

Passwords

You are expected to keep confidential all passwords related to the legitimate access to data. This means you will adhere to the SSCC password guidelines.

Additionally:

  • For Silo access, SSCC account passwords must be a minimum of fourteen (14) characters in length
  • For Silo access, SSCC account passwords will need to be changed every year
  • Memorize passwords; if a password is written down it must be securely stored

While it is acceptable to use the same strong password for both your SSCC account and UW NetID, do not use this same password to gain access to any other personal email programs or web sites.  Similarly, for your SSCC password, avoid using  “remember password” or “save password” features in web browser applications, especially on laptop computers.

To change your password, read the SSCC publication, “How to Change Your Passwords,” at http://www.ssc.wisc.edu/sscc/pubs/1-15.htm.

Unattended Computers

While logged-in to the SSCC Silo environment, you are expected to be aware of who would potentially have the ability to view your files if you stepped away from your computer even momentarily. An alternative to logging off is to lock your screen. If you are logged-in to Silo, always lock your screen when unattended.

Further, a Silo session will automatically lock after 15 minutes of idle time.

Destruction of Sensitive Materials and Documents

You are expected to shred all printed and written materials containing confidential information that would normally not be retained for documentation. If you shred documents on a regular basis, make sure to shred them in a timely manner or to create a schedule for regular shredding.

Transporting and Sharing Data

For data housed on Silo: the only allowable option to transport or share individual-level data files between two or more people authorized to access them is to use specially designated directories within Silo.  It is prohibited for individual-level data housed on Silo to be downloaded/written to removable media or local hard drives.

Although transferring individual-level data off of SILO is not permitted, you may have need to transfer other confidential research data. Please remain aware of the following methods to protect the confidentiality of subjects, which may apply to your research activities:

  • To securely transport files, use SFTP or pass physical copies on removable media (floppy disks, CDs, etc.). It is strongly recommended that file encryption is used in these cases.
  • Sensitive or individual-level data should NEVER be transported through e-mail, which can be an insecure environment.
  • Removable media with sensitive materials must NEVER be left in an IRP mailbox or other unlocked area.
  • Any removable media used to provide copies of data (to SSCC or IRP programmers for Silo upload) will be wiped or destroyed once the data have been securely placed on the Silo server.

Possibility of Audit by the Data Owners

You are expected to follow the review procedures specified in the agreement between the Data Owner and IRP regarding release of any research or reports using this data. It is stipulated in most of IRP’s data sharing agreements with Data Owners that the owner may, at any time, audit the data security procedures in effect at IRP. By signing the IRP Confidentiality and Data Security Agreement you are assuming responsibility for the policies and procedures required within.  PIs are also assuming responsibility for ensuring compliance by all project employees on their project with access to sensitive or restricted data.

Please make sure you have read the SSCC password requirements.

Continue to SECTION III of the manual.