Sensitive Data Guidance

This article defines sensitive data, provides information on UNC policies for sensitive data, and offers options for data storage, software, and data sharing with regards to sensitive data.

Sensitive Data

Sensitive data is a general term to describe data with a variety of ethical concerns such as:

  • Protected personal health information,

  • Personally identifying information,

  • Protected education and student records,

  • Topic of a sensitive nature

  • Potential risk of harm if participants are identified, and

  • Proprietary or license restrictions.

The sensitive nature of your data will determine the types of measures you need to have in place to protect privacy and intellectual property and reduce risks. This handout is designed to provide considerations for storing and sharing sensitive data at UNC-Chapel Hill.

UNC Policies Related to Sensitive Data

The University already has a set of policies, classification of sensitive information (Tiers I-III), and procedures related to classification tier and data security. We recommend that you review a set of policies related to data that the UNC Data Governance Group has compiled: Policies about Data.

You may request a data review to obtain guidance and consultations on the classification of your sensitive data, appropriate uses, software review, among other information about handling and managing your research data. Request Data Assistance at https://tdx.unc.edu/TDClient/33/Portal/Requests/ServiceDet?ID=34.

Storage and Software Options

UNC ITS and some department IT teams provide storage for certain classifications of sensitive data. For instance, UNC ITS provides Secure Network Attached Storage, also known as SecNAS, for sensitive information. We recommend that you contact your department IT or UNC ITS at support@help.unc.edu to learn more about the storage options available to you.

The University reviews software and platforms and makes recommendations of the classification of sensitive data appropriate for the platform. At the time of writing, OneDrive and Amazon AWS are deemed appropriate for certain types of sensitive information. See the Purchase Guide at https://safecomputing.unc.edu/data/data-guide/

Data Sharing Options

In considering sharing sensitive data, there are methods that may assist you in sharing your sensitive data. Please note that there is no one size fits all. You will need to consider your data needs along with relevant policies, legislation, and best practices in data sharing and archiving.

Informed Consent. Human participants can consent to having their data shared as part of the informed consent process. This will require adding a section on data sharing that will inform participants of what and how you plan to share their data. You may wish to allow participants to opt-in and opt-out of data sharing. We recommend that you consider data sharing as part of all of your IRB study protocols and discuss with the UNC IRB & OHRE.

De-Identification. De-identification is the removal of personally-identifying or personal health information (PII and PHI) from a dataset. HIPAA Safe Harbor de-identification method has a set of 18 identifiers that they recommend be removed from data. However, data may contain potentially identifying information beyond this list of 18 identifiers and/or a combination of demographic variables may make it possible to re-identify a participant. If you plan to de-identify your research data, we recommend that you consult with experts in de-identification and/or privacy.

Access Restrictions. You may find that you cannot fully de-identify your data or still have an ethical concern that the previous options will not address. You may need to restrict access to your research data to only certain groups. For instance, you may want your data only used for academic research and education or you want to vet and approve researchers that plan to use your data. Access restrictions allow you to stipulate whom or what purpose your data may be accessed and used. Access restrictions may not comply with data sharing policies. We recommend that you talk with the funder or journal about policy compliance and data repository staff about access restriction options available. UNC Dataverse does offer the ability to apply access restrictions; however, you cannot deposit data with PHI or PPI in UNC Dataverse.

Use a Trusted Data Repository Capable of Handling Sensitive Data. When the options above do not meet your needs, you may want to consider the use of a trusted data repository designed to handle sensitive data. These repositories will ensure the long-term preservation and access to your research data.

There are repositories that designed to handle certain types of sensitive data and have different security measures in place. For instance, a few examples include Vivli in the medical sciences, ICPSR in the social sciences, Qualitative Data Repository (QDR) for qualitative data, and Zenodo for licensed data. If you are considering one of these repositories, we suggest that you reach out to their repository staff to confirm accepted data types, alignment with your data needs, security measures, and any associated costs.

Resources

 

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

 

RDM Guidance formatting was influenced by The Writing Center, University of North Carolina at Chapel Hill Tips & Tools handouts.