Managing Sensitive Data

What is Sensitive Data?

Research can involve many types of sensitive data. Some data are legally protected and restricted under laws such as the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). Other data can disclose the identity of individuals, either through direct and indirect identifiers or through information in a dataset that can be linked with other information to identify an individual. Sensitive data can also include information that can harm an individual or their reputation, including information about health, criminal record, or behaviors.

Address Sensitive Data in Your DMP

Gather the minimal amount of sensitive data you need.  If possible, don’t collect sensitive data.  If you need to collect sensitive data, clearly identify how you will protect this information, both physically and digitally.  Funders expect you to share your research and data.  Having sensitive data will not excuse you from sharing your data.  You will need to clearly explain in your data management plan how you will prepare your data for sharing through anonymizing and/or de-identifying your data.

The Department of Health and Human Services provides detailed information about the de-identification of protected health information in their guide.

Including Statements About Sensitive Data in DMPs

If your research will produce sensitive data, you need to address this in your data management plan. You must not release any data that contains confidential or proprietary information. Data must be properly de-identified or anonymized prior to sharing.

The Office of Research and Graduate Studies has approved a statement regarding the sharing of confidential and proprietary information:

USU agrees with the principles that "data should be made as widely and freely available as possible while safeguarding the privacy of participants, and protecting confidential and proprietary data." In keeping with this guidance, USU follows policies and procedures which safeguard individuals, enhance national security, and appropriately protect confidential and proprietary information. Providing these protections may affect the timing or scope of data sharing. However, USU is committed to providing access to data related to its research outcomes as required under agency data sharing policies, generally no later than the time of final publication.

Extra Help

There are online resources to help you learn about sensitive data, direct and indirect identifiers, and how to prepare your data for sharing: