Managing Sensitive Data
What is Sensitive Data?
Research can involve many types of sensitive data. Some data are legally protected and restricted under laws such as the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). Other data can disclose the identity of individuals, such as direct and indirect identifiers, or information in a dataset that can be linked with other information to identify an individual. Sensitive data can also include information that can harm an individual or their reputation, including information about health, criminal record, or behaviors.
Address Sensitive Data in Your DMP
Gather the minimal amount of sensitive data you need. If possible, don’t collect sensitive data. If you need to collect sensitive data, clearly identify how you will protect this information, both physically and digitally. Funders expect you to share your research and data. Having sensitive data will not excuse you from sharing your data. You will need to clearly explain in your data management plan how you will prepare your data for sharing through anonymizing and/or de-identifying your data.
The Department of Health and Human Services provides detailed information about the de-identification of protected health information in their guide.
Including Statements About Sensitive Data in DMPs
If your research will produce sensitive data, you need to address this in your data management plan. You must not release any data that contains confidential or proprietary information. Data must be properly de-identified or anonymized prior to sharing.
The Office of Research and Graduate Studies has approved a statement regarding the sharing of confidential and proprietary information:
USU agrees with the principles that "data should be made as widely and freely available as possible while safeguarding the privacy of participants, and protecting confidential and proprietary data." In keeping with this guidance, USU follows policies and procedures which safeguard individuals, enhance national security, and appropriately protect confidential and proprietary information. Providing these protections may affect the timing or scope of data sharing. However, USU is committed to providing access to data related to its research outcomes as required under agency data sharing policies, generally no later than the time of final publication.
There are online resources to help you learn about sensitive data, direct and indirect identifiers, and how to prepare your data for sharing:
- Chapter 5 of the ICPSR's Guide to Social Science Data Preparation and Archiving
- Data De-identification: An Overview of Basic Terms, an overview by the Privacy Technical Assistance Center of the Department of Education. It includes many links to other resources.
- Chapman, A. D. and O. Grafton. 2008. Guide to Best Practices for Generalizing Primary Species-Occurrence Data, version 1.0. Copenhagen: Global Biodiversity Information Facility, 27 pp. ISBN: 87-92020-06-2.
- Identify Data Sensitivity, from DataONE.
- Providing access to your data: Handling sensitive data, published on ESIP Commons. Provides an overview of types of sensitive data (human, habitat, property, etc.) and discusses what should be considered when providing access to data.
- Johns Hopkins University Data Management Services maintains a list of Applications to Assist in De-identification of Human Subjects Research Data.