Sensitive Data Practices and Storage: FAQ

Researchers must be aware of the risks of handling, storing sensitive data 

Research at WVU often involves “sensitive data,” but what qualifies goes beyond private medical or educational records. Information Technology Services offers clear and unambiguous guidance through the new Sensitive Data Protection Policy and Social Security Number Protection Policy, and in the recently updated Acceptable Use of Data and Technology Resources Policy. All three policies are now posted on our website. Additional details are offered in the Frequently Asked Questions (FAQ) below. 

Q: What are current best practices for keeping information secure? 

Start with these few rules: 

  • Never keep your password written down or stored near a computer. 
  • Don’t step away from a computer or other device without locking your screen. 
  • Never share your login username and password or any other identity-authentication credentials with anyone. That includes members of your research team. 

Q: What exactly does “sensitive” mean? 

Any data that is subject to federal laws, including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA), is considered sensitive. Confidentiality MUST be protected. 

Personally identifiable information, such as birthdates and Social Security Numbers (SSNs), is also considered sensitive and should be treated as confidential data to be protected. The release of this kind of information creates vulnerability to identity theft and fraud. 

Credit card and banking information also should be secured. 

Q: Am I responsible for making sure that kind of information is secure? 

Yes, securing sensitive digital data is part of being a responsible researcher. Those who conduct human subject research, whether in the biomedical or the social/behavioral sciences, should be proactive in ensuring that the privacy of individual subjects is protected. 

Q: Is my data sensitive? 

Research data considered confidential and sensitive includes: human subject information; proprietary digital research data; export controlled information; information regarding design and creation of a controlled item or product; classified information relating to defense articles and services; information covered by an invention secrecy order; or software directly related to a controlled item. 

Survey results are also considered sensitive if they include any of the following: SSNs; dates of birth; personal financial information; insurance benefit information; access device numbers; biometric identifiers or family information; data referring to illegal behaviors; drug/alcohol abuse; sexual behavior; mental health information; and genetic information. 

Any data collected under a National Institutes of Health (NIH) Certificate of Confidentiality is considered sensitive. 

Note: These are only examples of sensitive data, not an exhaustive list of what qualifies as sensitive data. If you have any questions about securing your research data, contact Information Security at infosec@mail.wvu.edu.

Q: Can you give an example of what is NOT sensitive? 

Scientific, mathematical or engineering principles that are commonly taught are not considered sensitive. Nor is basic marketing information on the function or purpose of a system, or a general description of an article or product. 

Q: What can I do to protect my data on campus? 

  • Always store data only on a laptop/desktop with whole disk encryption to protect the data if the machine is stolen or lost. 
  • Back up data regularly to a file server that is protected and backed up regularly. 
  • Work with your IT support staff to ensure your machine has the most current anti-virus protection and operating system security patches. 
  • Limit access to the data to only those people with a legitimate need. 
  • If you have determined that your data is sensitive and should be protected, work with your college IT department or ITS Information Security to develop a plan. 

Q: What should I do when traveling? 

The best practice when traveling is to take a loaner laptop that does not contain any sensitive or proprietary information.

However, if you decide to travel with your laptop and have files that contain sensitive or proprietary information, including unpublished research, article drafts, data sets or third-party proprietary information, you should: 

  • Back up your data and store files in a secure location. 
  • Ensure your computer and the files on it are password-protected. 
  • Turn off file/print-sharing. 
  • Apply all software patches and updates, and ensure that anti-virus is up to date. 

Note: If traveling internationally, you may be subject to U.S. export control laws, so you must confirm that the information and software on your laptop can safely and legally be transported to another country. In general, laptops can be taken overseas if they do not contain any work or data with foreign national restrictions, publication restrictions, technology control plans or proprietary information. For more information about export control, contact the WVU Export Control office.

Q: How can I get help with these issues? 

Contact your college IT staff or the Information Security team in ITS at infosec@mail.wvu.edu for help assessing whether your data is sensitive and developing a plan to secure it.