Data Security

Attachment 12. Data Security
Implementation of data security systems and processes will occur as part of the SCV data
collection task. Data security provisions for the field test will involve the following:
•

•

•
•
•
•
•
•

•

•

All data collection activities will be conducted in full compliance with BJS regulations to
maintain the confidentiality of data obtained on private persons and to protect the rights
and welfare of human research subjects as contained in their regulations. Respondents
will receive information about confidentiality protections as part of the informed consent
process.
All data collectors will be trained on confidentiality procedures and be prepared to
describe them in full detail, if necessary, or to answer any related questions raised by
respondents. Training will include procedures for safeguarding sample member
information in the field, including securing hardcopy case materials and laptops in the
field, while traveling, and in respondent homes, and protecting the identity of sample
members.
All project employees will sign a confidentiality pledge that emphasizes the importance
of confidentiality and describes their obligations.
Access to the file linking respondents’ sample identification numbers and item data with
their contact information will be limited to project staff who have signed confidentiality
agreements.
Hardcopy documents containing personally identifying information (PII) will be stored in
locked files and cabinets. Discarded material containing PII will be securely shredded.
All field staff laptops will be equipped with encryption software so that only the laptop
user or RTI administrators can access any data on the hard drive even if the hard drive is
removed and linked to another computer.
Laptops will use the Microsoft Windows operating system and require a valid login ID
and password in order to access any applications or data.
All data transferred to RTI servers from field staff laptops will be encrypted and
transferred via a secure (SSL) broadband connection or optionally a secure telephone
(land) line. Similarly, all data entered via the web-based survey system will be encrypted
as the responses will be on a web site with an SSL certificate applied. Data will be passed
through a firewall at RTI, then collected and stored on a protected network share on the
RTI Network. Only authorized RTI project staff members will have access to the data on
the secure network share.
Web survey respondents will be required to create a unique password to access their
survey, and in the event of a break-off, to resume the survey at a later date. At log in,
Web respondents will also be required to select and answer one of 5 security questions
that will be used in the event the respondent requests a password re-set after beginning
the survey.
Following receipt from the field, PII will be stored only on RTI password protected,
secured servers. Only authorized project members will have access to PII for research
sample members.

•

•
•

CARI files recorded on the field laptops will be encrypted using the GPG encryption
technology as soon as the interview is completed. The GPG technology uses a pair of
public and private keys. The files will be encrypted using a public key installed on the
laptop. The encrypted audio files will be zipped up along with the survey response data
and transferred to the project share on the internal network at RTI. They will then be
decrypted using the private key for review by RTI quality monitors. Only authorized
project staff will be able to access the CARI files.
Audio files recorded during telephone interviews will be stored on a dedicated internal
share. Only authorized project staff will be able to access and review the files.
Data collected through telephone interviews (CATI) and the World Wide Web will be
stored on secure RTI servers. Only authorized project staff will have access to the data,
which will require passwords and the enabling of user access by RTI IT security
personnel. The data will be stored in SQL Server databases which require an additional
layer of security to access.