UW Research

Data Security Requirements Guidance


Purpose and Applicability

This webpage describes the types of data security protections that the UW IRB expects researchers to provide for human participants data, according to the possibility and type of harm to participants associated with a breach of the data. These expectations are in addition to other University requirements that may apply, such as:

When UW is the IRB of record for non-UW institutions and individuals, these requirements also apply to those individuals/institutions. Throughout this guidance where reference is made to UW institution-specific policies or services, non-UW institutions or individuals relying on the UW IRB should defer to their equivalent institution-specific policy or service. In the absence of any policy, non-UW institutions or individuals should follow UW policy where applicable. For international research collaborations, researchers should ensure that they are aware of, and in compliance with, any country-specific privacy or data security laws and requirements. 

This webpage is meant to guide researchers in identifying and applying appropriate protections based on evaluation and classification of human participants data. If an expectation described here does not make sense for the particular circumstances of a study (for example, some international settings), researchers may inform the IRB and provide the rationale as well as what protections are available.

Resources

Researchers are expected to consult with their department IT support, as needed. Many of the protections described here are already part of UW-IT supported servers and networks and would not require any additional work or resources from researchers. Additional information and resources from UW-IT and UW Medicine IT Services are available at:

Reporting Incidents

Reporting actual or suspected information security and privacy incidents, including data breaches or loss of data (intentional or unintentional) to all relevant offices is an important data security protection for all research. These must be reported as soon as possible (but no later than any required reporting time frame) to:

  • The reviewing IRB (e.g., UW, WCG, Advarra, Fred Hutch)
  • UW Privacy Office (Incident Report Form)
  • UW Medicine Compliance office (comply@uw.edu), for UW Protected Health Information (PHI)
  • UW Office of Information Security (ciso@uw.edu, if it is an urgent incident call 206-221-5000) for an event involving UW information, UW information systems or UW infrastructure technology
  • UW Compliance & Risk Services (crs-privacy@uw.edu) for PHI from a non-SOM/UW Medicine UW healthcare component
  • Non-UW institutions relying on the UW IRB must also report to their own institutional offices according to their policies. HSD does not facilitate this reporting.

Additional information and resources regarding reporting incidents are available at:

Description of Risk Levels

Researchers should evaluate the human participants data that they collect, receive, maintain, and use for University research based on the following rubric. All data in the same system should be maintained at the highest level of any type of data. For example, if some of the data are level 1 (L1) and some are level 3 (L3), then the whole system should be protected at level 3 (L3).

Level 1: Suitable for Public Disclosure

Description. Information suitable for publication, public sharing, or open access. Applies to both existing data (retrospective use) and prospectively collected data.

Examples

  • Data from lawful and trusted public sources (e.g., census data, court records)
  • Data for which participants have consented to allow public access (e.g., a museum archive, NIH public access repositories)

Level 2: Little risk of harm to individuals if disclosed

Description. These data have relatively little risk of harm except possible short-term embarrassment or psychological discomfort if the data were disclosed. Disclosure of this information would not reasonably place individuals at risk of criminal or civil liability or be damaging to their financial standing, insurability, employability, educational advancement, or reputation.

Examples

  • Performance of individuals on benign tasks (e.g., online games and puzzles)
  • Individual opinions on innocuous topics (e.g., perceived nutritional values of different foods, product brand preferences)

Level 3: Risk of material harm to individuals if disclosed

Description. These data could result in harm that has a genuine impact, but the magnitude and/or duration are generally not serious, long-lasting, and/or irreversible. Disclosure of these data could cause some financial or social harm, civil liability, reputational harm, or impact on educational advancement. However, disclosure of these data would not cause criminal liability, loss of insurability or employability, or severe financial or social harm.

Examples

  • Non-stigmatized personal health information (e.g., lab results that don’t indicate a clear diagnosis such as Vitamin D levels, visibly obvious conditions such as a broken arm or wearing corrective lenses)
  • Student course performance information

Level 4: Risk of serious and/or long-lasting harm to individuals if disclosed

Description. These data could result in serious and/or long-lasting harm. Disclosure of these data could cause criminal liability, loss of insurability or employability, severe financial or social harm.

Examples

  • Personal health information such as mental health, alcohol and substance abuse, HIV status, STIs, cancer, reproductive healthcare
  • Individually identifiable financial account information
  • Information about illegal behavior (e.g., use of illegal substances, underage use of legal substances)
  • Information about immigration status


Expected Data Security Protections by Risk Level

Level 1

No specific protections are required beyond the general University requirements for handling data that the UW has made publicly available or that has no sensitivity. Nevertheless, the UW IRB strongly encourages adopting some or all of the data security protections described for Level 2 when the data are non-sensitive but have not yet been made publicly available.

Levels 2-4

Consult the tables below to identify the specific requirements. If you are requesting any exceptions to specific requirements, please note these and the rationale in the Data and Specimen Security Protections question in the Privacy and Confidentiality section of the APPLICATION IRB Protocol or the APPLICATION IRB Protocol No Contact with Subjects.

Users

The individuals who have access to the data.

Requirements Description Applies To
U1
Limit Access
Limit the access to appropriate users, except when the data are intentionally made public. Limitation is provided using passwords or other access credentials or mechanisms, depending upon the nature and location of the data. L2-L4
U2
No shared passwords or accounts
Users’ passwords and other access credentials must not be shared. Accounts should be individually identifiable and assigned to only one person. L2-L4
U3
Protection of passwords
Passwords and other access credentials, especially those assigned to individual users, must not be stored in plain-text locations, or included in scripts and configuration files. Individuals must document the safeguards implemented to protect access credentials in circumstances where the credentials must be stored for specific purposes (e.g., cryptographic keys or certificates for scripts or API connectivity).

EXAMPLE: Use a password management application such as 1Password, LastPass, or KeePass that generates, stores, and protects long, random, unique passwords.

L2-L4
U4
Strong passwords
Passwords should be of sufficient length and complexity to reasonably protect them from being guessed by humans or computers.

  • A minimum of 8 characters in length
  • For accounts that grant administrator privileges, a password of at least 12 characters in length must be used
  • Include three of the following four character types:
    • A capital letter, A-Z
    • A lowercase letter, a-z
    • A number, 0-9
    • One of these symbols: `!@#$%^&*()-_+={}[]:<>.?/
  • DO NOT use ~ \ | ; " ' , or spaces, except where the UW NetID system permits them
  • Must not match any of your last 5 passwords
  • Never use the same character more than twice in a row
L2-L4
U5
Different passwords
Different passwords should be used for different applications. For example, your UW NetID password should be different than your password to access NIH eRA Commons which should be different from your password for your personal Gmail account. L2-L4
U6
Changing passwords
Passwords should be changed periodically or in alignment with requirements applicable to the dataset and/or systems used for the project. L2-L4
U7
Compromised passwords
Passwords must be reset and changed immediately if there is suspicion or report of compromise. Such cases should be reported immediately by calling 206-221-5000 and also be promptly reported to the other appropriate entities (e.g., UW-IT Report an Incident or Data Breach). L2-L4
U8
Report loss of data
Any actual or suspected loss, theft, or improper use of (or access to) the data must be reported immediately to the reviewing IRB and any other appropriate entities (e.g., UW Medicine Privacy or Compliance Office, UW Privacy Office, UW Office of Information Security, non-UW institutional offices). Review Reporting Incidents above. L2-L4
U9
Data storage policy
Researchers should separate subject identifiers (i.e., any information that, alone or in combination with other information, can be used to identify a specific individual such as name, date of birth, medical record number, address, email, etc.) from the data, using a “key” or code to link identifiers to the data. The link between the key/code and the identifiers should be stored in a separate system or location from other research data with appropriate security controls to prevent unauthorized access. L3-L4
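The separation described in U9 is easy to get wrong in practice (identifiers left in a "de-identified" extract, or a code that can be recomputed from the identifiers). The following Python script is an added example, not part of HSD's guidance, showing one way to do it: random, non-derivable study IDs, a linkage key kept as a separate object, repeat records for the same person mapped to the same ID so longitudinal analysis still works, and a check for leaked identifier fields before the dataset leaves the keyed environment. The field names, sample records, and ID format are constructed for illustration.

```python
from __future__ import annotations

import secrets
from typing import Dict, List, Tuple

# Fields treated as direct identifiers (the examples U9 gives). Assumption:
# the study's own data dictionary decides the final list.
IDENTIFIER_FIELDS = {"name", "date_of_birth", "medical_record_number", "address", "email"}

# Constructed sample records: two visits from one participant plus one other.
SAMPLE_RECORDS = [
    {"name": "Jane Q. Example", "date_of_birth": "1980-02-14",
     "medical_record_number": "MRN-0001", "email": "jane@example.org",
     "visit": 1, "vitamin_d_ng_ml": 21.5},
    {"name": "John Sample", "date_of_birth": "1975-11-03",
     "medical_record_number": "MRN-0002", "email": "john@example.org",
     "visit": 1, "vitamin_d_ng_ml": 34.0},
    {"name": "Jane Q. Example", "date_of_birth": "1980-02-14",
     "medical_record_number": "MRN-0001", "email": "jane@example.org",
     "visit": 2, "vitamin_d_ng_ml": 29.8},
]


def new_study_id(taken: set) -> str:
    """Random code that cannot be recomputed from the identifiers; retry on collision."""
    while True:
        sid = "S-" + secrets.token_hex(4).upper()
        if sid not in taken:
            return sid


def split_identifiers(records: List[dict]) -> Tuple[List[dict], Dict[str, dict]]:
    """Return (research_dataset, linkage_key).

    research_dataset: rows with identifiers removed and a study_id added.
    linkage_key: study_id -> identifiers. Store it in a separate system with
    its own access controls (U9); without it the dataset cannot be re-linked.
    Repeat records for the same person share one study_id.
    """
    key: Dict[str, dict] = {}
    by_identity: Dict[Tuple, str] = {}
    research: List[dict] = []
    for rec in records:
        identifiers = {k: v for k, v in rec.items() if k in IDENTIFIER_FIELDS}
        identity = tuple(sorted(identifiers.items()))
        sid = by_identity.get(identity)
        if sid is None:
            sid = new_study_id(set(key))
            by_identity[identity] = sid
            key[sid] = identifiers
        research.append({"study_id": sid,
                         **{k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}})
    return research, key


def relink(row: dict, key: Dict[str, dict]) -> dict:
    """Re-identify one row; only possible for someone who holds the key."""
    return {**key[row["study_id"]], **row}


def identifier_fields_present(dataset: List[dict]) -> List[str]:
    """Leak check to run before a dataset leaves the keyed environment."""
    return sorted({f for row in dataset for f in row if f in IDENTIFIER_FIELDS})


if __name__ == "__main__":
    research, key = split_identifiers(SAMPLE_RECORDS)
    print("research rows     :", research)
    print("linkage key       :", key)
    print("identifiers leaked:", identifier_fields_present(research) or "none")
```

The two outputs of split_identifiers are meant to live in different places: the research rows go to the analysis environment, the linkage key to a separately controlled store, and identifier_fields_present is the check that the former contains none of the latter.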
U10
Authorization and documentation of access
Document, implement and follow a formal access control policy for the study’s data (both digital and non-digital) and systems. The policy should:

  • Define roles and their associated privileges
  • Define the criteria for assigning roles
  • Identify who is responsible for approving access
  • Describe procedures for granting access, revalidating the need for access, and removing access
  • Describe procedures for documenting all individuals who have access, regardless of whether they are members of the study team (e.g., IT administrators, auditors, custodial services staff)

The access control policy and procedures should be commensurate with the size, complexity, and operational needs of the study. For example, a year-long study conducted by two UW faculty co-PIs would require fewer and simpler roles and processes than a multi-year study involving UW and external collaborators, rotating cohorts of research assistants, multiple lab facilities, and information systems owned by multiple organizations.

Existing departmental policy(ies) that satisfy this requirement may be used in lieu of developing a study-specific policy. Review HSD’s Research Data Access Control Policy template for guidance.

L3-L4
U11
Data disposal
Destroy, return, or de-identify data if the data are no longer needed and the applicable records retention period has ended. The method of disposition should be appropriate to the nature and risk of the data.

Disposal practices may be modeled after existing references like the UW Medicine Electronic Media Data Disposal Standard or UW-IT Secure Disposal of Computers and Devices or other applicable criteria. Note that Records Retention requirements may still apply to the data within the storage media planned for disposal.

L2-L4
U12
Confidentiality and security training
A written process is established and followed for ensuring and documenting that appropriate training about confidentiality and data security has been provided to individuals who will have ongoing access to the data. Training materials should be kept up to date with the latest information security and privacy best practices and regulatory requirements (review Resources).

CITI human subjects training is not sufficient for meeting this requirement.

Existing departmental policy(ies) that satisfy this requirement may be used in lieu of developing a study-specific policy. Review HSD’s Confidentiality and Security Training Policy template for guidance.

L3-L4
U13
Authorized users
There is a written data use agreement or data processing agreement that defines the authorized uses of the data by anyone outside of the UW study team who is given access to the data. L3-L4
U14
Certificate of Confidentiality
ENCOURAGED but not required unless the IRB explicitly requires it for the specific study. Apply for a federal Certificate of Confidentiality or Privacy Certificate, to protect against disclosure of the data in response to a subpoena or other legal process. Review HSD’s Guidance on Certificate of Confidentiality for more information. L4
U15
Multi-Factor Authentication
Multi-Factor Authentication (MFA) should be implemented for all non-local (e.g., across the Internet or other institutional network) system access by users and administrators (not study participants), if available.

If MFA cannot be implemented at each authentication event, MFA should at least be incorporated into the nearest logical boundary or perimeter safeguards (e.g., requiring MFA to connect to the VPN before accessing data on a department server).

MFA is not required for accessing individual workstations by users physically present at the device unless explicitly specified for a study (e.g., some federal projects with extensive security obligations).

L3-L4

Devices

User devices (including portable devices but not servers) on which data are collected, processed, and/or stored. Examples: desktop computers; laptops; smartphones; tablets (e.g., iPads); USB or flash drives; DVDs.

Requirements Description Applies To
D1
Configure the device
Configure the device for secure operation and limit access to the specific person or persons authorized to use the device. To the greatest extent practicable, institutional devices (i.e., owned by UW or the researcher’s institution) should be used instead of personally owned devices, especially for L3 and L4 data.

Device configuration may be modeled after existing references like HSD’s WORKSHEET Device Configuration, the UW Medicine Minimum Computing Device Security Standard, UW-IT Security Laptops, UW-IT Smartphone configuration or other applicable criteria.

Where available, researchers are encouraged to leverage more rigorous configuration settings and/or advanced solutions offered or required by their department (e.g., using an Endpoint Detection and Response (EDR) product like CrowdStrike in lieu of the Microsoft Defender antivirus software built into Windows devices).

If the requirements of this document conflict with other policies, standards, practices, or similar obligations for a device, system, or dataset, the more restrictive or rigorous of the two should usually be implemented.

L2-L4
D2
Configure the applications
Configure the applications being used on the device to protect the access and transfer of data. This could include, but is not limited to, restricting or preventing some data synchronization or backup features, and enforcement of encryption in-transit and at-rest. Also, review D8 below. L2-L4
D3
Update the operating system and applications
Operating systems, applications, software, and firmware must be kept up to date, by installing revisions, security patches, and upgrades. L2-L4
D4
Protection against loss
Store or otherwise secure the device in a way that minimizes the possibility of loss or theft.

Never leave laptops and other mobile devices unattended (e.g., in your car).

L2-L4
D5
Device disposal
Before disposing of or repurposing the device, the data stored on it must be physically destroyed, over-written or wiped using a method that is appropriate to the risk and sensitivity of the data.

Device disposal practices may be modeled after existing references like the UW Medicine Electronic Media Data Disposal Standard, UW-IT Secure Disposal of Computers and Devices or other applicable criteria.

L2-L4
D6
Portable devices
Portable devices cannot be used to store identifiable data for an indefinite period of time except when specifically allowed by the IRB because of well-justified circumstances.

Some portable devices may be used to view or access identifiable data if necessary (e.g., using a laptop’s web browser to view data collected via REDCap, accessing data stored on a department-managed fileserver requiring connectivity through a UW VPN). Other types of portable devices (e.g., cameras, audio recorders) may be used to temporarily store the original version of study data as part of data collection. In both circumstances, care must be exercised to ensure that the devices follow other applicable requirements set in this document (e.g., D4’s protection against loss or theft, D5’s sanitization practices, U1’s access limitations, U8’s reporting of loss requirements) and that copies of the data are not retained on the device.

L3-L4
D7
Permanent storage
All data should be uploaded from local or portable devices to a secure server or service as soon as possible.

  • Data must not be stored locally on devices except in circumstances where temporary storage is required (e.g., storage media for recording audio or video). Consider disabling auto download features from web browsers.
  • Data must not be stored in or processed by any cloud solution unless the solution is covered by appropriate contractual agreements (e.g., Business Associate Agreement, Data Processing Agreement).
L3-L4
D8
Encryption
The data must be encrypted. All confidential and sensitive data must be encrypted when not in use and when being transmitted. Any internal or external storage device must utilize encryption that meets or exceeds the encryption methodology applied to other departmental assets (e.g., AES-128).

Additional information about encryption and example encryption methods may be found at the UW-IT Whole Disk Encryption webpage or UW Medicine Encryption Guidance webpage.

L3-L4
D9
Device management and monitoring
A written process is established and followed for ensuring that:

  • Devices are securely configured
  • Updates and patches to operating systems and applications are installed promptly
  • Devices are inventoried and tracked to avoid loss or theft and ensure unauthorized individuals do not have access
  • Devices are used according to the UW Acceptable Use Policy (for UW data) and in accordance with data use agreements and other applicable requirements

Existing departmental policy(ies) that satisfy this requirement may be used in lieu of developing a study-specific policy. Review HSD’s Device Management & Monitoring Policy template for guidance.

L3-L4

Servers/Services

Computer servers or computing services on which data are collected and/or stored, including file sharing or collaboration services. Examples: Dropbox; cloud-based storage; email; backup & recovery services; online productivity tools such as Google Docs; department servers; externally hosted servers and Infrastructure as a Service (IaaS) solutions; Mechanical Turk; REDCap.

Requirements Description Applies To
S1
Complex Passwords
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
Servers and services that manage passwords must force the following password requirements to reasonably protect them from being guessed by humans or computers:

  • A minimum of 8 characters in length
  • For accounts that grant administrator privileges, a password of at least 12 characters in length must be used
  • Include three of the following four character types:
    • A capital letter, A-Z
    • A lowercase letter, a-z
    • A number, 0-9
    • One of these symbols: `!@#$%^&*()-_+={}[]:<>.?/
  • DO NOT use ~ \ | ; " ' , or spaces, except where the UW NetID system permits them
  • Must not match any of your last 5 passwords
  • Never use the same character more than twice in a row
L2-L4
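The password rules in U4 (for users) and S1 (for servers and services) are the same list. The Python below is an added example, not UW or HSD code, of how a service that does its own authentication could enforce that list when a password is set. The "last 5 passwords" rule is checked against salted PBKDF2 hashes of earlier passwords rather than stored plaintext, consistent with U3; the iteration count and function names are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

# Symbol set and forbidden characters as listed in U4/S1. The space is in the
# forbidden set. Characters outside A-Z, a-z, 0-9 and SYMBOLS are neither
# forbidden nor counted toward the four character types.
SYMBOLS = set("`!@#$%^&*()-_+={}[]:<>.?/")
FORBIDDEN = set("~\\|;\"', ")
HISTORY_DEPTH = 5          # "must not match any of your last 5 passwords"
PBKDF2_ROUNDS = 100_000    # assumption: tune to the server's capacity


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    """Salted hashes of an account's previous passwords, newest first.
    Plaintext is never retained (U3)."""
    entries: list = field(default_factory=list)

    def record(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.entries.insert(0, (salt, _derive(password, salt)))
        del self.entries[HISTORY_DEPTH:]

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self.entries)


def check_password(password: str, *, is_admin: bool = False,
                   history: Optional[PasswordHistory] = None) -> List[str]:
    """Return the U4/S1 rules the candidate violates (empty list = acceptable)."""
    problems: List[str] = []

    minimum = 12 if is_admin else 8
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")

    bad = sorted(set(password) & FORBIDDEN)
    if bad:
        problems.append("contains disallowed characters: " + " ".join(repr(c) for c in bad))

    classes = sum([
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(c in SYMBOLS for c in password),
    ])
    if classes < 3:
        problems.append(f"uses only {classes} of the 4 character types (3 required)")

    if any(password[i] == password[i - 1] == password[i - 2] for i in range(2, len(password))):
        problems.append("repeats a character more than twice in a row")

    if history is not None and history.contains(password):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")

    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    history.record("Tr0ub4dor&3")
    for candidate in ["Tr0ub4dor&3", "Abbb1!xyz", "N3w-Passw0rd"]:
        print(candidate, "->", check_password(candidate, history=history) or "OK")
```

The function returns every rule violated rather than stopping at the first, so the user sees all the fixes needed in one round. A history check necessarily recomputes the slow hash once per stored entry, which is why HISTORY_DEPTH is kept small.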
S2
Server Communication
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
Communications between (1) servers or services and (2) client machines must be protected.

  • Firewall configurations must restrict connections between publicly accessible servers and system components that store Confidential data. Firewalls and similar mechanisms should be configured to allow only the minimum viable level of access.
  • All data must be encrypted in-transit using cryptographic protocols, such as Transport Layer Security (TLS 1.2 or greater)

UW-IT managed firewall

L2-L4
S3
Server-application communication
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
Communications between servers or services must be protected.

  • Firewall configurations must restrict connections between publicly accessible servers and system components that store Confidential data. Firewalls and similar mechanisms should be configured to allow only the minimum viable level of access.
  • All data must be encrypted in-transit using cryptographic protocols, such as Transport Layer Security (TLS 1.2 or greater)

UW-IT managed firewall

L2-L4
S4
Password changes and change methods
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
  • Mechanisms for users to set or change passwords must be secure
  • All default or temporary passwords must be changed prior to using an account, server, system, or service for its intended purpose
L2-L4
S5
Server Operators
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
People responsible for the operation of servers must have the skills, experience, and/or training needed to implement these requirements. L2-L4
S6
Commercial Services
Researchers are responsible for learning about the security protections for any commercial service they use, such as Mechanical Turk, file-sharing services, and cloud services. This includes selecting among options for appropriate configurations and protections.

Commercial services must have contractual protections implemented commensurate with the data stored or processed, such as ensuring a Business Associate Agreement (BAA) is executed prior to allowing a service to access any electronic Protected Health Information (ePHI) and a Data Processing Agreement (DPA) before sharing any personal data with an external organization or contractor.

L2-L4
S7
Current Patches
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
Operating systems and application patches must be kept current. Wherever feasible, applications should be enabled to perform automatic updates to receive the latest security patches. L2-L4
S8
Malware Detection
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
The server or service must run applicable malware detection software with up-to-date signature files.

Researchers and server operators should consult with IT personnel within their department, major university organization, or other organizational unit to determine if any advanced and/or centrally administered anti-malware solutions are available for servers or services planned for use in their project.

L2-L4
S9
No Shared Accounts
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
All system and user accounts must be tied to a unique individual. Individuals must not share access to accounts, passwords, or create generic accounts intended to be shared.

  • Access must be granted using the principle of least privilege (i.e., restricting users’ access to only the minimum-viable amount, level, or resources needed to perform a task)
  • Access should be granted using a role-based access management scheme (i.e., controlling users’ access through membership to groups in lieu of manually configuring each type of access)
L2-L4
S10
Audit Activity
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
Audit activity such as system, security, and privacy events must be logged and reviewed regularly to detect errors and anomalous or unauthorized activity. L2-L4
S11
Idle Sessions
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
Implement controls to protect unattended sessions. Lock the screen and require authentication to unlock, disconnect idle sessions, and/or end idle sessions after a defined period of inactivity. The amount of time before action and the controls implemented should consider other controls and requirements including clinical care, operational needs, and physical access safeguards. L3-L4
S12
Improper Access
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
Servers must be protected from improper network-based access using solutions such as network/host-based firewalls and virtual private networks (VPNs).

UW-IT managed firewall

Husky On Net (HON) UW-IT free individual VPN

L2-L4
S13
Logging Access
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
User and administrator access to servers and applications must be logged. Where feasible, such logs should be securely stored on a separate system. L2-L4
S14
Reporting Incidents
Researchers are responsible for ensuring that server and application operators understand that they must promptly inform the researchers (and through them, the reviewing IRB, and relevant offices) of any actual or suspected information security and privacy incidents, including data breaches. Review Reporting Incidents above. L3-L4
S15
Reviewing Logs
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
The logs must be periodically reviewed for anomalous behavior. L3-L4
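S10, S13 and S15 require access and audit events to be logged and then actually reviewed for anomalous or unauthorized activity. The Python below is an added example, not part of HSD's guidance, of what a minimal review pass can look like: it parses key=value access log lines and flags three patterns that matter for research systems (a run of failed logins followed by a success, a bulk export outside working hours, and a privileged action by someone outside the admin role). The log lines, the admin list, the working hours and the thresholds are all constructed for the example; a real deployment would take them from the study's U10 access policy and its own log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Assumptions for this example; real values come from the study's access
# policy (U10) and operating hours.
ADMINS = {"alice"}
BUSINESS_HOURS = range(7, 19)                 # 07:00-18:59 in the log's time zone
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=10)
PRIVILEGED_ACTIONS = {"grant_role", "create_user", "change_config"}
BULK_ACTIONS = {"export", "download"}

# Constructed access log in key=value form (not real UW log data).
LOG_LINES = """\
2024-03-04T08:02:11Z host=study-db user=alice action=login result=success src=10.1.20.14
2024-03-04T08:03:40Z host=study-db user=alice action=query result=success src=10.1.20.14 rows=120
2024-03-04T09:10:05Z host=study-db user=alice action=export result=success src=10.1.20.14 rows=4000
2024-03-04T11:45:00Z host=study-db user=carol action=login result=failure src=10.1.20.30
2024-03-04T11:45:20Z host=study-db user=carol action=login result=success src=10.1.20.30
2024-03-04T02:13:05Z host=study-db user=bob action=login result=failure src=198.51.100.7
2024-03-04T02:13:29Z host=study-db user=bob action=login result=failure src=198.51.100.7
2024-03-04T02:13:51Z host=study-db user=bob action=login result=failure src=198.51.100.7
2024-03-04T02:14:14Z host=study-db user=bob action=login result=failure src=198.51.100.7
2024-03-04T02:14:50Z host=study-db user=bob action=login result=failure src=198.51.100.7
2024-03-04T02:15:20Z host=study-db user=bob action=login result=success src=198.51.100.7
2024-03-04T03:40:00Z host=study-db user=carol action=export result=success src=10.1.20.30 rows=5000
2024-03-04T10:15:00Z host=study-db user=dave action=grant_role result=success src=10.1.20.44 target=eve
"""


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def review_logs(lines: List[str]) -> List[dict]:
    """Return findings as {rule, user, ts, detail}, in time order."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    findings: List[dict] = []

    def flag(rule: str, ev: dict, detail: str) -> None:
        findings.append({"rule": rule, "user": ev["user"], "ts": ev["ts"], "detail": detail})

    for ev in events:
        user, action, ts = ev["user"], ev["action"], ev["ts"]

        if action == "login":
            q = recent_failures[user]
            while q and ts - q[0] > FAILURE_WINDOW:   # sliding window of failures
                q.popleft()
            if ev.get("result") == "failure":
                q.append(ts)
            else:
                if len(q) >= FAILURE_THRESHOLD:
                    flag("credential-guessing-then-success", ev,
                         f"{len(q)} failed logins within {FAILURE_WINDOW} before success from {ev.get('src', '?')}")
                q.clear()

        if action in BULK_ACTIONS and ts.hour not in BUSINESS_HOURS:
            flag("after-hours-export", ev, f"{action} of {ev.get('rows', '?')} rows at {ts.time()}")

        if action in PRIVILEGED_ACTIONS and user not in ADMINS:
            flag("privileged-action-by-non-admin", ev, f"{action} target={ev.get('target', '?')}")

    return findings


if __name__ == "__main__":
    for f in review_logs(LOG_LINES.splitlines()):
        print(f["ts"].isoformat(), f["rule"], f["user"], "-", f["detail"])
```

Sorting by timestamp before the pass matters when logs from several hosts are merged (S13's separate log store), since the failure-then-success rule depends on event order. Each finding carries the source event so the reviewer can follow up in the original logs.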
S16
Secure Disposal
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
Before disposing of or repurposing storage media (e.g., hard drives), the storage media device must be securely sanitized (i.e., wiped, overwritten, or destroyed) using a method that is appropriate to the highest level of risk, sensitivity, or classification of data on the storage media device.

Disposal practices may be modeled after existing references like the UW Medicine Electronic Media Data Disposal Standard, UW-IT Secure Disposal of Computers and Devices, UW Facilities Preparing items for surplus, or other applicable criteria. Note that Records Retention requirements may still apply to the data within the storage media planned for disposal.

L2-L4
S17
Password Guessing
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
Servers or services must implement a mechanism that inhibits password guessing attacks on user accounts if the server or service does its own authentication. L3-L4
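S17 leaves the choice of mechanism open. The Python class below is an added example, not UW or HSD code, of one common choice: a per-account lockout with a sliding failure window and an escalating delay, keyed by the submitted account name whether or not that account exists, so the throttle itself does not reveal which usernames are valid. The thresholds are assumptions and the clock is injectable so the behaviour can be exercised without real waiting.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple


class LoginThrottle:
    """Inhibit password guessing for a service that does its own authentication.

    After max_failures failed attempts inside window_seconds the account is
    locked for base_lockout seconds; each further lockout doubles the delay,
    capped at max_lockout. A successful login resets the account's state.
    Call check() before verifying a password and record_failure()/record_success()
    after. Defaults are assumptions for the example.
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 900,
                 base_lockout: float = 60, max_lockout: float = 3600,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}
        self._lockout_count: Dict[str, int] = defaultdict(int)

    def _prune(self, account: str, now: float) -> None:
        """Drop failures that have aged out of the sliding window."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, account: str) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds) for an attempt on this account."""
        now = self.clock()
        until = self._locked_until.get(account, 0.0)
        if until > now:
            return False, until - now
        self._prune(account, now)
        return True, 0.0

    def record_failure(self, account: str) -> None:
        now = self.clock()
        self._prune(account, now)
        q = self._failures[account]
        q.append(now)
        if len(q) >= self.max_failures:
            self._lockout_count[account] += 1
            delay = min(self.base_lockout * 2 ** (self._lockout_count[account] - 1),
                        self.max_lockout)
            self._locked_until[account] = now + delay
            q.clear()

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)
        self._lockout_count.pop(account, None)


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, base_lockout=30)
    for _ in range(3):
        throttle.record_failure("demo-account")
    print("allowed, retry_after:", throttle.check("demo-account"))
```

Two caveats a practitioner will want to keep in mind: per-account lockout does not stop an attacker who tries one common password against many accounts, so a per-source-address limit is a natural companion; and the same retry-after response should be returned for existing and non-existing accounts so the lockout does not become a username oracle.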
S18
Server Vulnerability
Server operators must take reasonable actions to ensure that their systems are not vulnerable to attack. Software and/or firmware patches and upgrades must be applied in a timely manner to prevent malicious actors exploiting a known software or firmware weakness. When patches cannot be applied in a timely manner, implement compensating controls to reduce the risk.

Server operators and researchers should strongly consider enrollment into centrally administered vulnerability monitoring and scanning services that may be available for systems under their care. Options and eligibility for certain centrally administered solutions may vary across the organization. Teams may consider reviewing the UW Medicine Security Standards for Patch Management and UW Medicine Security Standards for Vulnerability Management as example approaches to follow when developing plans for their servers.

L2-L4
S19 Secure Location (Applies To: L2-L4)
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
The server must be kept in a secure location and be subject to regular inventory to ensure that loss or theft is identified.

A “secure location” refers to an environment where access to records, servers, and system components is restricted and controlled to prevent unauthorized access, theft, or tampering. This can include using physical locks (e.g., cable locks, locked cabinets, or rooms) or implementing access controls such as keycards or biometric authentication and monitoring access to detect any unauthorized or anomalous activity. All locations where servers are stored or operated must have appropriate safeguards to ensure the integrity and confidentiality of the information. Further, locations where servers are stored or hosted should also consider potential risks that could arise from environmental or infrastructure sources (e.g., power or network outages, temperature and humidity management, fire suppression needs).
S20 Encryption (Applies To: L2-L4)
Data must be encrypted at rest. This may be accomplished through solutions at the hardware or software level, such as self-encrypting drives in servers, row-level encryption in database tables, and/or encrypted disk volumes through software like BitLocker or LUKS.

(Review also the in-transit encryption requirement in S2)
S21 External Access (Applies To: L3-L4)
Network connectivity to servers or services used to store, process, or transmit data must be limited to only the ports, protocols, and connections necessary for operational functionality.

Systems that are not inherently designed to be cloud-hosted or accessed from the public internet must not be directly accessible from the internet (i.e., without intermediary protections such as connecting to the UW VPN).

UW-IT managed firewall

Husky On Net (HON) UW-IT free individual VPN
S22 Protecting Servers (Applies To: L3-L4)
[This requirement may be assumed to be met if the server or service is under the direct authority and control of UW-IT, UW Medicine IT, or the Office of Research Information Services. Other requirements may also be met for specific servers but should be verified.]
Servers on the same subnet must be protected against attack from each other (or have functionally similar protections suited to the architecture of the subject system or service and its infrastructure).


Paper and Other Non-Digital Records

Non-digital forms of data storage include (but are not limited to): paper; non-digital film or tape recordings; non-digital drawings or artwork.

Requirements Description Applies To
P1 Limiting access (Applies To: L2-L4)
Access to the non-digital form of data storage must be limited to those people with proper, documented authorization to access the non-digital records. Because of this, non-digital data storage should be used only by people working directly on the same research.

Be sure to consider non-research personnel such as administrative and custodial staff.
P2 Protecting records (Applies To: L2-L4)
The non-digital data must be in a locked and secure location when not in active use.

A “secure location” refers to an environment where access to records and system components is restricted and controlled to prevent unauthorized access, theft, or tampering. This can include using physical locks (e.g., cable locks, locked cabinets, or rooms) or implementing access controls such as keycards or biometric authentication and monitoring access to detect any unauthorized or anomalous activity. All locations where records or other non-digital data are stored or operated must have appropriate safeguards to ensure the integrity and confidentiality of the information.
P3 Destruction of records (Applies To: L2-L4)
Destruction of records (after the end of the records retention schedule and use for approved research, if appropriate) must be accomplished by means that make it impossible to reconstruct the non-digital records.
P4 Documentation of access (Applies To: L3-L4)
The names and roles of all individuals who have access to the non-digital data are documented, tracked, and regularly reviewed over time.

Be sure to consider non-research personnel such as administrative and custodial staff.

Data Transmission

The methods by which data are transferred from one location to another.

Requirements Description Applies To
T1 Email and fax security statement (Applies To: L2-L4)
If using email or fax for communication or to collect data from participants, include a statement to the participants in the transmission (e.g., email signature, fax cover page) that email and fax are not secure.

Review UW Medicine’s Electronic Communications Security Standard

Note: UW-IT provides an eFax Service (HIPAA compliance on the UW side is available on request)
T2 Communications risk (Applies To: L2-L4)
Participants should be cautioned to give the study team contact information for, and to communicate with the study team from, only those communications channels (e.g., email, fax, text message) and devices (e.g., laptops, phones) to which the participant alone has access.
T3 Fax security (Applies To: L3-L4)
UW’s eFax service must be used in lieu of fax machines or other faxing services.

Arrangements must be made to ensure the intended recipient will receive and promptly store or process fax-transmitted data. This includes coordination of fax transmission to recipient fax machines and verification of the recipient’s fax number.

To the greatest extent practicable, confidential and sensitive data should not be sent over fax.

Note: UW-IT eFax Service (HIPAA compliance on the UW side is available on request)
T4 Emailing PHI (Applies To: L3-L4)
Protected Health Information from UW Medicine should be transmitted by email only under the conditions described by UW Medicine standards. Other Protected Health Information transmitted via email should be sent under the same or similar standards.

UW Medicine requirements are located in the Electronic Communications Security Standard and Encryption Security Standard.
T5 Secure transmission (Applies To: L3-L4)
Electronic means of transmission of data over the internet, social media, or by text message must use cryptographic protocols, such as Transport Layer Security (TLS 1.2 or greater), to secure and encrypt transmitted data.

In most circumstances, open and public Wi-Fi networks, consumer-oriented VPN (Virtual Private Network) services, and other insecure or unvetted means of connectivity and data transmission should not be used to transmit or access study data. Alternatives, such as cellular hot-spots or UW-provided VPN services, should be used instead.

Additional details on secure transmission of data may be found in UW Medicine’s Electronic Communications Security Standard and in Resources above.
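As an added example that is not part of the UW guidance, the Python below builds a client-side TLS context that enforces the T5 floor of TLS 1.2 (with certificate and hostname verification) and classifies a negotiated protocol name against that floor; the function names are my own.

```python
"""Added example: enforce and audit the T5 requirement (TLS 1.2 or greater).
Not part of the UW guidance; function and constant names are illustrative."""
import ssl

# Lowest protocol version that satisfies T5.
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2

# Protocol names as returned by SSLSocket.version(), mapped to ordered versions.
_VERSION_BY_NAME = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def make_strict_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and verifies the server."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = MINIMUM_TLS      # reject TLS 1.0/1.1 and SSLv3 handshakes
    ctx.check_hostname = True              # the certificate must match the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED    # an unverifiable certificate aborts the handshake
    return ctx


def context_meets_t5(ctx: ssl.SSLContext) -> bool:
    """Audit an existing context: version floor plus mandatory verification."""
    return (
        ctx.minimum_version >= MINIMUM_TLS
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


def meets_t5(protocol_name: str) -> bool:
    """True if a negotiated protocol name (e.g. from SSLSocket.version()) satisfies T5.
    Unknown or empty names are treated as non-compliant rather than assumed safe."""
    version = _VERSION_BY_NAME.get(protocol_name)
    return version is not None and version >= MINIMUM_TLS
```

After connecting with `ctx.wrap_socket(sock, server_hostname=host)`, pass `tls_sock.version()` to `meets_t5` to record whether a given transfer met the requirement.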
T6 Transportation of non-digital and digital data (Applies To: L3-L4)
Transportation must occur via a method that ensures point-to-point tracking and delivery to only a verified, authorized individual. Maintain accountability of media during transport through encryption, an accountability system, and/or by restricting transport activities to authorized personnel. Do not leave media unattended during transport. Instances of lost, stolen, or misdelivered media must be reported promptly to the reviewing IRB and appropriate UW office(s).
T7 Transportation of confidential or sensitive (Applies To: L3-L4)
Transportation must occur via a method that is under the control of the study team (or designee) at all times. Maintain accountability of media during transport through encryption, an accountability system, and/or by restricting transport activities to authorized personnel. Do not leave media unattended during transport.

Vendors

Non-University businesses or individual vendors hired on a contractual basis to perform research-related duties. Examples: a call center that administers surveys over the phone; a radiology service that is hired to read CT scans.

Requirements Description Applies To
V1 Vendor contracts (Applies To: L3-L4)
Written contracts including appropriate university riders must be executed with all vendors/other third parties who collect, process, host, or store information (e.g., Business Associates Agreement, Data Processing Agreement). The contract must be executed by the individual with appropriate delegated authority to execute contracts on behalf of the University (e.g., Department Vice Chairperson, UW Procurement).
V2 Contract language (Applies To: L3-L4)
The contract with the outside vendor providing research-related services must include requirements about how the confidentiality, integrity, and availability of the data will be maintained, including requirements related to:

  • Users
  • Use of portable devices
  • Servers
  • Security controls
  • Paper records and other non-digital storage media
  • Data transmission

Related HSD Materials

ONLINE TUTORIAL Data Security Protections
TEMPLATE Confidentiality and Security Training Policy
TEMPLATE Device Management and Monitoring Policy
TEMPLATE Research Data Access Control Policy
WEBPAGE Certificate of Confidentiality (CoC) Guidance
WORKSHEET Device Configuration

Version Information


Version History

Version Number | Posted Date | Implementation Date | Change Notes
2.0 | 06.26.2025 | 06.26.2025 | Significant revision with updates to the levels and requirements
1.3 | 06.26.2020 | 06.26.2020 | Update links; Remove “Zipline” from document title
1.2 | 09.19.2017 | 09.19.2017 | Fix broken link, number, and typo
1.1 | 09.30.2016 | 09.30.2016 | Fix broken link
1.0 | 05.31.2016 | 05.31.2016 | Newly published guidance

Keywords: Confidentiality