14. What protections are in place for storage of sensitive data, including for future secondary use?
Kent State University has worked with the consultant to develop a research data security description and protocol, which includes specific information on data encryption, the handling of personally identifiable information, physical security and a protocol for handling unlikely breaches of data security. The data from online participants will be submitted to a secure server hosted by the consultant. The survey is run on a firewalled Web server with forced 256-bit SSL security and is stored on a SQL database that can only be accessed locally. The server itself may only be accessed using encrypted SSH connections originating from the local network. Rankin & Associates Consulting project coordinator Susan Rankin will have access to the raw data along with several Rankin & Associates data analysts. All Rankin & Associates analysts have CITI (Human Subjects) training and approval and have worked on similar projects for other institutions. The Web server runs with the SE-Linux security extensions (that were developed by the NSA). The server is also in RAID to highly reduce the chance of any data loss due to hardware failure. The server performs a nightly security audit from data acquired via the system logs and notifies the administrators. The number of system administrators will be limited, and each will have had required background checks.
The consultant has conducted more than 130 institutional surveys and maintains an aggregate merged database. The data from the Kent State project will be merged with all other existing climate data stored indefinitely on the consultant’s secure server. No institutional identifiers are included in the full merged data set held by the consultant. The raw unit-level data with institutional identifiers is kept on the server for six months and then destroyed. The paper and pencil surveys are returned to the consultant directly and kept in a locked file drawer in a locked office. The consultant destroys the paper and pencil responses after they are merged with the online data. The consultant will notify the committee chairs of any breach or suspected breach of data security of the consultant’s server.
The consultant will provide Kent State with a data file at the completion of the project.