Data Security: Policies and Regulations Impacting Research Data

Security considerations in managing sensitive data.

What Is IRBIS?

First, IRB stands for Institutional Review Board, which is the committee formally designated to approve, monitor, and review research involving humans. IRBIS, the Institutional Review Board Information System, is the online form for submitting approvals to UNC's IRB.  Studies involving humans may contain sensitive data and IRBIS establishes clear definitions of the levels of data determined by the IRB.  These are the concrete requirements for data protection.  If your data as described in your IRB application meets the standards for Level 3 data, you will be referred to seek help from your appropriate IT office.

Levels of Data Security Requirements

Level I
The study collects data that does not require additional security measures.

Recommended Measures

  • Access to data should be protected by a username and password.
  • Data should be accessed over a secure network.
  • Computers storing data should have anti virus software.
  • Users should be given the lowest necessary level of access to data.

Level II

The study collects data that requires additional security measures in order to ensure there is no inadvertant disclosure.

Required Measures

  • Access to data must be protected by a username and password.
  • Data must be accessed from within a secure network.
  • Computers storing data must have anti virus software (Symantec Endpoint Protection).
  • Users should be given the lowest necessary level of access to data.
  • The senior IT official in the school or department may contact those running the study to discuss data security questions and concerns.

Level III
The study collects data that requires additional security measures in order to ensure there is no inadvertant disclosure. Any computers storing or accessing data collected for the study are required to implement these measures.

Required Measures

  • Access to data must be protected by a username and password that meets the complexity and change requirements of a UNC Onyen.
  • Data must be accessed from within a secure network.
  • Computers storing data must have anti virus software (Symantec Endpoint Protection).
  • Study data must be encrypted where technologically feasible.
  • Computers used to store study data must be scanned regularly for vulnerabilities.
  • Users should be given the lowest necessary level of access to data.
  • The senior IT official in the school or department may contact those running the study to discuss data security questions and concerns.

Continue...