Levels of Data Security Requirements

Last Updated: June 21, 2024 12:26 pm

OASIS IRB Support

Level I

Based on ITS Security definitions no research is Level I.

 

Level II

Collects data that requires additional security measures in order to ensure there is no inadvertent disclosure.

Required Measures

  • Access to data must be protected by a username and password.
  • Data must be accessed from within a secure network (either use the campus network while physically on campus or using the campus VPN).
  • Computers storing data must have campus-approved antivirus/antimalware software.
  • Computers and all other devices (phone, tablet, flash drive, external hard drive) storing research data should be encrypted where technologically feasible.
  • University-approved cloud storage (e.g., OneDrive).
  • For video/audio interviews, the most secure measure feasible (e.g., Zoom).
  • Users should be given the lowest necessary level of access to data.
  • The senior IT official in the school or department may contact those running the study to discuss data security questions and concerns.

Level III

The study collects data that requires additional security measures in order to ensure there is no inadvertent disclosure. Any computers storing or accessing data collected for the study are required to implement these measures.

Required Measures

  • Access to data must be protected by a username and password that meets the complexity and change requirements of a UNC Onyen.
  • Data must be accessed from within a secure network (either use the campus network while physically on campus or using the campus VPN).
  • Computers storing data must have campus-approved antivirus/antimalware software.
  • Computers and all other devices (phone, tablet, flash drive, external hard drive) storing research data should be encrypted where technologically feasible.
  • University-approved cloud storage (e.g., OneDrive).
  • For video/audio interviews, the most secure measure feasible (e.g., Zoom for HIPAA).
  • Computers used to store study data must be scanned regularly for vulnerabilities.
  • Users should be given the lowest necessary level of access to data.
  • The senior IT official in the school or department may contact those running the study to discuss data security questions and concerns.

Resources

Data Security: Policies and Regulations Impacting Research Data: IRBIS