Data Security Flashcards
Informational harm
When data is used against a participant
Who is primarily responsible for following privacy law in a research study?
The researchers
Which of the following fields could potentially be used to identify someone and must be considered closely when publicly releasing the data?
Movie preferences
Friends
Zip codes and birthdates
Ice cream preferences
Neighbors
All of the above.
True or False: Only those individuals that participate in the study can be harmed by a data release.
False.
Some study data can provide information about vulnerable populations. For example, data that is shared about one participant may expose information about people within that participant’s population.
What are some strategies for mitigating risks when making measurement choices?
Determine if the sensitive data is necessary for the study
Categorize responses (e.g., income or age) into groups or brackets
Randomized responses
Collecting group responses
Is IRB approval sufficient in protecting researchers from legal obligations?
IRB approval is not sufficient in protecting researchers from legal obligations. It’s the researchers’ responsibility to understand the legal framework that dictates their research.
Which scenario represents the best process for transferring sensitive data among research partners?
A researcher encrypts her files and then sends the files and their passwords via email
A researcher stores the files in a shared Dropbox folder and shares with research partners
A research manager stores unencrypted data on their computer and then sends an encrypted file to the research team
The research team encrypts all files, stores them on Dropbox, and shares passwords over the phone
All scenarios are sufficient
The research team encrypts all files, stores them on Dropbox, and shares passwords over the phone
What are some ways in which data can be de-identified?
Redaction/removal
Partitioning
Encryption
True or False: If files are encrypted and the encryption key is lost, the files can be easily retrieved.
False.
Encryption keys cannot be easily retrieved. Encryption is one of the best methods for securing data.
A dataset is considered K-anonymous when:
For each record, at least k-1 records contain the same identifying characteristics to make them indistinguishable
K-anonymity is a property of a dataset that contains identifying characteristics but in which enough records share the same characteristics that individual records cannot be identified.
Transforming data is one control used when making data publicly available. What type of transformation is done when a birthdate field is transformed to age (in years)?
Generalization
When you change all the values of a field such as birthdate to age, you are making the data less accurate. Thus, you are generalizing the data. While this helps protect your study participants, it could potentially affect your final results if someone were trying to replicate them.
Informed consent document
The informed consent document should be seen as an agreement between the researchers and the survey participants. At no point during data collection or thereafter should the researchers do something that goes against the signed informed consent clause.
A hardening system built for high-risk information might include
Password complexity enforcement
Default password changes
When developing a password, what is a good practice?
Passwords tend to be among the weakest controls within a data security system because they are subject to human error. A password manager, such as LastPass, can help people create strong passwords, manage a large number of passwords, and build a multi-factor access system.
What is one drawback to using Dropbox or Google Drive for hosting data?
Data can be decrypted by these companies if they are legally required to do so