- Be especially careful with storage of identifiable and potentially sensitive data on mobile devices or unsanctioned cloud storage providers.
- For research studies, please follow the data management section of the study protocol once data collection is complete and/or prior to analysis.
- Especially relevant are requirements for retaining de-identified data if specified, including removing identifiers as soon as feasible
- Securely storing data sets and restricting access to appropriate members of the research team, for e.g. one group may have access to a location where identifiable data is retained and another group can have access to the de-identified or coded data set.
- For portable devices such as laptops – either university supplied laptops or laptops that have university IT approved full disk encryption software installed should be used.
- An anti-malware application (e.g. Carbon Black) should be installed and updated regularly on all portable devices.
- Protected Health Information (PHI) should not be stored on mobile phones or tablets.
- For mobile storage (USB Flash, hard drives) – avoid storing identifiable or sensitive data. If you absolutely must, then such devices MUST be encrypted. IT (at Medical 243-5999, https://www.it.miami.edu/, help@miami.edu) can provide assistance on encryption services for laptops, selection of appropriate mobile devices, secure remote access and other specific secure practices, etc..
- Physical controls (locked, file cabinet, card key restricted office area etc.) should be used for paper/printouts with identifiable or sensitive information.
- Paper/printouts with identifiable or sensitive information that need to be disposed of, should be shredded or placed in the approved University provided Shred-It bins for such information – NOT in the regular trash.
- Avoid use of sensitive or identifiable paper documents at home, including printing of such documents.
- If you have an unavoidable and approved use case i.e. explicit approval from your business unit leadership, then proper disposal of such information is critical. Some individuals do have a home crosscut shredder which is the preferred solution. At the very minimum, destroy, (e.g. cutting up via scissors), all areas with identifiable information such as name, address, telephone number, email address, MRN or other identifiable information. Again, avoid use unless absolutely needed.