JUNE 2014 NOTE:
With assistance from Information Technologies (IT), the IRB originally recommended the use of TrueCrypt for encryption. However, TrueCrypt publicly announced (June 2014) that the program should no longer be used and is not secure. The IRB contacted IT for advice on alternative programs, and the information in italics below is updated information from John Gregory, Executive Director of IT.
Researchers should no longer use the TrueCrypt program and should select a new encryption program.
Data Encryption Requirement
To ensure confidentiality of identifiable, electronic data, the Institutional Review Board (IRB) requires that the electronic key linking participants’ identities to their data be encrypted. This is accomplished by the use of encryption software. The IRB contacted Information Technologies for advice on encryption software, and below is their response:
The Information Security Office requires, as a standard, AES 128 or AES 256 encryption for data at rest. By far the most popular encryption software employed in the UMS is BitLocker for Windows and FileVault for Macs. There isn’t a cross-platform solution that we are aware of.
- Windows: BitLocker is included with Windows 8 and 8.1 and Windows 7 Enterprise and Ultimate versions (it is not known what the cost is for other versions of Windows 7). An open source alternative is DiskCryptor.
- Macs: FileVault2 is included with OS X version 10.7 and higher (the only supported versions of OS X).
- Linux: The most apparent encryption to us is Linux Unified Key Setup (LUKS).
There are many alternatives, including some that are not intended for full disk encryption, but suitable for file encryption. If there is a particular alternative that someone would like to discuss, he or she can contact Sam Gaudet, 973-3297, firstname.lastname@example.org.
Points to remember regarding the encryption requirement:
- This is for ELECTRONICALLY COLLECTED/STORED IDENTIFIABLE DATA.
- If data are collected without identifiers (i.e., anonymous data), encryption is not required.
- Most often, the only data that must be encrypted is the computer file that is the key linking participants’ names to collected data – generally a small file. If data are coded, but the key is in paper format (i.e., handwritten), there is nothing to encrypt (obviously!).
- If electronic, identifiable data are not coded, the entire dataset must be encrypted. This might occur if: a) the dataset includes participants’ names (usually not done), or b) the data could be identifiable because of the type of data collected (e.g., some demographics can identify people).