The Daily Tar Heel
Printing news. Raising hell. Since 1893.
Tuesday, Feb. 20, 2024 Newsletters Latest print issue

We keep you informed.

Help us keep going. Donate Today.
The Daily Tar Heel

ITS works to secure personal data

Professor Daniel Nelson is responsible for the office that provides ethical and regulatory oversight for any research that involves humans as subjects. "That includes approximately 4,500 research studies here at Carolina."
Professor Daniel Nelson is responsible for the office that provides ethical and regulatory oversight for any research that involves humans as subjects. "That includes approximately 4,500 research studies here at Carolina."

In an increasingly technological world, personal data runs the risk of being exposed — but researchers are on their way to tightening data security requirements.

While most of the roughly 30,000 daily hacking attempts that could happen at a large research university like UNC bounce off firewalls, even a small breach can threaten the entire system.

“If one little bit of spyware finds a crevice and crawls in and sits there, you have a potential breach,” said Dan Nelson, professor and director of the Office of Human Research Ethics at UNC.

As society moves into an entirely digital environment, Nelson said researchers have had to change their methods of securing data. Data security doesn’t mean spreadsheets locked in a filing cabinet anymore­ — everything is online.

“(Technological advances) increase the power of the science, but it also increases our exposure to potential breaches of confidentiality, either intentional or accidental,” he said.

And now, there is a big push for universities and their respective Information Technology Services to work together to help researchers secure their data — especially sensitive personal data, including medical records, sexual behavior, illegal substance abuse or immigration status.

“Most researchers may be trained to collect and analyze data but aren’t necessarily trained to know how many bits of encryption are needed to meet current security standards,” Nelson said.

He said the Office of Human Research Ethics, which is responsible for ethical and regulatory oversight of any research at UNC involving humans as subjects, receives more than 4,000 research projects annually that must go through a review process before being approved.

The office developed a system to assess the level of security that might be needed for a given research project, Nelson said.

He said the system identifies sensitive topics in the research, and the more sensitive the system ranks a project, the more protection it’ll need.

Among those highly sensitive projects at UNC is the National Longitudinal Study of Adolescent Health, known as the Add Health project — a social science and health study of adolescents that started in 1995 through the Carolina Population Center.

Kathleen Mullan Harris, project director, said they’ve been ahead of the curve on confidentiality issues.

The project created a highly secure system in the early 1990s that researchers still use today, though with some upgrades, she said.

“The plan that we have … it allows us to sleep at night,” Mullan Harris said.

Researchers spoke with adolescents and their families in 1995 to study how social environments affect behavior. They continue to follow up with the 90,000 students originally interviewed.

The study records highly sensitive personal data including participants’ potentially illegal, violent or sexual behaviors, Mullan Harris said. Add Health even collects bio specimens to test for STDs and DNA strands.

Mullan Harris said they remove identifying information, like names and addresses, from the records. But in order to follow up with participants, the project has scattered the identifiers in servers outside the U.S. so that it’ll be difficult for hackers to connect the dots.

“We as researchers or directors still have no idea as to who is involved in our study,” she said. “I know an awful lot about them, but I have no idea who they are.”

The security plan is to protect the Add Health project from subpoena by the court — when students were interviewed 18 years ago, there was no telling who they’d later become. Add Health didn’t want its data to be used against its participants in court.

But since research is often so expensive, institutions want to be able to give others access to their findings, said Nancy Dole, deputy director of the Carolina Population Center.

“There is an inherent tension between making data available and protecting it,” she said.

To get the day's news and headlines in your inbox each morning, sign up for our email newsletters.

Dramatic changes in technology have also led to stricter federal regulations to protect research data, said Cathy Bates, chief information officer at Appalachian State University and member of Educause’s Higher Education Information Security Council Leadership Team.

Educause is a nonprofit organization that works to advance higher education through information technology and helps improve data protection in universities.

Bates said it’s difficult for researchers to stay abreast of changing regulations and know what their responsibilities are in protecting data.

She said campus ITS teams should work more with the Institutional Research Board to provide support for researchers. Without their help, Bates said research projects run the risk of creating disjointed security efforts that allow for easier breaches.

“On a minute-by-minute basis, networks, especially open access networks, are just consistently being crawled over to see what kind of data someone can access.”

Special Print Edition
The Daily Tar Heel Victory Paper for February 5, 2024