Data Security
Data security is a top priority for the Center for Data Science and Public Policy (DSaPP) and the University of Chicago. When a partner prefers to give us data rather than access to their computer and data systems, we take a series of steps to ensure the data remain secure. The following measures are considered industry standard and are followed by large tech companies and other industry players across the world.
Data obtained from the partner organization are placed in a secure data center by University of Chicago staff. Partners have, for example, mailed encrypted hard drives and sent data through encrypted connections (SFTP). Data encryption technologies, including 3DES IPsec VPN, Secure Sockets Layer (SSL), Transport Layer Security (TLS), and digital certificates, are used to protect transmission of and access to data and systems used for analysis. Data are not stored on local computers or other devices and remain on file servers in the secured environment at all times. Credentials for the hard drive or connection are shared separately and securely.
Public-key authentication is required to access the server that contains the data. Public-key authentication requires a specific file to be present and referenced on a user’s system when communicating with the server. These files are unique to the user communicating with the server and are protected by an additional password lock specific to that key. The database server is only accessible within a private, secure network. Accessing the database server requires public-key authentication as well as usernames and passwords. We encrypt our data drives and database at rest. We use logging and an intrusion-detection system to monitor and maintain the security of the system.
The University of Chicago’s Center for Data Science and Public Policy and Data Science for Social Good program have extensive experience working with sensitive data, including data protected by HIPAA, FERPA, and 42 CFR Part 2, and with meeting our partners’ local and administrative requirements.