Data Stewardship at Merc
We believe in the power of data – we also believe in being responsible data users.
Personnel
All MERC staff – including student employees – sign a confidentiality agreement at the start of the onboarding process. This details what our responsibilities regarding the data we handle, as well as the reasons why. Then, before anyone starts working with data, we have to complete the CITI Responsible Conduct of Research training. All staff are required to keep their CITI training current. In addition, regular staff complete the annual CITI training on Information Privacy and Security.
Training and professional development is built into the structure of MERC. We participate in webinars on various data-related topics as they are available, and conduct internal training sessions on a variety of topics relevant to our work. Past internal training topics have included data management, data integrity, the cognitive response process, federal demographic question updates, behind the scenes of the service center, and many more. Regular staff also participate in external professional development to learn new skills, build on existing skills, and increase specialization. This information is brought back to the office and shared through staff meetings, ad hoc trainings we call MERC Werc, and in meeting with students. Trainings are also built into the regular meetings with undergraduate students and graduate level interns – including foundational level knowledge, tasks that help with current assigned work, and new content built around requests. We invest in our team.
Systems
Data storage at MERC depends on the type of data collected. In general, MERC utilizes Sharepoint for digital data storage, with a restricted secure drive for sensitive data (e.g. HIPAA data). In the case of physical copies of data (such as production records or surveys), these are data entered, and then stored according to the contract/agreement with the project lead. If no agreement is in place, the hard copies are scanned and shredded, with the scanned copies saved on the Sharepoint drive. The length of data storage depends on the contract/agreement with the project lead. Our general practice is to save data for five years after the end of project, to allow for any further analysis.
UNL’s SharePoint is hosted in Microsoft’s 365 Commercial environment. The environment is owned and managed by Microsoft. Microsoft’s 365 Commercial environment employs a consistent control framework and uniform implementations of controls based on the U.S. National Institute for Standards and Technology (NIST) Special Publication (SP) 800-53. Microsoft’s 365 Commercial has successfully completed a FedRAMP High Impact Level audit, including a SAR (Security Assessment Report). Microsoft’s completed its scope of responsibility towards FedRAMP accreditation for a Federal agency ATO and Microsoft 365 Commercial supports accreditation with Federal agencies at the FedRAMP High Impact Level. Microsoft 365 Commercial has accreditation from the Department of Health and Human Services (DHHS) for the FedRAMP Moderate Impact Level as formally acknowledged in the FedRAMP Marketplace. Microsoft Commercial cloud environments also has implemented controls for NIST 800-171, NIST 800-171 is a set of controls used to secure Non-Federal Information Systems (commercial systems) and is derived from NIST 800-53. Additionally, the University’s agreement with Microsoft includes a HIPAA BAA (Business Associates Agreement) for use with Restricted Sharepoint.
MERC uses the Qualtrics survey platform for most online data collection. Qualtrics uses a TLS (aka HTTPS) encryption for all transmissions. The data centers hosting the data are SSAE-18 SOC and ISO 27001 certified. The results of surveys are downloaded into analytic software, and saved and archived on computers that have up-to-date security software.
Data and Reporting
While the majority of data collected by MERC is not under the category of human subject research, we are bound by the promises made to respondents when collecting the data. Any data release is based on those promises and the agreement with the client.
For reporting data, we use the following guidelines:
- For qualitative data, we remove all identifying information, dates, proper nouns, references to events, and image or audio data. Demographic data is also assessed for the ability to combine information and may be redacted to protect the privacy of the respondents. Direct quotes are acceptable for release as long as they do not contain uniquely identifiable information that would allow for re-identification. Exceptions to above: 1) If the participants/respondents have granted explicit permission to share their verbatim answer, granted after use, but prior to release. 2) In the instance of case studies where the unit of analysis is the focus of the study; however, every effort should be made to mask other identifying characteristics of data sources involved. These guidelines are based in part on the Census Research Report Series (Survey Methodology #2020-01) Issue Paper on Disclosure Review for Information Products with Qualitative Research Findings.
- For quantitative data, merged quantitative data will only be shared in aggregate form (descriptive and bivariate tables). To avoid accidentally disclosing identifiable information and reduce misinterpretation due to small population sizes, we suppress tables that a) have all cases in a row or column in a single cell, b) have rows or columns with fewer than 10 cases total, or c) have one case that contributes more than 40% of the total. If possible, data categories may be collapsed or rounded to allow for reporting instead of suppression. If multiple waves of data are available, multi-wave aggregates can be used to provide estimates when there are too few cases in a single wave. Weighting to population characteristics may also be used to reduce identification. These guidelines are adapted from the National Longitudinal Study of Adolescent to Adult Health Data Use Terms of Use.
The majority of the student data collected by MERC staff is voluntarily provided through surveys and interviews with students, which does not fall under the domain of the Family Educational Rights and Privacy Act (FERPA). In such cases as personally identifiable information from education records (such as test scores or course grades, and is protected by FERPA) is desired for the purposes of evaluation, it is up to PI to work with MERC and the UNL IRB to determine the best practice to safeguard student privacy. In all cases, student data is only reported or presented in aggregate form, with all efforts to protect the confidentiality of the participants.