DataStat Confidentiality Policy

DataStat is committed to a policy of maintaining the confidentiality of respondent information and assuring the security of all sensitive data.

There are several aspects to the implementation of this policy. These aspects include:

  • An organizational atmosphere of respect for the respondent and the ethics of public opinion research.
  • Procedures and training to assure that these ethical principles are translated into the necessary practices and discipline.
  • Physical security for sensitive materials.
  • Computer and network security to protect database versions of these materials.
  • Compliance with HIPAA regulations as well as laws related to respondent access and confidentiality.

Personnel Policies and Practices

DataStat is a member of the American Association for Public Opinion Research and subscribes to the AAPOR Code of Ethics. This code requires us to protect the respondent from abuse or harm in any way and to protect the confidentiality of any data collected from the respondent. This includes the management of data to assure that no data are released that would allow the identification of any respondent, unless informed permission for this is obtained from the respondent.

All employees are required to agree to these principles and to indicate this agreement in the form of a signed confidentiality pledge. All research staff are required to take part in training that includes a section on professional conduct and the ethics of opinion research. This training covers confidentiality at the level of individual respondent data as well as confidentiality of client research purposes. They review the Confidentiality Pledge and must sign it before they are allowed to begin work.

Physical Security

There is an electronic security system in the building. The doors are keyed according to a keying plan that gives employees access appropriate to their needs.

There is a poured-concrete, fireproof vault with a combination-lock door, which provides protection for both data media and other sensitive materials. The vault is partitioned into several storage areas. Employees at the Senior Research Director level and above have general access to the vault, but only the principals and the facility manager have access to the secured file room where sensitive files and data are stored.

Upon receipt, sensitive materials are logged and placed in the secured file room of our vault. Senior Research Directors requiring use of the data may request a checkout. The checkout procedure records the location and person responsible for any material temporarily removed from secure storage. Typical use of such data generally does not require it to be outside of storage for more than a few moments. At the conclusion of a project, sensitive material is returned to the client or destroyed.

If paper materials containing sensitive data are generated during the course of a project, they are shredded before disposal. DataStat operates its own industrial shredding equipment.

Computer and Network Security

DataStat has extensive security procedures in place to protect data as well as computer and network resources. Security is implemented through both business processes and technical means. The DataStat network is protected by a Unix-based firewall. Outside users of the DataStat web resources access the systems through secured connections using 128-bit encryption and authentication through VeriSign software.

Sensitive data within the computer network is protected by internal network security. Passwords and software protection limit access. The computer network is backed up routinely, and the backup tapes are stored within the vault. Separate backup systems are maintained for internal data, which is preserved indefinitely, and for HIPAA-regulated or related data, which is on a time-based destruction schedule. DataStat maintains live project data within a special server system that encrypts data for storage and decrypts the data, in real time, for project analytical purposes.