Laptops and Other Portable Media

There has been a growing number of reports of stolen laptops that contained sensitive personal data about patients in clinical studies. Because of the potentially sensitive nature of the SEER-CAHPS data, the National Cancer Institute (NCI) implemented a new policy, effective June 2008, related to how the SEER-CAHPS data may be stored, transferred or used on portable devices and removable media.

Definitions of Portable Devices & Removable Media

A portable device includes any non-fixed equipment that contains an operating system which may be used to create, access or store SEER-CAHPS data. This includes but is not limited to laptops, personal digital assistants (PDAs), and smart phones.

Removable media includes, but is not limited to: CDs, DVDs, MP3 players, removable memory, and USB drives (thumb drives).

Policy

Any investigator who has obtained the SEER-CAHPS data (including all persons with access to the data) must take all reasonable measures to ensure the safety and confidentiality of the data that are downloaded to any portable device or removable media. Reasonable measures include storing large files only on network drives or password-protecting data AND encrypting any data on a portable device or removable media.

Encryption is a method used to protect the confidentiality, integrity, and authenticity of the data. SEER-CAHPS data stored on portable devices or removable media must be encrypted using one of the following approved encryption standards: Data Encryption Standard (DES) that uses a 64-bit input-output block size; Advanced Encryption Algorithm (AES) that uses a 128, 192, or 256-bit key size; or International Data Encryption Algorithm (IDEA) that uses a 128-bit key size.

If any portable device or removable media containing SEER-CAHPS data are lost or stolen, the investigator must report the loss through email within 24 hours/first business day of discovering the loss.