Date: Mon, 9 Oct 2006 10:24:18 -0700
Reply-To: "Pardee, Roy" <pardee.r@GHC.ORG>
Sender: "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU>
From: "Pardee, Roy" <pardee.r@GHC.ORG>
Subject: Re: IRB, password protection
Content-Type: text/plain; charset="us-ascii"
My advice is to encrypt it all, and not spend time trying to weigh out
which things should/shouldn't be encrypted. It's just so much easier
and surer to be able to say "yeah my laptop was stolen, but every bit of
study data on it was encrypted with the AES algorithm--the current DOD
standard". IRBs will likely also be suitably impressed by such
If your laptop runs windows XP, see if you can use its encrypting file
system. If not (my organization has disabled EFS unfortunately) then
you might try storing it all on a truecrypt volume:
That's free, open-source stuff, and it's very easy to use. I would say
that it's so easy, it doesn't make sense not to...
It's hard to weigh SAS' encryption in terms of strength--I don't believe
they've disclosed the algorithm they're using. (Not that I could do so
in any event...)
From: SAS(r) Discussion [mailto:SAS-L@LISTSERV.UGA.EDU] On Behalf Of
Kevin Roland Viel
Sent: Monday, October 09, 2006 9:53 AM
Subject: IRB, password protection
I would like to solicit advice on language used in IRB applications
for clinical trials concerning the protection of the data. Is it
sufficient to use SAS passwords or do people typically encrypt the data,
too. Given that I work from a laptop remotely and theft of such
sensitive data has made news lately, never mind liability (is anyone
carrying insurance, I am not incorporated, yet), this seems especially
I would prefer to simply use SAS passwords and create unique patient
ID for those time when I *might* need to send data. Since this company
only licenses one copy of SAS, I guess I could write a perl program and
transmit only these anonymous IDs.
Does this seem sufficient, provided I describe it using about two
paragraphs, or should I look for something more involved?
PS Logon requires a password, each MS application (Access, Excel, and
Word) requires a password, and the SAS datasets require a password.
Department of Epidemiology
Rollins School of Public Health
Atlanta, GA 30322