Guidance on Good Data Security Practices

Everyone in the University community is responsible for protecting our data.

Good security practices minimize risk to subjects and financial or regulatory/compliance risks to yourself and the University. Privacy and protection of confidential information is a continued priority for the University.

  • Password selection and management –choose strong passwords or passphrases to make sure no one gets access to your private information.  Visit the UChicago IT Services’ website at Choosing Good Passwords and Keeping Them Secure for tips on how to create strong passwords and passphrases and how to keep them secure. 
  • 2Factor Authentication  – 2Factor Authentication (2FA) enhances the security of your CNetID by using your device (mobile phone, landline, tablet, hardware token) to verify your identity. 
  • Virtual Private Network (cVPN)The cVPN ( secures your access to the Internet no matter where you are in the world. Use it whenever you are not at home, on campus, or don’t know whether the local wifi is truly secure.
  • File storage and sharing - Use UChicagoBox ( to securely store and control how files with sensitive data are shared. Carefully set up different Box folders to support the different modes of sharing needed for your protocol.  (Note: some data use agreements may preclude the use of UChicago Box -- you must comply with the terms of any applicable data use agreements.  Data use agreements must be reviewed by University Research Administration.) The University Data Usage Guide shows which services can and cannot be used to store and share sensitive, identifiable human subject research data.
  • Operating System & Software Application Updateskeep your device’s operating system and software applications updated. You can add program application update tools that will prompt you to install the latest updates by visiting the Updating Non-Operating System Software webpage.

Avoid Accidental or Coercive Exposure of Sensitive Information

Whether at home, work, or traveling, you should secure your digital environment and restrict access to sensitive information.

  • Encrypt laptops, desktops, and mobile devices that contain sensitive information.  Visit the IT Services Knowledge Base for instructions on encryption.
  • For smartphones, tablets, and other mobile devices, set a passcode to access your device, set a passcode lock that requires the PIN to be re-entered after 5 minutes of inactivity, and set up auto-wipe so that the device wipes (erases) all of the data it contains after 10 successive passcode failures.
  • Use encrypted and password protected flashdrive to move sensitive data to other devices or share data with others when UChicagoBox is not used. Encrypted USB drives are available at local retailers as well as
  • Never ask for or supply more sensitive information than necessary.
  • Anyone who can access sensitive information should be made aware of its importance and be trained in handling it, including transcribers and data coders.
  • Use Identity Finder to help you locate sensitive data on your computer.

Report any data security incidents to UChicago’s IT Security (email:; phone: 773-702-2378) and to the IRB if your study involves human subjects research.

Keeping Your Data Safe When Traveling

  • Do not leave your devices unattended. Keep mobile devices on your person or in a locked safe whenever possible. Ensure that they are encrypted and have a PIN as described above.
  • Do not expect privacy. Certain countries have policies or legal environments that allow them to record everything and anything, from cellular calls to internet traffic.  Be prepared when traveling abroad that you may be compelled to share any data brought with you.  Certain countries restrict encrypted devices.
  • Make sure that cVPN is set up on your computer before you travel.
  • Install a privacy screen on your laptop to discourage "shoulder surfing."
  • Back up your data and media to a device that will remain in the United States or to UChicago Box.
  • Only download iOS or Android mobile apps from the Apple or Google App Store.
  • Less is best – bring the least amount of information/data and the fewest devices possible.  Utilize travel-only devices that are stripped down to only necessary documents, services, and applications.
  • If possible, do not insert USB ("thumb") drives or other portable media given to you when traveling. If it is necessary, before plugging them in make sure that your virus definitions are up-to-date and that your anti-malware program is configured to automatically examine USB devices for malware before enabling access to them.
  • Turn off your device, or at least the Wi-Fi and Bluetooth capabilities, when not in use.  Do allow them to be in "sleep" or "hibernation" mode when they are not in active use.
  • Limit use of public terminals, and avoid using accounts that require usernames and passwords on public machines.   It is easy for someone to set up a fake WiFi network in a hotel or other public area and encourage people to connect to it to capture sensitive information.
  • If for some reason you can’t use a VPN, at least protect your web browsing. Try typing https instead of http into the address bar — to access Gmail, for example, you’d type If a padlock appears beside the address, the data you send and receive from that site is encrypted. If you’re using Chrome, Firefox, or Opera, it’s even easier: install the HTTPS Everywhere plugin and it’ll do this for you automatically.
  • If you are doing something sensitive online, use cVPN, in addition to any other measures such as HTTPS, to protect the connection against eavesdropping. Also, it’s harder to intercept cellular networks than Wi-Fi ones, so if you have access to reasonably priced cell data on your phone or tablet, use it.
  • If you absolutely must use a public computer, don’t do anything involving money (e.g., online banking and purchasing that involves entering credit card details), use two-factor authentication for as many online services as possible, use the web browser’s Incognito/Private Browsing mode to avoid your details being saved, log out of all of the apps you use, and reboot the computer when you’re finished with it.
  • Software like Prey, Find My iPhone, and Android Device Manager all offer various features for tracking down stolen gear. They can report their location, take photos and video, sound alarms, display messages on the screen, and more, and can help reunite you with your technology. Make sure they’re set up and working correctly before your gear goes missing!
  • Upon your return to the United States, run anti-virus software to scan your device for malware and follow the instructions to correct any issues.  If you used your CNET ID and password while traveling abroad, it’s a good idea to change your password when you return.

Report any incidents/breaches to UChicago’s IT Security (email:; phone: 773-702-2378), and to the IRB if your project involves human subjects research.

For more information and guidance on data security, see