Quest Data Security Guidance

• Publicly available data
• Data that is intended for public release but needs to be kept private until publication
• Data that will be shared as part of a publication

• Data subject to compliance frameworks such as HIPAA, FERPA, NIST 800-171, NIST 800-53, FISMA, or FedRAMP
• Controlled Unclassified Information (CUI) from government grants or contracts
• Data subject to export control restrictions
• Financial account numbers such as credit cards or bank account numbers
• Government identification numbers, such as social security numbers, driver’s license numbers, or state identification card numbers
• Passwords or other information that allows access to secured online accounts
• Biometric data, such as fingerprints, retina or iris scans, or facial geometry
• Health insurance or medical record account numbers, policy numbers, or other identifiers
• Identifiable protected health information, including medical records, that are not de-identified to the standard defined by the Health and Human Services de-identification standards; potential identifying fields include email addresses, residential addresses, birthdates, license plate numbers, photographs or images, phone numbers, and combinations of information such as age and zip code.
• Private, personally identifiable information that could harm individuals if it were public. This includes information that could cause reputational harm. For example, survey data that includes the respondent’s IP address (which can be identifying) and their private opinions on a sensitive topic.
• Unstructured text data that may contain any of the above restricted types of information directly or through combinations of information in the text. This includes, for example, unstructured text fields in medical records that do not contain explicit data fields with personal information but may contain names, dates, or other identifying information in the unstructured text.
• Data collected or scraped from restricted or non-public websites, such as social media posts that are only shared with contacts
• Data being used for commercial or for-profit endeavors
• Data that is not associated with the research or business of Northwestern University

• Deidentified human-subject research data:
  • If you are working with survey data, check that all identifiers have been removed, including IP addresses or email addresses that may have been collected automatically when using tools like Qualtrics or other online forms.
  • If the data includes open-ended responses or other human-generated text fields, review those fields for potentially identifying information.
  • For data not governed by specific requirements (such as non-health data), consider what would happen should your data become public: could it cause harm to the study participants? If so, Quest is not an appropriate place for your data. 
• Human genetic data: Any genetic data on Quest must not include personal identifiers and must be deidentified according to HIPAA standards. Data cannot be subject to specific data security, privacy, or compliance requirements such as GDPR, NIST 800-66, NIST 800-171, NIST 800-53, FISMA, or FedRAMP. Note that some genetic data files released by NIH may carry security requirements that are not compatible with Quest such as those within NIH Controlled-Access Repositories.
• MRI and other medical images: Medical image files must be deidentified to remove any personal/facial features, metadata with patient information, and medical record numbers or other identifiers on the images before being stored on Quest. Note that Quest may not be used for deidentifying MRI images.
• Data governed by a Data Use Agreement (DUA): Please reach out to the Research Computing and Data Services team (quest-help@northwestern.edu) for more details on Quest security measures and compare them to the provisions of the DUA.

Q: I have research data that is not appropriate for Quest. What other systems can I use to analyze this data?

A: The Research Data Storage Service (RDSS) and FSMResfiles provide appropriate options for the storage of some sensitive research data. These storage systems can be mounted on university-owned and managed computers to provide secure access to your data. If you need to meet specific compliance or data use agreement requirements, or you need computational resources beyond what your laptop or personal computer can accommodate, Northwestern IT and Feinberg School of Medicine IT can work with you to set up secure cloud computing environments or other available resources. Contact researchdata@northwestern.edu to start that conversation.

Q: Can I use Quest to deidentify my data?

A: No. Data needs to be deidentified before it is transferred to Quest. If you need computational resources beyond your laptop or personal computer to perform the deidentification, contact researchdata@northwestern.edu to discuss options.