Risk and Level of Security

Risk and Level of Security banner

The principal investigator is responsible for assuring confidentiality of research data and mitigating risk. The principal investigator should provide to the IRB details regarding the protections to secure the data from anticipated threats or hazards during collection, transmission and storage. Researchers must develop plans incorporating the applicable information and endorsed by the college IT personnel.

Florida Atlantic policy 12.7 for System and Data Classifications applies to all university computing, network, and telecommunications resources or data, whether stored, hosted and/or maintained on university resources or third party servers or sites. 5

Classifications for Data

Click on    to see information.

Level 1 – Health Information  

Information that the University collects in relation to healthcare treatment or health insurance billing that the University is under an obligation to protect. This information may include Protected Health Information (PHI or ePHI) protected under the Federal Health Insurance Portability and Accountability Act (HIPAA), health information protected by the Florida Information Protection Act (FIPA), or records relating to healthcare functions related to students and covered under the Federal Family Educational Rights and Privacy Act (FERPA). Certain individually identifiable medical records and genetic information, categorized as extremely sensitive.


Note: Data security plan MUST be developed with IT expert from the college where the study will be conducted.

Level 1 – Non-Health Information  

Note: The IRB won't approve a protocol collecting Level 1 information without a DSP developed with the IT representative of the cover entity.

Highly sensitive information that may be used to open or access financial accounts from another individual: SSN, bank account, passport, credit card, driver license numbers and etc.

National security information (subject to specific government requirements).

Passwords and Florida Atlantic PINs that can be used to access confidential information.

Level 2  

Information that the university has an obligation to protect under law or regulatory requirements not included covered in Level 1 Information. This includes, but is not limited to information defined under FERPA, and the Gramm-Leach-Bliley Act (GLBA).

Personnel records (employees may discuss terms and conditions of employment with each other and third parties).

Institutional financial records, individual donor information, other personal information protected under state, federal and foreign privacy laws not classified as Level 1 information.

Level 3  

Information that would adversely affect the institution's physical or cyber security if disclosed, but may not necessarily be protected by the University's obligations under law or regulatory requirements. This may include information such as detailed building diagrams, risk assessments, fraud procedures and police procedures.

Unpublished research work and intellectual property not in Level 1 or 2. Patent applications and work papers, drafts of research papers.

Level 4  

Any information that is created and stored during the normal course of business that is not protected by law or specific obligations of the university.