Data security is our first priority. This page outlines the data acquisition, storage, and security procedures enforced by Building Bright Futures (BBF) for Vermont Insights. The procedures stated here are applicable to all employees and contractors of BBF. Refer to the Data Flowchart for a high-level description of Vermont Insights' Data Demand to Data Use on our Publications page.
Data Sharing Agreement(s) and Analytic Document(s)
In the event that an entity wishes to display data on Vermont Insights or share data with BBF, a Data Sharing Agreement (DSA) and Analytic Document (AD) shall be signed by both the entity and BBF prior to transfer of data set(s). The DSA outlines the purpose of the partnership, the data acquisition process, data storage procedures and security measures, as well as information surrounding how the data will be used by BBF for Vermont Insights. The AD outlines the data documentation, data dictionaries, questions to be answered, and analytics used by BBF for the shared data.
The use of a BBF-provided DSA and AD are not required components of acquiring public use data. Such agreement and documentation shall be used at the discretion of both BBF and the entity. A DSA and AD must be signed by both BBF and the entity sharing data prior to BBF's acquisition of protected health information (PHI), personally identifiable information (PII), sensitive data, or any confidential information that requires specific security, storage, and reporting procedures. At no time should an entity share PHI, PII, sensitive, or confidential information prior to signing both the DSA and AD.
Electronic Transfer of Data Set(s)
Public use data can be transferred to BBF using e-mail, mail, or other mutually agreed upon methods. If the public use data set(s) can be accessed via website(s), the entity sharing the data shall provide BBF with the website address(es) and any additional access information that will enable BBF to download the public use data set(s).
PHI, PII, or sensitive data will not be electronically transferred from the entity sharing the data to BBF using email or other non-secure method. Data must be transferred using BBF's secure online file transfer system, IronBox. IronBox is a service paid for by BBF that allows data and information to be transferred using the industry's highest encryption standard: 256-bit Advanced Encryption Standard (AES). A single BBF IronBox administrator maintains all encryption keys and the system is complaint with the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA). Detailed instructions on how to use IronBox's services can be provided by BBF at the time of required use.
At the written request of the entity sharing data that is deemed PHI, PII, or sensitive (or if IronBox's secure file transfer system is unavailable), BBF will acquire such data set(s) in-person using a 256-bit AES Universal Serial Bus (USB). Data stored on the encrypted USB will be transferred to BBF's storage system (see Section B.) and securely deleted from the USB immediately after the transfer. Detailed instructions on manually transferring the data set(s) to BBF via the encrypted USB can be provided by BBF at the time of required use.
Public use data and de-identified data set(s) BBF uploads onto Vermont Insights are maintained on the Vermont Insights' website servers (see Section F.). Custom firewall and ModSecurity rules (set of web application defense rules) protect the data from unauthorized access. Data are also backed up regularly to prevent unintentional destruction.
PHI, PII, or sensitive data transferred to BBF via IronBox are encrypted during the upload process. BBF temporarily stores the data set(s) in the encrypted IronBox cloud system until retrieval. A single BBF IronBox administrator downloads the data set(s) from the IronBox cloud, employs decryption, and saves the file(s) in a separate HIPAA- and FERPA-complaint cloud-based data storage system. This system, Dropbox for Business with added security via Sookasa, permits the data set(s) to be stored behind 256-bit AES encryption. The original data set(s) are copied to maintain the raw data file, transformed (if applicable), stripped of PHI/PII/de-identified (if applicable), and reviewed for quality assurance purposes.
BBF protects and maintains all sensitive and confidential information obtained from the entity sharing the data, if applicable, against unauthorized use, access, disclosure or loss by using appropriate administrative, technical, and physical safeguards required by the rules and regulations governing the data. In the event there is any theft, loss, unauthorized disclosure, or other potential or known compromise of PHI, PII, or sensitive data shared by the entity with BBF, BBF shall notify the entity within one (1) business day of becoming aware of such compromises in security.
The entity sharing data with BBF shall resolve inconsistencies or anomalies (via data cleaning activities) with the data set(s) prior to granting BBF access. BBF will employ various quality assurance checks and work with the entity sharing data to resolve inconsistencies or anomalies discovered post transfer. BBF's primary quality assurance checks include, but are not limited to:
The entity sharing data shall not hold BBF responsible for the dissemination of misinformation resulting from data quality issues.
Public use data or de-identified data elements used for reporting on Vermont Insights will be made publically available on Vermont Insights. BBF shall provide the entity sharing data with the opportunity to review reports generated from the data on Vermont Insights before they are publically available. Should the entity sharing the data require changes or additions to any part of the reports, these changes will be made by BBF prior to public dissemination. The entity sharing the data will be given the opportunity to re-review the reports and provide additional feedback prior to public release via Vermont Insights.
BBF shall not disclose, publish, provide access to, or otherwise make known any information the entity sharing the data explicitly deems confidential. The entity sharing data is responsible for identifying confidential data and explicitly including these details in the AD prior to granting BBF access to the data set(s). BBF agrees not to make confidential data publically available via Vermont Insights.
BBF staff working with confidential data have signed confidentiality agreements and were trained on all appropriate safeguard procedures prior to working with confidential data.
Only public use data or de-identified data set(s) are uploaded to the Vermont Insights' website server. At no time will PHI, PII, or sensitive data be stored on the Vermont Insights' website server. Data properly de-identified according to rules and regulations set forth under FERPA, HIPAA, and/or other rules or regulations governing the data shall be stored on Vermont Insights.
The Vermont Insights' website server is managed by BBF's information technology vendor, cTechnica, through a state-of-the-art data center, HostGator. HostGator is a world-wide and industry-recognized website hosting company with more than 12,000 servers under management. It is based in Houston, Texas with an additional office in Austin. It has two data centers: one in Houston and another in Provo, Utah. cTechnica has a dedicated Virtual Private Server with 24/7 support that can be scaled to demand. All application code and data are backed up on a nightly basis. Only cTechnica has access to the Virtual Private Server.
HostGator has extensive custom firewall rule and large mod-security rule sets protecting their website servers. Their datacenters also have network-level flood protection. Their datacenters are all highly secure facilities with restricted and encrypted access. All HostGator servers are Payment Card Industry Data Security Standard (PCI DSS) compliant by default.
|Analytic Document (AD)||The primary purpose of the Analytic Document is to provide transparency surrounding the use and disclosure of the data set(s) BBF acquires from the data steward/organization through the Data Sharing Agreement.|
|Confidential data/information||Data or information, in its original or duplicate form, that must be protected against unwarranted use, disclosure, or destruction. The term may be used interchangeably with sensitive data.|
|Data security||The application of appropriate administrative, physical, and technical safeguards to protect data from unwarranted use, disclosure, or destruction.|
|Data transmission/transfer||Methods and technologies used to move a copy of data or data set(s) between systems, networks, and/or workstations.|
|De-identified data/data set(s)||Data/data set(s) that do not contain, or stripped of, personally identifiable information and/or protected health information to which there is no reasonable basis to believe that the information can be used to identify an individual. Under both FERPA and HIPAA, if the data have been properly de-identified, they can be shared.|
|FERPA||Family Education Rights and Privacy Act, 34 CFR § 99 (FERPA.) FERPA is a Federal law that protects the privacy of student education records.|
|HIPAA||Health Insurance Portability and Accountability Act, 45 CFR § 160 and 164 (HIPAA).|
|IDEA||Individuals with Disabilities and Education Act (IDEA.) IDEA is a law ensuring services to children with disabilities throughout the nation. IDEA governs how states and public agencies provide early intervention, special education and related services to eligible infants, toddlers, children and youth with disabilities. (Title Education, Subtitle B, Part 303—Early Intervention Program For Infants And Toddlers With Disabilities, 34 CFR § 303.) IDEAS's most recent amendments were passed by Congress in December 2004, with final regulations published in August 2006 (Part B for school-aged children) and in September 2011 (Part C, for babies and toddlers).
FERPA regulations address such issues as confidentiality, maintaining and sharing educational records and disclosure of information. These regulations apply to both Part B and Part C, because the confidentiality requirements in the Part B of IDEA (34 CFR 300.560-300.576) incorporate by reference the regulations in 34 CFR Part 99. Additionally, the confidentiality sections of Part B are also to be used by public agencies to meet the confidentiality requirements under Part C of IDEA (34CFR 303.460). Therefore, FERPA is also incorporated by Part C. http://ectacenter.org/topics/procsafe/privacy.asp (retrieved 03/02/2015)
|Protected health information (PHI)||Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual, sometimes referred to as individually identifiable health information (Health Information Privacy Rule under the Title Public Welfare, Department of Health and Human Services, Administrative and Data Standards, General Administrative Requirements, 45 CFR § 160.103)|
|Personally identifiable information (PII)||Any information that can be used on its own or with other information to identify an individual (Title Education, Family Education Rights and Privacy Act, 34 CFR § 99.3).
PII, as described in across agencies and sectors, includes mention of direct and indirect PII. The U.S. Department of Labor (http://www.dol.gov/dol/ppii.htm), as an example, defines PII as "any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors)."
PII under FERPA can be shared without prior consent with some exceptions including directory information, use by school officials, studies, audits and evaluations (program evaluations) and health and safety emergencies.
|Public use data/data set(s)||Public use data are data or information prepared by investigators or data suppliers with the intent of making them available for public use. The data available to the public are not individually identified or maintained in a readily identifiable form.|
|Sensitive data/information||Data or information, in its original or duplicate form, that must be protected against unwarranted disclosure, use, or destruction. The term may be used interchangeably with confidential data.|