Situation
Joan Consultant was working with a colleague, Joe Analyst, who was located in a branch office of their consulting firm in a different state. They were preparing a report for a client, Acme Cellular, on the results of open-ended interviews with managers and staff of one department of Acme. Joan had entered her interview notes for each interview in her computer, identifying the interviewee by position title. She had also prepared an analysis of the key points of agreement and disagreement between management and staff members. She emailed the Acme files for both the analysis write-up and the interview notes to Joe for his review and input. He returned the analysis, with edits and additions, by email. He also faxed her interview notes from two of the interviews (which he had printed out) with hand-written questions on sections of the interviews he did not understand.
Questions
- Did Joan and Joe take the proper precautions in emailing files to safeguard the confidentiality of their data and report material?
- Was it appropriate for Joe to fax interview notes to Joan?
- What are some alternative ways to safeguard confidentiality when emailing data files or draft report material?
- What are ways to safeguard confidentiality when faxing data files or draft report material?
Discussion
In emailing the data files, Joan should have made sure that there was no way individuals could be identified from the files. Although access to an individual’s email normally requires one or two password entries, this does not guarantee that others cannot gain access.
Using position title for a given department is not a sufficient safeguard, since in many instances only one person will have a specific title. Assigning a separate ID number to each person would provide greater protection. The ID numbers can be structured so that staff or management level is embedded, so Joe will know the position of the individuals. Using a different name or a number for the company would provide additional protection should an unauthorized person gain access to the data. While these kinds of procedures should be standardized in any organization routinely carrying out such work, it is the responsibility of the researcher to establish mechanisms to protect the confidentiality of data.
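An added example, not part of the original case study, of the ID scheme described above: it gives each position title an ID with the level embedded (M for management, S for staff), substitutes a code for the company name, and returns the key table separately from the shareable notes. The titles, notes, the `Client-07` code and all function names are constructed for illustration.

```python
import re
import secrets

# Constructed sample data; titles, company and notes are illustrative only.
COMPANY = "Acme Cellular"
ROSTER = {  # position title -> level
    "Director of Billing": "management",
    "Billing Supervisor": "management",
    "Billing Clerk": "staff",
    "Collections Specialist": "staff",
}
NOTES = {
    "Director of Billing": "Acme Cellular reorganized billing; the Billing Supervisor disagreed.",
    "Billing Clerk": "The Director of Billing rarely meets staff at Acme Cellular.",
}
PREFIX = {"management": "M", "staff": "S"}


def build_key(roster):
    """Map each title to an ID such as M-02 or S-01; the prefix carries the level."""
    titles = list(roster)
    secrets.SystemRandom().shuffle(titles)  # numbering must not follow roster order
    counters, key = {}, {}
    for title in titles:
        prefix = PREFIX[roster[title]]
        counters[prefix] = counters.get(prefix, 0) + 1
        key[title] = f"{prefix}-{counters[prefix]:02d}"
    return key


def pseudonymize(text, key, company, company_code):
    """Replace every title and the company name, trying the longest names first."""
    mapping = {**key, company: company_code}
    names = sorted(mapping, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(n) for n in names), re.IGNORECASE)
    lookup = {name.lower(): code for name, code in mapping.items()}
    return pattern.sub(lambda m: lookup[m.group(0).lower()], text)


def prepare_for_sharing(notes, roster, company, company_code="Client-07"):
    """Return (notes keyed by ID, key table that stays out of the shared files)."""
    key = build_key(roster)
    shared = {key[title]: pseudonymize(body, key, company, company_code)
              for title, body in notes.items()}
    return shared, key


if __name__ == "__main__":
    shared_notes, key_table = prepare_for_sharing(NOTES, ROSTER, COMPANY)
    for person_id, body in shared_notes.items():
        print(person_id, body)
```

Free-text notes can still identify someone through details other than the title, so the output needs a read-through before it is sent, and the key table is kept by the researcher rather than emailed with the notes.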
Faxing data presents a greater problem, since faxed information has no password protection. Generally, faxed documents are received in a central, open location, so any person walking by can see or take the material. Confidential data should not be faxed except to a secure machine with an operator trained in document security and control.