Data Security Policy Principles

The following overarching principles are intended to guide organizations in developing and implementing an appropriate security plan. PMI organizations should, at a minimum:

  • Strive to build a system that participants trust. This means having a “participant first” orientation when identifying and addressing data security risks. Participants are the foundational stakeholders of all research activities.

  • Recognize that security, medicine, and technology are evolving quickly. As a result, organizations should treat security as a core element of the organization’s culture and services and ensure that security processes and controls are adaptable and updatable.

  • Seek to preserve data integrity, so that participants, researchers, and physicians and other healthcare providers can depend on the data.

  • Identify key risks, and develop evaluation and management plans that address those risks, while still enabling science and research to advance.

  • Provide participants and other relevant parties with clear expectations and transparent security processes.

  • Use security practices and controls to protect data, but not as a reason to deny a participant access to his or her data, or as an excuse to limit appropriate research uses of the data.

  • Act responsibly. Seek to minimize exposure of participant data, and to keep participants and researchers aware of breaches in order to maintain trust over time.

  • Share experiences and challenges so that organizations can learn from each other.