Data Security Policy Principles

*The All of Us Research Program was created as part of the Precision Medicine Initiative (PMI). To learn more about how the All of Us Research Program is rooted in precision medicine, see our Program Overview.

The following overarching principles are intended to guide organizations in developing and implementing an appropriate security plan.

PMI organizations should, at a minimum:

  • Strive to build a system that participants trust. This means having a “participant first” orientation when identifying and addressing data security risks. Participants are the foundational stakeholders of all research activities.

  • Recognize that security, medicine, and technology are evolving quickly. As a result, organizations should treat security as a core element of the organization’s culture and services and ensure that security processes and controls are adaptable and updatable.

  • Seek to preserve data integrity, so that participants, researchers, and physicians and other healthcare providers can depend on the data.

  • Identify key risks, and develop evaluation and management plans that address those risks, while still enabling science and research to advance.

  • Provide participants and other relevant parties with clear expectations and transparent security processes.

  • Use security practices and controls to protect data, but not as a reason to deny a participant access to his or her data, or as an excuse to limit appropriate research uses of the data.

  • Act responsibly. Seek to minimize exposure of participant data, and to keep participants and researchers aware of breaches in order to maintain trust over time.

  • Share experiences and challenges so that organizations can learn from each other.

Last Reviewed: January 26, 2022