- Only the subset of variables required for the analysis is uploaded to the local data server at each study, and that subset is selected specifically to exclude participant identifiers.
- The identity of users is verified either via login credentials or a signed certificate, so that they can only access the data for which they have been given permission. A firewall is used to ensure that only the intended clients, with specific IP addresses, can connect to the servers.
- Communication between users and servers is encrypted, so that if it is intercepted it cannot be read by anyone who is not supposed to view the information. Any breach of data traffic between the analysis computer and the local server can yield only non-disclosive results, not individual-level data, since all data stay at source.
- The output that is returned to the analysis server is designed to be non-disclosive, typically representing results summarised at the level of the study. The individual records that are held on the local server are neither visible nor physically accessible through the remote access process.
- Privacy is additionally addressed through data security methods including cell suppression (to avoid disclosure of sensitive tabular data), restrictions on the types of analyses permitted and limits on commands to prevent identification.
- Read more about how analyses are performed and how data security is protected (pdf).
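As an added illustration of the cell-suppression rule described in the list above (example code written for this page, not the project's own software), the function below builds a cross-tabulation from individual-level records that stay on the "local" side and returns only a disclosure-controlled table. The minimum cell count of 5, the variable names and the records are all constructed assumptions; the page states that cell suppression is applied but gives no threshold. Beyond simply blanking small cells, the example also withholds the marginal totals that would let a recipient recover a hidden cell by subtraction, which is the step that is easy to forget.

```python
from collections import Counter
from typing import Any, Dict, Hashable, List, Tuple

# Assumed minimum cell count: a cell describing fewer individuals than this is
# suppressed. Placeholder value for this example, not the project's setting.
MIN_CELL_COUNT = 5

# Constructed individual-level records standing in for the data held on the
# local server. In the real system these never leave the study site; only the
# output of disclosure_controlled_crosstab() would be returned to the analyst.
LOCAL_RECORDS: List[Dict[str, str]] = (
    [{"sex": "F", "smoker": "yes"}] * 8
    + [{"sex": "F", "smoker": "no"}] * 12
    + [{"sex": "M", "smoker": "yes"}] * 3   # small cell: 3 < MIN_CELL_COUNT
    + [{"sex": "M", "smoker": "no"}] * 10
)

Cell = Tuple[Hashable, Hashable]


def crosstab(records: List[Dict[str, str]], row_var: str, col_var: str) -> Dict[Cell, int]:
    """Count individuals per (row value, column value) pair."""
    return dict(Counter((r[row_var], r[col_var]) for r in records))


def disclosure_controlled_crosstab(
    records: List[Dict[str, str]],
    row_var: str,
    col_var: str,
    threshold: int = MIN_CELL_COUNT,
) -> Dict[str, Any]:
    """Return a two-way table with small cells and unsafe totals suppressed.

    Only aggregates are returned; the individual records are never included.
    """
    counts = crosstab(records, row_var, col_var)
    rows = sorted({r for r, _ in counts})
    cols = sorted({c for _, c in counts})
    # Fill in structural zeros so every row/column combination is present.
    full = {(r, c): counts.get((r, c), 0) for r in rows for c in cols}

    # Primary suppression: hide cells that describe 1..threshold-1 people.
    # A count of zero describes no individual and is left visible here.
    suppressed = [cell for cell, n in full.items() if 0 < n < threshold]
    cells = {cell: (None if cell in suppressed else n) for cell, n in full.items()}

    # Complementary suppression: a row or column total that spans a hidden
    # cell would let the recipient recover it by subtracting the visible
    # cells, so only totals made up entirely of visible cells are released.
    hidden_rows = {r for r, _ in suppressed}
    hidden_cols = {c for _, c in suppressed}
    row_totals = {r: sum(full[(r, c)] for c in cols) for r in rows if r not in hidden_rows}
    col_totals = {c: sum(full[(r, c)] for r in rows) for c in cols if c not in hidden_cols}

    # The grand total together with the released marginals would also expose
    # a hidden cell, so it is withheld whenever any suppression took place.
    grand_total = None if suppressed else sum(full.values())

    return {
        "cells": cells,
        "row_totals": row_totals,
        "col_totals": col_totals,
        "grand_total": grand_total,
        "suppressed": suppressed,
    }


if __name__ == "__main__":
    # Simulates the response an analyst would receive for a tabulation request.
    result = disclosure_controlled_crosstab(LOCAL_RECORDS, "sex", "smoker")
    for cell, n in result["cells"].items():
        print(cell, "suppressed" if n is None else n)
    print("row totals:", result["row_totals"])
    print("column totals:", result["col_totals"])
    print("grand total:", result["grand_total"])
```

With the constructed records the (M, yes) cell of 3 is hidden, and with it the M row total, the "yes" column total and the grand total; the F row total (20) and the "no" column total (22) are released because they sum only visible cells. Raising the records in the small cell to 5 or more, or lowering the threshold, releases the full table including all totals.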