SCF Data Security

Advances in technology have allowed organizations to gather a wealth of personal data from individuals. With the global increase in data collection, threats to the data gathered have grown. Several high profile data breach incidents and online tracking have heightened concerns about the risks associated with unauthorized disclosure of personal information.

Organizations today are challenged to minimize these risks with multilayered approaches to securing computer systems and sensitive data. NORC takes the matter of computer security seriously and has developed a multi-tiered approach to managing the issues surrounding computer and data security. On this page we describe NORC’s:

  • Policies and procedures regarding personally identifying information (PII)
  • Compliance with federal regulations regarding information security, management, and confidentiality
  • Network Data Security
  • Physical Security

Below you will find links to more information about your rights as an SCF study participant.

PII Information and Use

Personally identifying information (PII) includes names, addresses, phone numbers, birthdates, and other information unique to a participant. PII is only used by NORC to administer the survey. This means we will only use PII to a) contact you regarding your participation in and completion of the study, b) contact you regarding potential rewards/incentives/payments associated with your involvement in the study, and c) respond to any questions or comments you may have. We will never share your personal information with anyone outside of NORC and all PII gathered will be destroyed at the end of the study. Information collected for the study will only ever be used for statistical purposes, will be protected by cybersecurity measures, and will be provided in aggregate form to the survey sponsor (the Federal Reserve Board) so that no individual participants may be identified.

We take physical precautions including password protected equipment and restricted keycard access, as well as network security measures such as encrypted transmissions, to ensure that your information and data are secure.

Compliance with Federal Regulations

NORC abides by numerous federal regulations regarding information security, management, and confidentiality. The most important laws are described below.

The Federal Information Security Management Act (FISMA) is United States legislation that protects government information, operations and assets. NORC recognizes that the Federal Information Security Modernization Act of 2014 (FISMA) requires adequate information security protections to mitigate any harm to SCF information under NORC’s management and responsibility, as set out in National Institute of Standards and Technology Special Publication 800-53, Revision 4. FISMA was signed into law as part of the Electronic Government Act of 2018. You can read more about FISMA, NIST, and the Electronic Government Act of 2018.

Participants' answers and information are protected under the Confidential Information Protection and Statistical Efficiency Act of 2018 (CIPSEA). This act provides protection for data and information used for statistical purposes. NORC is also in compliance with the Federal Information Processing Standards (FIPS), which are requirements set forth by the National Institute of Standards and Technology that confirm that our data security system satisfies federal protection requirements.

All SCF project staff must also agree to abide by the Privacy Act of 1974, United States Code 522A, and Internal Revenue Code Sections 6103, 7213, and 7431.

Network and Data Security

The NORC infrastructure maintains a highly secure internal network storage system. NORC uses password protected access rights to prevent data loss, corruption, and unauthorized breaches, thus safeguarding PII and individual privacy. Additionally, NORC follows the least privilege data access model, meaning that users have visibility only to the data for which they have been approved.

NORC will use Federal Information Processing Standard (FIPS) 140-2 compliant encryption (Security Requirements for Cryptographic Module, as amended) to protect all sensitive information during storage and transmission. At the time of hiring, staff must read and sign a legally binding pledge upholding the confidentiality provisions established under the Privacy Act of 1974.

Physical Security

NORC takes great care to enforce physical security measures specifically designed to ensure that access to confidential data is restricted to only those with a defined need and prior authorization.

Project laptops and paperwork are always kept secured by Field Interviewers and NORC staff and are password protected. Our data center and offices are accessible only via front desk check-in and badge entry. Non-NORC employees are only allowed entry if they have been pre-authorized by a designated NORC representative and are accompanied by an NORC employee at all times.

Participation in the Survey of Consumer Finances is completely voluntary. If you have any questions or concerns, please call us at 1-800-609-2911 or send us an email at scf@norc.uchicago.org.