The PALMS system contains personal information about study participants that may be protected under various governmental and organizational privacy regulations. In the United States, these regulations include the Health Insurance Portability and Accountability Act (HIPAA) Security Rule as well as numerous University of California policies.

The PALMS Information Security Policy document details the procedures the PALMS staff at UCSD use to protect data on PALMS servers. Protection of data on your workstation is the responsibility of you and your organization.

We recommend all PALMS users follow these guidelines to protect their data and the integrity of the PALMS community:
  1. Access to PALMS should be limited to individuals for whom it is an authorized work related requirement.
  2. PALMS users should be given access privileges appropriate for their position.
  3. PALMS users should have successfully completed training in Human Subjects Protection and Personal Information Security.
  4. Misuse or unauthorized access of PALMS data should result in disciplinary actions appropriate to the offense in accordance with your organizations personnel policies.
  5. PIs should notify PALMS administrators as soon as possible once a staff member no longer needs access to PALMS in order to deactivate the account.
  6. Use a sufficiently complex password to access PALMS. PALMS accounts and passwords must never be shared. Please request a separate PALMS account for each individual user.
  7. On the computer used to access PALMS, apply security patches to operating systems and application software in a timely manner.
  8. Use up-to-date anti-virus software. Where appropriate enable internal firewalls and install intrusion detection software.
  9. Portable devices, such as laptops, should be password protected or encrypted. Removable media should be encrypted.
  10. Transfer of PALMS data via USB flash drives should be discouraged. When such transfers occur, delete the PALMS data from the flash drive as soon as possible.
  11. Secure, maintain and when necessary dispose of all removable electronic media according to your organizations established procedure. Hard drives and USB flash drives should be wiped. CD-ROMs and DVDs should be destroyed before disposing.
  12. Consider encrypting email containing PALMS data attachments.
  13. Publicly accessible computers, open wireless networks and third party proxy services are very vulnerable to penetration by malicious software and hackers. Access to PALMS via such systems is strongly discouraged.
  14. When adding participants, do not use Personal Identifiable Information (PPI) as the Participant Id.
  15. Likewise, when running calculations or exporting CSV and KML files, do not use PPI in the result name or file name.
  16. PALMS users should use caution when presenting or publishing maps produced with PALMS data. Consider using data collected by staff members in place of data collected by study participants.