National Cancer Institute
DCCPS logo
Health Services & Economics Branch
Cancer Control and Population Sciences

Privacy & Confidentiality Issues:

SEER-Medicare Policy on Encryption & Data Security: Portable Devices & Removable Media

Effective June 4, 2008

There have been a growing number of reports of stolen laptops that have contained sensitive personal data about patients in clinical studies. Because of the potentially sensitive nature of the SEER-Medicare data, the National Cancer Institute is implementing a new policy related to how the SEER-Medicare may be stored, transferred or used on portable devices and removable media.

Definitions of Portable Devices and Removable Media

  1. A portable device includes any non-fixed equipment that contains an operating system which may be used to create, access or store SEER-Medicare data. This includes but is not limited to laptops, personal digital assistants (PDAs), and smart phones.
  2. Removable media includes, but is not limited to: CDs, DVDs, MP3 players, removable memory, and USB drives (thumb drives).


Any investigator who has obtained the SEER-Medicare data (including all persons with access to the data) must take all reasonable measures to ensure the safety and confidentiality of the data that are downloaded to any portable device or removable media. Reasonable measures include storing large files only on network drives or password protecting data AND encrypting any data on portable device or removable media. Encryption is a method used to protect the confidentiality, integrity, and authenticity of the data. SEER-Medicare data stored on portable devices or removable media must be encrypted using one of the following approved encryption standards: Data Encryption Standard (DES) that uses a 64-bit input-output block size; Advanced Encryption Algorithm (AES) that uses a 128, 192, or 256-bit key size; or International Data Encryption Algorithm (IDEA) that uses a 128-bit key size. If any portable device or removable media containing SEER-Medicare data are lost or stolen, the investigator must report the loss to the SEER-Medicare contact within 24-hours/first business day of discovering the loss.

Footer begins
Last modified:
05 Jun 2008
Search | Contact Us | Accessibility | Privacy Policy  
DCCPS National Cancer Institute Department of Health and Human Services National Institutes of Health The US government's official web portal