(1) Institutions shall remove personally identifiable information not required by ORS 350.337 from an individual’s responses to the survey.
(2) Institutions must store, access, and preserve survey data with secure procedures matching the security level for other sensitive data at the institution.
(3) Access to the survey database must be limited to professionals trained in confidential information handling. The titles of all individuals with access, including employees of third-party vendors, must be listed in recruitment materials and on the institution’s survey site.