Utah Population Database reports 94 of 97 NIST controls implemented; questions raised about opt-out and data removal
Summary
Dr. Nicola Kemp reported an internal security audit of the Utah Population Database that found 94 of 97 NIST SP 800-171 protections fully implemented; three items are in remediation. Committee members asked detailed questions about individual opt-out, deletion and data governance.
Dr. Nicola Kemp, director of the Utah Population Database (UPDB) at the University of Utah’s Huntsman Cancer Institute, presented the results of the database’s biennial internal security audit. UPDB serves as a statewide research data resource that links records from multiple contributors to support biomedical and public-health research.
Kemp said UPDB follows the NIST Special Publication 800-171 security framework and maintains a system security plan that is audited every two years. The audit reviewed the system security plan’s 97 checklist items; Kemp reported 94 were found fully implemented and effective, and three protections required improvement. She said two of those three items were low-risk and one was moderate-risk; none were categorized as high or critical. The three items are tracked in the plan of action and milestones (POA&M) and are being addressed, and Kemp said the moderate-risk item was on track to be completed before year-end.
Committee members pressed UPDB staff on questions about opt-out and data removal. Kemp and other University of Utah compliance staff explained two points: (1) individuals can opt out of driver-license data sharing at the Driver License Division and, when that opt-out is processed before data ingestion, UPDB will not receive those DLD records; (2) if DLD or other source records already have been ingested, UPDB has procedures to remove specific contributor data (for example, DLD records) following documented requests. Kemp also said UPDB does not distribute personally identifiable information (PII) to researchers; datasets released for approved studies are de-identified and researchers receive study-specific anonymized identifiers.
University compliance staff described technical and operational constraints on wholesale deletion requests. They said that because UPDB repeatedly ingests data from many contributors, completely purging a person’s data requires coordination with each contributor and could require the requester to provide identifying information so staff can verify and remove matching records across multiple contributor data sets. The committee asked for a written explanation of UPDB’s opt-out and removal procedures and an explanation of how UPDB complies with Utah’s Government Records Access and Management Act (GRAMA) and other applicable data-privacy obligations.
Committee members asked whether UPDB uses profiling, scoring or predictive analytics. UPDB staff said the database supports population-level, epidemiologic research and that individual profiling for non-research enforcement or marketing uses is not permitted. Academic and medical studies that use linked data proceed under institutional review board (IRB) review and other regulatory safeguards, the presenters said.
The committee requested follow-up material describing UPDB’s privacy safeguards, governance, data-contributor agreements, and the technical steps for an individual opt-out or removal; the committee chairs asked UPDB to provide the material in writing for distribution to the members.
