Your data security is our top priority. Your plan’s data will be completely encrypted by your record keeper before it is sent to the database. This will ensure total security for your plan.
For the transfer itself, only encrypted data will be sent to the database, and no personally identifiable information will be sent. This includes social security numbers, employee ID numbers, names, birthdates, job titles, address, location, or any other piece of information that can be used to identify any individual.
The following is a detailed description of the data transfer process:
Phase 1: at Third Party provider
- Generate encryption key
- Distribute encryption key to data provider
- Details:
  - Third Party generates the encryption key on a secure, dedicated system
  - The key is sent from Third Party to the data provider via a secure method using an encrypted file
  - At no point does Third Party receive any data
  - The encryption key never goes to EBRI or NAGDCA
Phase 2: at Data Provider
- Implements hash algorithm – extracts data files
- Transfers data file to database
- Details:
  - Decrypts the package from Third Party to extract the encryption key
  - Implements masking protocol: runs the real SSN value through the HMAC-SHA256 algorithm with the encryption key, resulting in a 64-character hash value
  - Combines the 64-character hash value with the data files
  - The real SSN value, along with any personally identifiable data, is deleted from the data files before they are sent to the PRRL
  - The encryption key never goes to EBRI or NAGDCA – Third Party is available for implementation support
  - The data files are transferred from the data provider to PRRL via a secure method. FTP transfer of an encrypted file is the preferred method
Phase 3: at PRRL
- Manipulates final data files
- Produces analytic deliverables
- Details:
  - Decrypts the package from the data provider to extract the data files containing the standard 64-character hashed id
  - Re-encrypts the hashed value with an EBRI proprietary key
  - Manipulates data and processes analytical results on a segregated and secure system
  - At no point does PRRL receive the encryption key used by providers
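
The Phase 2 masking step, as an added Python example (not code from EBRI, the Third Party or any record keeper). It assumes the SSN is reduced to nine digits before hashing and that the HMAC-SHA256 output is hex-encoded to get 64 characters; the key, column names and sample rows are constructed for illustration.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed 32-byte demo key; in the process above the key comes from the Third Party.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Columns treated as personally identifiable (assumed column names).
PII_COLUMNS = {"ssn", "employee_id", "name", "birthdate", "job_title", "address"}


def normalize_ssn(raw: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' mask identically."""
    digits = re.sub(r"[^0-9]", "", raw)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def mask_ssn(raw: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalized SSN under the key, as 64 hex characters."""
    return hmac.new(key, normalize_ssn(raw).encode("ascii"), hashlib.sha256).hexdigest()


def mask_file(csv_text: str, key: bytes) -> str:
    """Add a hashed_id column and drop every PII column before the file leaves the provider."""
    reader = csv.DictReader(io.StringIO(csv_text))
    kept = [c for c in reader.fieldnames if c.lower() not in PII_COLUMNS]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["hashed_id"] + kept, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        masked = {c: row[c] for c in kept}
        masked["hashed_id"] = mask_ssn(row["ssn"], key)
        writer.writerow(masked)
    return out.getvalue()


# Constructed sample extract (not real data): same person, two SSN formats.
SAMPLE = (
    "ssn,name,birthdate,balance,contribution_rate\n"
    "123-45-6789,Pat Example,1970-01-01,15000.00,0.06\n"
    "123456789,Pat Example,1970-01-01,2200.50,0.03\n"
)

if __name__ == "__main__":
    print(mask_file(SAMPLE, DEMO_KEY))
```

Without the normalization step, the same participant written as `123-45-6789` in one file and `123456789` in another would receive two different hashed ids and could not be linked across files.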