The convenience of fast computers and the Internet has encouraged large collaborative research efforts by allowing transfers of data from multiple sites to a single data repository; however, standards for managing data security are needed to protect the confidentiality of participants. Through Dartmouth Medical School, in 1996–1998, the authors conducted a medicolegal analysis of federal laws, state statutes, and institutional policies in eight states and three different types of health care settings, which are part of a breast cancer surveillance consortium contributing data electronically to a centralized data repository. They learned that a variety of state and federal laws are available to protect the confidentiality of professional and lay research participants. The strongest protection available is the Federal Certificate of Confidentiality, which supersedes state statutory protection, has been tested in court, and extends protection from forced disclosure (in litigation) to health care providers as well as patients. This paper describes the careful planning necessary to ensure adequate legal protection and data security, which must include a comprehensive understanding of state and federal protections applicable to medical research. Researchers must also develop rules or guidelines to ensure appropriate collection, use, and sharing of data. Finally, systems for the storage of both paper and electronic records must be as secure as possible. Am J Epidemiol 2000;152:371–8.