Data Security: Reducing Risk

When conducting human subjects research, one of the most common risks—regardless of the risk otherwise present in the study protocol—is that the confidentiality of data collected from the subjects will be breached.

The security, and management, of data is of concern not only during the conduct of research, but after the actual investigation is finished. Data from closed studies must be appropriately secured, and the investigators should have a clear data retention plan in mind even before starting the research.

Because the disclosure, loss, or theft of data potentially presents a risk both during and after a research study, the IRB is especially interested in determining if investigators have appropriate measures in place to protect the data that they collect. Below you find some guidance and recommended best practices regarding data management.


Use Coded Identifiers and a Master Key

One of the easiest ways to help protect the confidentiality of data that you collect is through the use of coded identifiers.


Plan for Data Transport, Storage, and Security

Ideally, transport of data (whether through physical or electronic means) should be limited to reduce the risk of loss or theft. When it is not in transit, data should be stored in a secure location accessible only to authorized study personnel.

It is recommended that you include in your IRB research proposal the following information: how data will be transported (if applicable); where data will be stored; what security measures will be used; who will have access to the data; and how any identifiable information (consent forms, code keys, etc.) will be kept separately and securely from data files. 


Establish a Data Retention Plan

In accordance with federal guidelines, the IRB requires that study data and consent forms must be maintained securely for, at minimum, three (3) years after the completion of a study (this applies only to non-exempt research).  Regulations, best practices, and ethical guidelines in your specific discipline (e.g., those related to data covered by HIPAA) may dictate a longer retention schedule. The IRB requires the following data retention practices.