Data Security: Reducing Risk
When conducting human subjects research, one of the most common risks—regardless of the risk otherwise present in the study protocol—is that the confidentiality of data collected from the subjects will be breached.
The security, and management, of data is of concern not only during the conduct of research, but after the actual investigation is finished. Data from closed studies must be appropriately secured, and the investigators should have a clear data retention plan in mind even before starting the research.
Because the disclosure, loss, or theft of data potentially presents a risk both during and after a research study, the IRB is especially interested in determining if investigators have appropriate measures in place to protect the data that they collect. Below you find some guidance and recommended best practices regarding data management.
Use Coded Identifiers and a Master Key
One of the easiest ways to help protect the confidentiality of data that you collect is through the use of coded identifiers.
- Assign each study participant a random unique identifier.
- Use this identifier to label all data collection instruments and sheets—do not record any individually identifiable information about the participant as part of the study data.
- Develop a master key to enable the organization of identifying information and data (preferably in an electronic format and vigorously protected with encryption and passwords). Investigators and programs engaged in work where very sensitive and/or federally protected data are gathered should be charged with identifying and implementing file encryption to convince the IRB that robust safeguards are in use.
- Enter the contact or other identifiable information you collect into the master key.
- Record the coded study identifiers in the master key.
- Once the data are organized and analyzed, the master key (and participant contact information forms, if used) should be destroyed. If it is important to your study to keep the master key, please provide a detailed rationale to the IRB.
- Data documents should have only the data and the study ID code; all other identifiers must be eliminated.
- Ideally, the informed consent, data, and the master key should be transported and stored independently (compartmentalization), but reasonable alternatives can be proposed and approved.
Plan for Data Transport, Storage, and Security
Ideally, transport of data (whether through physical or electronic means) should be limited to reduce the risk of loss or theft. When it is not in transit, data should be stored in a secure location accessible only to authorized study personnel.
- Data that are transported physically from a study site to an investigator's office or lab should be locked in a secure container (e.g., a briefcase or lockbox). If possible, a personal vehicle (rather than public transit) should be used.
- Data must be transported separately (whether in separate electronic files or physical containers) from consent documentation or master keys. This ensures that if data is lost or stolen, there will be no associated identifiable information at risk of disclosure.
- Identifiable data and documents should not be stored (except temporarily and out of necessity) at the investigator's place of residence. All identifiable study materials and data should be stored securely on the Pacific University campus. (Note: De-identified data sets may be used for analysis, etc. off-campus).
- Electronic data should be stored only on password-protected (and, if possible, encrypted) storage media or computers.
- Copies of electronic data files should be kept to an absolute minimum. If multiple study personnel need access to the data, storage in a central secure location such as Vault is preferable over multiple copies being provided.
- Electronic data should not be sent over email; but if necessary, it should only be sent if it is de-identified.
- Data (whether electronic or physical) must be stored separately from the master code key.
It is recommended that you include in your IRB research proposal the following information: how data will be transported (if applicable); where data will be stored; what security measures will be used; who will have access to the data; and how any identifiable information (consent forms, code keys, etc.) will be kept separately and securely from data files.
Establish a Data Retention Plan
In accordance with federal guidelines, the IRB requires that study data and consent forms must be maintained securely for, at minimum, three (3) years after the completion of a study (this applies only to non-exempt research). Regulations, best practices, and ethical guidelines in your specific discipline (e.g., those related to data covered by HIPAA) may dictate a longer retention schedule. The IRB requires the following data retention practices.
- Following the minimum three-year retention period, individually identifiable information (including the master key and any combination of indirect identifiers that could reasonably identify a subject) must be destroyed, if it has not been already. De-identified data may be retained indefinitely.
- During the retention period, data, signed consent forms, and other documentation related to human subjects must be stored in the manner described in the IRB-approved protocol. Access must be limited to those identified in the approved protocol as having access to study data.