Data Security and Storage
When conducting human subjects research, one of the most common risks — regardless of the risk otherwise present in the study protocol — is that the confidentiality of data collected from the subjects will be breached.
The security, and management, of data is of concern not only during the conduct of research, but after the actual investigation is finished. Data from closed studies must be appropriately secured, and the investigators should have a clear data retention plan in mind even before starting the research.
Because the disclosure, loss, or theft of data potentially presents a risk both during and after a research study, the IRB is especially interested in determining if investigators have appropriate measures in place to protect the data that they collect. Below you find some guidance and recommended best practices regarding data management. The following recommendations are to assist you in designing a data security and storage plan for your study. The recommendations are extensive, but not exhaustive. Please consider all facets of your study requiring data storage and security.
IRB BOX Recommendations
The IRB strongly recommends storing your study materials (consent materials, data, etc.) in your BOX account. Please refer to the IRB Data Storage in BOX Guidelines (PDF). The recommendations in the following sections apply to file storage in BOX, as well, but provide more specific guidance to consider when developing the data security and storage part of your study. The IRB Data Storage in BOX also includes guidance for Regulatory Binder requirements (see those webpages for further details), but the information has been provided as one set of guidelines for a comprehensive study and data storage approach.
Use Coded Identifiers and a Master Key
One of the easiest ways to help protect the confidentiality of data that you collect is through the use of coded identifiers. The IRB has provided a Log to track screening, enrollment, and Coded Identifiers. Please see IRBNet.
• Assign each study participant a random unique identifier.
• Use this identifier to label all data collection instruments and sheets — do not record any individually identifiable information about the participant as part of the study data.
• Develop a master key to enable the organization of identifying information and data (preferably in an electronic format and vigorously protected with encryption and passwords). Investigators and programs engaged in work where very sensitive and/or federally protected data are gathered should be charged with identifying and implementing file encryption to convince the IRB that robust safeguards are in use. (Do also refer to the IRB's recommendations for storage of files in BOX.)
• Enter the contact or other identifiable information you collect into the master key.
• Record the coded study identifiers in the master key.
• Once the data are organized and analyzed, the master key (and participant contact information forms, if used) should be destroyed. If it is important to your study to keep the master key, please provide a detailed rationale to the IRB. In your proposal, detail how and when these keys will be destroyed.
• Data documents should have only the data and the study ID code; all other identifiers must be eliminated.
• Ideally, the informed consent, data, and the master key should be transported and stored independently (compartmentalization), but reasonable alternatives can be proposed and approved.
Plan for Data Transport, Storage, and Security
Ideally, transport of data (whether through physical or electronic means) should be limited to reduce the risk of loss or theft. When it is not in transit, data should be stored in a secure location accessible only to authorized study personnel. The IRB highly recommends using BOX for data storage, Pacific University's online file storage platform, for all data storage and transportation. For instance, scanning the documents on site to BOX eliminates the need to secure identifiable physical data for transport.
• Data that are transported physically from a study site to an investigator's office or lab should be locked in a secure container (e.g., a briefcase or lockbox). If possible, a personal vehicle (rather than public transit) should be used.
• Data must be transported separately (whether in separate electronic files or physical containers) from consent documentation or master keys. This ensures that if data is lost or stolen, there will be no associated identifiable information at risk of disclosure.
• Identifiable data and documents should not be stored (except temporarily and out of necessity) at the investigator's place of residence. All identifiable study materials and data should be stored securely on the Pacific University campus. (Note: De-identified data sets may be used for analysis, etc. off-campus).
• Electronic data should be stored only on password-protected (and, if possible, encrypted) storage media or computers.
• Copies of electronic data files should be kept to an absolute minimum. If multiple study personnel need access to the data, storage in a central secure location such as Vault is preferable over multiple copies being provided.
• Electronic data should not be sent over email; but if necessary, it should only be sent if it is de-identified.
• Data (whether electronic or physical) must be stored separately from the master code key.
It is recommended that you include in your IRB research proposal the following information: how data will be transported (if applicable); where data will be stored; what security measures will be used; who will have access to the data; and how any identifiable information (consent forms, code keys, etc.) will be kept separately and securely from data files.
Establish a Data Retention Plan
In accordance with federal guidelines, the IRB requires that study data and consent forms must be maintained securely for, at minimum, three (3) years after the completion of a study (this applies only to non-exempt research). Regulations, best practices, and ethical guidelines in your specific discipline (e.g., those related to data covered by HIPAA) may dictate a longer retention schedule. The IRB requires the following data retention practices.
• Following the minimum three-year retention period, individually identifiable information (including the master key and any combination of indirect identifiers that could reasonably identify a subject) must be destroyed, if it has not been already. De-identified data may be retained indefinitely.
During the retention period, data, signed consent forms and other documentation related to human subjects must be stored in the manner described in the IRB-approved protocol. Access must be limited to those identified in the approved protocol as having access to study data.