Federal regulations require IRBs to determine the adequacy of provisions to protect the privacy of subjects and to maintain the confidentiality of their data. To meet this requirement, federal regulations require researchers to provide a plan to protect the confidentiality of research data. Today, the majority of data is at some point collected, transmitted, or stored electronically. The purpose of this document is to help the research community develop best practices for managing electronic data. These best practices will need to adapt as technology evolves, so it is important that research teams keep current with the guidance and resources offered by the Cambridge Health Alliance. In addition, research is now a global enterprise, and investigators should understand the international laws or regulations that may apply when conducting research outside the United States.
The Principal Investigator (PI) is responsible for ensuring that research data is secure when it is collected, stored, transmitted, or shared. All members of the research team should receive appropriate training about securing and safeguarding research data. For example, the research team should understand they need to document their standard practices for protecting research data so that they can provide these details to the IRB if a mobile device is lost or stolen. Data security must be discussed regularly at research team meetings, and data security details must be included in the study data and safety monitoring plan.
Researchers have a responsibility to be good data stewards. In the past, the majority of data was collected and stored on paper. At a minimum, data was protected by being locked in a file cabinet in a locked room that only members of the research team could access. Today, data is collected, transmitted, and stored on computers and mobile devices. Simply password-protecting a computer may not be sufficient to meet the rigorous security standards mandated by Cambridge Health Alliance and the Office of the Chief Information Security Officer. Researchers need to collaborate with their school, department or center IT staff who have the expertise to evaluate the security methods most appropriate for the sensitivity of the research data.
Data that will be shared with others requires additional oversight to uphold the privacy of the research participant and the confidentiality of their data. If data from the study is to be shared outside the research team, it is important that the researchers obtain the appropriate consent from study participants.
In the past, many consent documents had language that limited sharing of the data more so than was necessary or intended. It is important to think about future data use and to tailor the consent language and permissions to meet your future data sharing needs.
Some researchers may request permission to share identifiable data, but the majority will be sharing de-identified data. Many sponsors, including federal agencies, require data sharing as a condition of funding, and this must be reflected in the consent document and, most importantly, in the consent process (discussion). This includes the acknowledgement of the data sharing practices and the possible risk of re-identification when applicable. One should never guarantee that de-identified data cannot be relinked and the participant’s identity disclosed. As technology evolves, so does the potential risk of re-identification.
The NIH has specific requirements about ensuring data security when collecting identifiable research data in section 2.3.12 Protecting Sensitive Data and Information in Research.
“Recipients of NIH funds are reminded of their vital responsibility to protect sensitive and confidential data as part of proper stewardship of federally funded research, and take all reasonable and appropriate actions to prevent the inadvertent disclosure, release or loss of sensitive personal information. NIH advises that personally identifiable, sensitive, and confidential information about NIH-supported research or research participants not be housed on portable electronic devices. If portable electronic devices must be used, they should be encrypted to safeguard data and information. These devices include laptops, CDs, disc drives, flash drives, etc. Researchers and institutions also should limit access to personally identifiable information through proper access controls such as password protection and other means. Research data should be transmitted only when the security of the recipient’s systems is known and is satisfactory to the transmitter. See also Public Policy Requirements and Objectives—Federal Information Security Management Act.”
The NIH also instituted the Genomic Data Sharing (GDS) Policy to promote sharing, for research purposes, of large-scale human and non-human genomic data generated from NIH-funded research. The policy requires investigators to incorporate a genomic data sharing plan in the ‘resource sharing’ section of their application. This policy applies to proposals and applications submitted after January 25, 2015. More information is available at http://grants.nih.gov/grants/guide/notice-files/NOT-OD-14-124.html.
Based on the type of data involved in the study, the IRB is required to 1) assess potential risks to participants, and 2) evaluate the researchers’ plan to minimize risks. All research activities result in some type of risk and the researcher has the responsibility to mitigate the risk of improper disclosure.
What is the risk?
What are the protections against anticipated threats or hazards (during collection, transmission, storage)?
Many researchers are purchasing mobile apps or building their own app to interact with study participants. Seek expert IT review and, if the app is commercially available, purchase it through CHA's Purchasing Office so that a legal and data security review is performed. Even if the participant is asked to download a free app or is given money for the download, the researcher is still responsible for disclosing potential risks. It is possible that the app the participant downloaded will capture other data stored on or linked to the phone on which it is installed (e.g., contact list, GPS information, access to other applications such as Facebook). The researcher has the responsibility to understand known or potential risks and convey them to the study participant. Commercially available apps publish "terms of service" that detail how app data will be used by the vendor and/or shared with third parties. It is the researcher's responsibility to understand these terms, relay that information to participants, and monitor the terms for updates. Additionally, it is important that the researcher collect from the app only the minimum data necessary to answer the research questions.
The process of transmitting data is often overlooked as a risk. The plan to protect confidentiality should describe the methods used to protect the data during collection and sharing, both internally and externally to CHA. It is advisable to use a secure transmission process even if the data is anonymous, coded, or non-sensitive. If the research team adopts a secure data transmission process as standard practice, a data breach is less likely to occur. Email is generally not secure, except in very limited circumstances, and should not be used to share or transmit research data. Text messages are stored by the telecommunications provider and therefore are not secure. Data should be encrypted when "in transit," and the CHA CISO and ISPOT provide extensive guidance, software, and resources to assist researchers with this. Terms such as Secure Sockets Layer/Transport Layer Security (SSL/TLS, which is what HTTPS uses) or Secure File Transfer Protocol (SFTP) are indications that the data is being encrypted during transmission.
The first fact to remember is that the research data belongs to the Cambridge Health Alliance and not the researcher. It has become common practice to store some level of personal information in the Cloud with services such as Box, Google Drive, Dropbox, Salesforce.com, Evernote, Office365, and Amazon. Using such services can often result in cost savings; however, special attention must be paid to potential security risks, export control restrictions, and data ownership issues.
Currently, CHA's sanctioned cloud-based storage for research is Google Drive and Dropbox. Only data that meets HIPAA de-identification standards should be stored on these services. For identifiable information, the best practice is to store the data on a server maintained by CHA IT or a server that has been sanctioned by CHA's Information Security Group and Systems Group. Using departmental servers to store research data is not recommended.
If you are considering the storage of any data outside our networks, working through CHA's ISPOT Committee will help you address the following questions that will be required:
Collecting or storing research data using the internet results in additional complexity as one must consider the jurisdictional authority: is it the jurisdiction of the researcher, the location of the study participants, or the location where the data is stored? Data may be collected in one jurisdiction but then stored in another. Researchers need to be aware that there may be differing data security privacy policies. It is important that researchers consider the laws, including international laws and export controls regulations, and if needed have agreements in place to ensure compliance.
Policy Link: Data Transmission Integrity Controls: Encryption and Decryption (A-ISN-0023)
Encryption protects data by encoding information so that only authorized parties may read it. Encryption can occur "at rest," where the data is being stored, and "in transit," as the data is being moved from one location to another. As previously stated, there are many tools and methods available to encrypt all types of data, and CHA has extensive resources available to help with encryption. Contacting the Office of the Chief Information Security Officer will help guide the process.
The Cambridge Health Alliance has a site license for the REDCap survey system, which is available at no cost to all staff and students. This cloud-based research tool has been vetted and authorized by the Chief Compliance Officer and their office. The software is available to support teaching, academic research, and institutional business. Access to REDCap is available by contacting the CHA IRB Office at CHAIRBoffice@challiance.org.
If any other survey software is used, it must first undergo a data security review and be presented to the CHA Information Security and Privacy Oversight Team (ISPOT), and, if commercially available, must be purchased through the CHA purchasing process and committees.
Many investigators wish to collect the IP addresses of survey participants as a method of determining whether a user has previously completed the survey. As stated earlier, CHA and some international standards consider IP addresses to be identifiable information. This is important to consider when conducting surveys, especially if the consent process indicates that a participant's responses will be anonymous. When using Qualtrics, check the option to anonymize the data collection process and do not collect the IP address. If IP addresses are necessary to the research, state in the consent process that you will be recording this information.
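One way to keep the duplicate-submission check the paragraph describes without retaining raw IP addresses in the study dataset, as an added example that is not part of this guidance and not a feature of Qualtrics or REDCap: replace each IP with a keyed HMAC-SHA256 token before storage. Equal IPs yield equal tokens, so repeats are still detectable, but without the secret the token cannot be reversed or brute-forced across the IPv4 space (an unkeyed hash could be). The secret is an assumption of the example and would be held apart from the data and destroyed once the check is no longer needed; the sample responses below are constructed and use documentation address ranges.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
)

// rawResponse is what a survey platform might hand back per submission,
// with the raw IP still present. Constructed for this example.
type rawResponse struct {
	ResponseID string
	IP         string
	Answers    string
}

// storedResponse is the form written to the study dataset: the raw IP is
// gone and only an opaque keyed token remains.
type storedResponse struct {
	ResponseID string
	IPToken    string
	Answers    string
}

// IPToken computes HMAC-SHA256(secret, canonical IP). The address is
// normalised first so that textual variants of the same IPv6 address
// ("::1" versus "0:0:0:0:0:0:0:1") produce the same token.
func IPToken(secret []byte, ip string) (string, error) {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return "", fmt.Errorf("not an IP address: %q", ip)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parsed.String()))
	return hex.EncodeToString(mac.Sum(nil)), nil
}

// Pseudonymise replaces raw IPs with tokens and reports the IDs of responses
// whose IP was already seen earlier in the same batch.
func Pseudonymise(secret []byte, in []rawResponse) ([]storedResponse, []string, error) {
	seen := make(map[string]bool)
	var out []storedResponse
	var repeats []string
	for _, r := range in {
		tok, err := IPToken(secret, r.IP)
		if err != nil {
			return nil, nil, err
		}
		if seen[tok] {
			repeats = append(repeats, r.ResponseID)
		}
		seen[tok] = true
		out = append(out, storedResponse{ResponseID: r.ResponseID, IPToken: tok, Answers: r.Answers})
	}
	return out, repeats, nil
}

func main() {
	// Assumed: a per-study secret generated once and kept outside the dataset.
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	batch := []rawResponse{
		{"R1", "192.0.2.10", "q1=3"},
		{"R2", "198.51.100.7", "q1=5"},
		{"R3", "192.0.2.10", "q1=4"}, // same IP as R1
	}
	stored, repeats, err := Pseudonymise(secret, batch)
	if err != nil {
		panic(err)
	}
	for _, s := range stored {
		fmt.Println(s.ResponseID, s.IPToken[:12]+"...", s.Answers)
	}
	fmt.Println("repeat submissions:", repeats)
}
```

The token is still a pseudonym rather than anonymous data while the secret exists, so the consent language about recording this information applies just as it does to raw IPs; what changes is that a leaked dataset no longer carries the addresses themselves.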
The Data and Safety Monitoring Plan should indicate that research team meetings include discussions about, but not limited to:
Think about the Consent process and documentation:
Include a detailed description of any research activities the research participant will perform that entail the use of any electronic data (e.g., accessing a website, downloading an app, text messages, completing a survey) so the IRB can determine that risks are minimized.
You are responsible for complying with the policies and standards below. The information on this page helps you meet that responsibility.