Data Collection, Storage, and Protection

The IRB will review the data you are proposing to collect to ensure it is aligned with the goals of your study. You will be asked, in Part 2 of the IRB Review Form, to explain the data you are seeking to collect, how it will be collected, where it will be stored, who will have access to it, how it will be protected, and how and when it will be destroyed. To fulfill privacy requirements, security measures first and foremost aim to assure confidentiality. This means that information that can identify a participant will be accessed only by appropriate persons for appropriate reasons. Many researchers erroneously state that the data they are collecting are anonymous. While this may be the case for publicly available de-identified data sets, it is often not true in other situations (e.g., if you are collecting any identifying information, like an employee or student number, name, email address, IP address, etc., then you cannot claim the data are anonymous).

One of the best ways to increase data protection is to code it so that only you can link the data to individual participants. The log cross-referencing the participant identification number with the participant's name should be stored separately from the data. If the study involves electronic data, the log with identifiers should be stored on a separate drive or in a cloud-based solution with a unique password.
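The coding step described above can be scripted. The following Python sketch is an added example, not part of the IRB's own guidance; the column names (name, email, wave, score) and the sample rows are constructed assumptions. It replaces direct identifiers with a random participant ID and returns the linking log as a separate object so it can be saved to a different drive or account than the data.

```python
import secrets

# Direct identifiers to strip from the analysis data set (assumed column names).
IDENTIFIER_FIELDS = ("name", "email")

def code_participants(rows, id_bytes=4):
    """Split raw rows into (coded_data, linking_log).

    coded_data keeps only a random participant ID plus the remaining fields;
    linking_log maps that ID back to the identifiers and is meant to be saved
    somewhere other than coded_data.
    """
    coded_data, linking_log = [], {}
    ids_by_person = {}  # same person -> same ID across repeated rows
    for row in rows:
        person = tuple(row[f].strip().lower() for f in IDENTIFIER_FIELDS)
        pid = ids_by_person.get(person)
        if pid is None:
            # Random, not derived from the identifiers, so the ID reveals nothing.
            pid = "P-" + secrets.token_hex(id_bytes)
            while pid in linking_log:  # regenerate on the rare collision
                pid = "P-" + secrets.token_hex(id_bytes)
            ids_by_person[person] = pid
            linking_log[pid] = {f: row[f] for f in IDENTIFIER_FIELDS}
        coded = {k: v for k, v in row.items() if k not in IDENTIFIER_FIELDS}
        coded_data.append({"participant_id": pid, **coded})
    return coded_data, linking_log

# Constructed sample responses (not real participants).
SAMPLE_ROWS = [
    {"name": "Ana Ruiz", "email": "ana@example.edu", "wave": 1, "score": 17},
    {"name": "Ben Cho", "email": "ben@example.edu", "wave": 1, "score": 22},
    {"name": "Ana Ruiz", "email": "ANA@example.edu", "wave": 2, "score": 19},
]

if __name__ == "__main__":
    data, log = code_participants(SAMPLE_ROWS)
    for record in data:
        print(record)
    print(len(log), "entries in linking log (store separately)")
```

The script removes only the listed identifier columns; identifying details inside other fields, such as free-text answers, still need separate review.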

While de-identifying the data is the ideal method for protecting confidentiality, sometimes this is not possible when doing so would compromise the utility of the data for scientific purposes. In an effort to minimize risk, the IRB may request that data be de-identified as soon as the data analysis is complete and the research has been published or otherwise disseminated. 

Another consideration is the storage and transmission of electronic data. Use care with flash drives or external drives that can be lost or stolen (alternatives include cloud-based storage that requires a password and/or two-step authentication).

Research involving sensitive data such as illegal activities or protected health information (PHI) should have a comprehensive data security plan, as this type of data requires additional safeguards. Data is considered sensitive when disclosing identifying information could have adverse consequences for participants, damage their financial standing, employability, insurability, educational advancement, or reputation, or place them at risk for criminal or civil liability. The data security plan should minimally include plans for authentication of those who have appropriate access to the data (for example, appropriate password protection), an appropriate firewall for the computer system, anti-virus and anti-spyware software, encryption of the data files, and secure location and storage of the computer systems and servers. Additionally, the plan should provide considerations to mitigate the risks of storing data on laptops and flash drives.