University of Alaska Fairbanks (UAF) Institutional Review Board (IRB) Guidelines for secure storage & handling of electronic human subject research data Traditionally, the confidential handling of human subject research data was achieved by keeping paper files securely locked in cabinets and offices. While these provisions still apply to hard copy files today, the diverse range of human subject research and increasing reliance on electronic data management on an equally broad range of devices means investigators must pay close attention to their data security needs. The UAF IRB expects investigators to use the following basic data protection measures. Applicability: These guidelines apply to Full and Expedited research projects involving electronic data with either: a) personal identifiers* OR b) information of a personal or health nature. Studies that collect neither or are determined to be “Exempt” research should still employ adequate data protection measures, both to protect the loss of valuable research data and to be responsible stewards of participant data. These guidelines cover three major issues for electronic data storage and transfer; use of specific devices for data storage, use of web-based surveys for data collections, and methods to transfer data between collaborators or between locations. The last issue is particularly important in Alaska where many field sites are remote or lack internet access. Finally, there is a checklist to assist researchers in determining their data security needs. * Personal identifiers: For the purpose of these guidelines, this includes any or all of the following: (1) names; (2) social security numbers; (3) birth dates; (4) addresses; (5) IP addresses; (6) any other data that could reasonably lead to discovering a participant’s identity. Please bear in mind that for rural or remote Alaskan locations with very small populations, it is possible that even simple demographic information or a combination of demographic data points could lead to an individual’s identity (for example, in a population of less than 300, a female participant, aged 87). Data collection and storage devices The following devices may be used to store and maintain research data that contain personal identifiers or information of a personal or health nature, provided it utilizes one of the options listed for the device. If needed, investigators should consult OIT or their departmental IT staff for assistance in applying recommended security measures. Encryption software is available for many devices from OIT. 1. Secure servers or stand-alone PCs. a. Research files are protected by a firewall and encryption OR b. Research data files are separate from any personal identifiers (linked by a key) and both files are password protected and the server or PC is also password protected 2. Laptop devices a. Device uses software that automatically encrypts research files or device uses full disk encryption OR b. Research data files are separate from any personal identifiers (linked by a key) and both files are password protected and the laptop is also password protected 3. Jump drives, CDs or DVDs: a. Device uses software that automatically encrypts research files or the entire device is encrypted OR b. Research data files are separate from any personal identifiers (linked by a key) and both files are password protected and the device is also password protected 4. PDAs, iPODs Android and Blackberry devices. a. Device uses software that automatically encrypts research files OR v.09.2014 b. Research data files are separate from any personal identifiers (linked by a key) and both files are password protected and the device is also password protected Web-based survey research The two most common types of web-based surveys: 1. Investigator-devised and programmed survey tools housed on university servers under the control of the investigator; a. Research data with personal identifiers should be submitted directly into a secure web server (“https”) and the server should encrypt any personal identifiers upon submission and be behind a firewall. b. Web-based anonymous or de-identified data do not need to be encrypted and firewall protections are advised but not essential. 2. Independent proprietary vendors of web-based survey tools are generally ethical, but investigators are expected to obtain information about the security and privacy protections, including whether the tool captures and saves user IP addresses during completion of the survey; a. Request that vendor ‘scrub’ IP addresses upon submission of the completed form. Some vendors, especially those that promote freeware, do in fact collect and share respondents’ IP addresses with their consortium of investors for marketing and sales purposes and therefore cannot guarantee absolute anonymity to survey respondents. b. Request that vendor ‘scrub’ IP addresses from the data before it is provided to the investigator. With either method, the informed consent forms and scripts must clarify the protections available to the webusing participant. Just as consent forms describe protections of hard copy research materials locked in file cabinets, consent forms for internet-based research should describe the specific web-based data security measures employed. If proprietary vendors are collecting the data, and if breach of confidentiality could put respondents at risk due to the nature of the survey, consent forms should spell out this possibility to potential respondents. If the vendor is not willing or able to provide this information, another vendor must be used. Sharing or transmitting field research data or data between researchers Appropriate data security measures for a given data set must be maintained in perpetuity; whenever protected data are transferred or shared, the recipient must use the same security measures employed by the sender. If field research takes place in remote areas of Alaska or researchers must share data with co-researchers, the IRB prefers the following methods: a. Secure File Share (aka; secure File Transfer Protocol or “FTP”). This service is available through the UAF Life Sciences Informatics (INBRE) and can be used to securely transmit data between collaborators, wherever located, as long as both parties have internet access. A researcher submits a request to INBRE once the share account is activated, it can be used to store and share research data, personal identifiers, and/or key files for de-identified data sets. A single researcher may also use this service to store and access their own research data from different locations; for example, home and office. In this way, no data is stored on personal computers or laptops. b. Virtual Private Network (VPN). VPNs are commercially available for nominal fees and in some cases these fees may be allowable grant charges. c. Email. The IRB prefers this method not be used to transfer data in favor of either a Secure File Share service or a VPN. If neither of those is available, email may only be used to transfer data if it is contained in an encrypted file attachment. d. Jump drives, CDs or DVDs. These may be used to transfer data provided the device utilizes encryption or password options above for the device. They may be hand-carried, stored in carry-on luggage (NOT checked baggage) or mailed via USPS certified mail, FedEx, or UPS. Package tracking must be used. v.09.2014 Investigator checklist for data protections The following checklist can assist investigators in assessing their data security and protections and provide guidance on what to include in protocol narratives and consent forms. TOPIC DATA TYPES Will your study collect personal identifiers? GUIDANCE/RECOMMENDATIONS ___Yes ___No Will a key file be used to separate research data from personal identifiers? ___Yes ___No Will you be receiving personally identifiable data from pre-existing data sets (e.g. medical records, academic records)? ___Yes ___No Will participant data be entered directly into electronic devices during research surveys or procedures? ___Yes ___No Will you be using any portable devices for data collection or storage? (This includes Laptops, iPADs, PDAs, Androids, Blackberries, etc.) ___Yes ___No Are you planning to put data on small portable storage devices such as jump drives? ___Yes ___No Are you using a university desktop PC or MAC for entering study data? ___Yes ___No v.09.2014 If Yes then: Generally, the IRB requires researchers to keep personal identifiers separate from the research data. A separate key file or code table can be used to maintain confidentiality of individual records. *Note this protection in the protocol and on the consent form. If Yes then: Ensure key file is separate from the research data and that the device the files are stored on is protected by measures for the given device above. If Yes then: Ensure key file is separate from the research data and that the device the files are stored on is protected by measures for the given device above. If Yes then: Ensure that encryption is installed such that personal identifiers are always encrypted as they are entered, saved or submitted. Ideally, the encryption occurs during entry, but at the “save” or “submit” function is also acceptable. *Note this in the consent form. An example of language for this might be: “All personal identifying information is encrypted as it is submitted.” Or “All personal identifiers are encrypted when the data are uploaded.” If Yes then: Ensure that encryption is installed such that personal identifiers are always encrypted as they are entered, as they are saved or submitted. Ideally, the encryption occurs during entry, but at the “save” or “submit” function is also acceptable. There are two ways of encrypting data for portable devices: (1) Encrypting the entire device so that a password is needed to even open any operation of the device; and (2) encryption only of the specific file containing research data. If Yes then: Ensure that personal identifiers are not stored on jump drives. Other research data can be stored on jump drives as long as there is no way that the data could be traced back to a participant. If Yes then: Ensure that your device is behind the university firewall. Is the device a personally owned desktop PC or MAC? ___Yes ___No Are you using a privately devised survey tool? ___Yes ___No Are you using a commercial or independent proprietor’s survey tool? ___Yes ___No For independent proprietor surveys; are survey questions of a sensitive nature such that a breach of confidentiality could put subjects at risk? ___Yes ___No v.09.2014 Ensure that backups are to secure system servers or if an external hard drive is used for backups, ensure that it contains only encrypted personal identifiers. If Yes then: Do not store any personal identifiers on a personal desktop device. Anonymous or de-identified research data should be protected by a firewall at all times. If Yes then: The survey must be housed on a secure, university-owned, firewall protected server. If Yes then: Be sure to find out to whether IP addresses are collected, what protections are in place to protect the data against unauthorized access, and whether the data can be encrypted upon transmission. Note such protections or lack of in the consent form. If Yes then: Consent form should address the possibility of breach of confidentiality and reiterate that anonymity cannot be guaranteed unless written statement from proprietor confirms IP addresses are scrubbed from the data upon submission by the participant. If data is scrubbed by the proprietor AFTER submission, or by the researcher, the consent form should state as much.