University of Alaska Fairbanks (UAF) Institutional Review Board (IRB)
Guidelines for secure storage & handling of
electronic human subject research data
Traditionally, the confidential handling of human subject research data was achieved by keeping paper files
securely locked in cabinets and offices. While these provisions still apply to hard copy files today, the diverse
range of human subject research and increasing reliance on electronic data management on an equally broad
range of devices means investigators must pay close attention to their data security needs. The UAF IRB expects
investigators to use the following basic data protection measures.
Applicability:
These guidelines apply to Full and Expedited research projects involving electronic data with either: a) personal
identifiers* OR b) information of a personal or health nature. Studies that collect neither, or that are determined to
be “Exempt” research, should still employ adequate data protection measures, both to protect against the loss of
valuable research data and to be responsible stewards of participant data.
These guidelines cover three major issues for electronic data storage and transfer: use of specific devices for
data storage, use of web-based surveys for data collection, and methods to transfer data between
collaborators or between locations. The last issue is particularly important in Alaska, where many field sites are
remote or lack internet access. Finally, there is a checklist to assist researchers in determining their data security
needs.
* Personal identifiers: For the purpose of these guidelines, this includes any or all of the following: (1) names; (2) social
security numbers; (3) birth dates; (4) addresses; (5) IP addresses; (6) any other data that could reasonably lead to
discovering a participant’s identity. Please bear in mind that for rural or remote Alaskan locations with very small
populations, it is possible that even simple demographic information or a combination of demographic data points could
lead to an individual’s identity (for example, in a population of less than 300, a female participant, aged 87).
Data collection and storage devices
The following devices may be used to store and maintain research data that contain personal identifiers or
information of a personal or health nature, provided the device uses one of the options listed for it. If needed,
investigators should consult OIT or their departmental IT staff for assistance in applying recommended security
measures. Encryption software is available for many devices from OIT.
1. Secure servers or stand-alone PCs.
a. Research files are protected by a firewall and encryption OR
b. Research data files are separate from any personal identifiers (linked by a key) and both files are
password protected and the server or PC is also password protected
2. Laptop devices
a. Device uses software that automatically encrypts research files or device uses full disk encryption OR
b. Research data files are separate from any personal identifiers (linked by a key) and both files are
password protected and the laptop is also password protected
3. Jump drives, CDs or DVDs:
a. Device uses software that automatically encrypts research files or the entire device is encrypted OR
b. Research data files are separate from any personal identifiers (linked by a key) and both files are
password protected and the device is also password protected
4. PDAs, iPods, Android and Blackberry devices:
a. Device uses software that automatically encrypts research files OR
v.09.2014
b. Research data files are separate from any personal identifiers (linked by a key) and both files are
password protected and the device is also password protected
Web-based survey research
The two most common types of web-based surveys are:
1. Investigator-devised and programmed survey tools housed on university servers under the control of the
investigator;
a. Research data with personal identifiers should be submitted directly into a secure web server (“https”)
and the server should encrypt any personal identifiers upon submission and be behind a firewall.
b. Web-based anonymous or de-identified data do not need to be encrypted and firewall protections are
advised but not essential.
2. Independent proprietary vendors of web-based survey tools are generally ethical, but investigators are
expected to obtain information about the security and privacy protections, including whether the tool captures
and saves user IP addresses during completion of the survey;
a. Request that vendor ‘scrub’ IP addresses upon submission of the completed form. Some vendors,
especially those that promote freeware, do in fact collect and share respondents’ IP addresses with their
consortium of investors for marketing and sales purposes and therefore cannot guarantee absolute
anonymity to survey respondents.
b. Request that vendor ‘scrub’ IP addresses from the data before it is provided to the investigator.
With either method, the informed consent forms and scripts must clarify the protections available to the web-using
participant. Just as consent forms describe protections of hard copy research materials locked in file
cabinets, consent forms for internet-based research should describe the specific web-based data security
measures employed. If proprietary vendors are collecting the data, and if a breach of confidentiality could put
respondents at risk due to the nature of the survey, consent forms should spell out this possibility to potential
respondents. If the vendor is not willing or able to provide this information, another vendor must be used.
Sharing or transmitting field research data or data between researchers
Appropriate data security measures for a given data set must be maintained in perpetuity; whenever protected
data are transferred or shared, the recipient must use the same security measures employed by the sender.
If field research takes place in remote areas of Alaska or researchers must share data with co-researchers, the
IRB prefers the following methods:
a. Secure File Share (aka secure File Transfer Protocol, or “FTP”). This service is available through the UAF
Life Sciences Informatics (INBRE) and can be used to securely transmit data between collaborators,
wherever located, as long as both parties have internet access. A researcher submits a request to INBRE;
once the share account is activated, it can be used to store and share research data, personal identifiers,
and/or key files for de-identified data sets. A single researcher may also use this service to store and
access their own research data from different locations, for example home and office. In this way, no
data are stored on personal computers or laptops.
b. Virtual Private Network (VPN). VPNs are commercially available for nominal fees and in some cases
these fees may be allowable grant charges.
c. Email. The IRB prefers this method not be used to transfer data in favor of either a Secure File Share
service or a VPN. If neither of those is available, email may only be used to transfer data if it is contained
in an encrypted file attachment.
d. Jump drives, CDs or DVDs. These may be used to transfer data provided the device uses the encryption or
password options listed above for that device. They may be hand-carried, stored in carry-on luggage (NOT
checked baggage) or mailed via USPS certified mail, FedEx, or UPS. Package tracking must be used.
Investigator checklist for data protections
The following checklist can assist investigators in assessing their data security and protections and provide
guidance on what to include in protocol narratives and consent forms.
DATA TYPES

1. Will your study collect personal identifiers?  ___Yes  ___No
   If Yes then: Generally, the IRB requires researchers to keep personal
   identifiers separate from the research data. A separate key file or code
   table can be used to maintain confidentiality of individual records.
   *Note this protection in the protocol and on the consent form.

2. Will a key file be used to separate research data from personal
   identifiers?  ___Yes  ___No
   If Yes then: Ensure the key file is separate from the research data and
   that the device the files are stored on is protected by the measures for
   the given device above.

3. Will you be receiving personally identifiable data from pre-existing data
   sets (e.g. medical records, academic records)?  ___Yes  ___No
   If Yes then: Ensure the key file is separate from the research data and
   that the device the files are stored on is protected by the measures for
   the given device above.

4. Will participant data be entered directly into electronic devices during
   research surveys or procedures?  ___Yes  ___No
   If Yes then: Ensure that encryption is installed such that personal
   identifiers are always encrypted as they are entered, saved or submitted.
   Ideally, the encryption occurs during entry, but at the “save” or “submit”
   function is also acceptable.
   *Note this in the consent form. An example of language for this might be:
   “All personal identifying information is encrypted as it is submitted.” Or
   “All personal identifiers are encrypted when the data are uploaded.”

5. Will you be using any portable devices for data collection or storage?
   (This includes laptops, iPads, PDAs, Androids, Blackberries, etc.)
   ___Yes  ___No
   If Yes then: Ensure that encryption is installed such that personal
   identifiers are always encrypted as they are entered, saved or submitted.
   Ideally, the encryption occurs during entry, but at the “save” or “submit”
   function is also acceptable.
   There are two ways of encrypting data for portable devices: (1) encrypting
   the entire device so that a password is needed to even open any operation
   of the device; and (2) encrypting only the specific file containing
   research data.

6. Are you planning to put data on small portable storage devices such as
   jump drives?  ___Yes  ___No
   If Yes then: Ensure that personal identifiers are not stored on jump
   drives. Other research data can be stored on jump drives as long as there
   is no way that the data could be traced back to a participant.

7. Are you using a university desktop PC or Mac for entering study data?
   ___Yes  ___No
   If Yes then: Ensure that your device is behind the university firewall.
   Ensure that backups are to secure system servers or, if an external hard
   drive is used for backups, ensure that it contains only encrypted personal
   identifiers.

8. Is the device a personally owned desktop PC or Mac?  ___Yes  ___No
   If Yes then: Do not store any personal identifiers on a personal desktop
   device. Anonymous or de-identified research data should be protected by a
   firewall at all times.

9. Are you using a privately devised survey tool?  ___Yes  ___No
   If Yes then: The survey must be housed on a secure, university-owned,
   firewall-protected server.

10. Are you using a commercial or independent proprietor’s survey tool?
    ___Yes  ___No
    If Yes then: Be sure to find out whether IP addresses are collected, what
    protections are in place to protect the data against unauthorized access,
    and whether the data can be encrypted upon transmission. Note such
    protections, or the lack of them, in the consent form.

11. For independent proprietor surveys, are survey questions of a sensitive
    nature such that a breach of confidentiality could put subjects at risk?
    ___Yes  ___No
    If Yes then: The consent form should address the possibility of a breach
    of confidentiality and reiterate that anonymity cannot be guaranteed
    unless a written statement from the proprietor confirms IP addresses are
    scrubbed from the data upon submission by the participant. If data are
    scrubbed by the proprietor AFTER submission, or by the researcher, the
    consent form should state as much.
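As an added example (not part of this guideline, and not UAF or INBRE code), the key-file separation described in the device rules and the checklist above, in Python over constructed sample records: identifiers go to a key file linked to the research file only by a random code, and a second check flags demographic combinations that still single out one participant, the small-population risk the footnote on personal identifiers warns about. The field names and sample values are assumptions.

```python
"""Key-file separation of identifiers plus a small-population check.
Added example, not part of the UAF IRB guideline. All records are constructed."""
import secrets
from collections import Counter

# Fields the guideline treats as personal identifiers: key file only, never research file.
IDENTIFIER_FIELDS = ("name", "ssn", "birth_date", "address", "ip_address")

# Constructed sample records (no real participants).
RECORDS = [
    {"name": "A. Example", "ssn": "000-00-0001", "birth_date": "1937-02-14",
     "address": "1 Main St", "ip_address": "10.0.0.5",
     "sex": "F", "age": 87, "village": "Smallville", "score": 42},
    {"name": "B. Example", "ssn": "000-00-0002", "birth_date": "1990-06-01",
     "address": "2 Main St", "ip_address": "10.0.0.6",
     "sex": "M", "age": 34, "village": "Smallville", "score": 37},
    {"name": "C. Example", "ssn": "000-00-0003", "birth_date": "1989-09-09",
     "address": "3 Main St", "ip_address": "10.0.0.7",
     "sex": "M", "age": 34, "village": "Smallville", "score": 40},
]

def split_identifiers(records):
    """Return (research_rows, key_rows) linked only by a random per-participant code.
    The code is random rather than derived from the identifiers, so the research
    file cannot be re-linked without the key file, which is stored and encrypted
    separately under the device rules above."""
    research, key = [], []
    for rec in records:
        code = secrets.token_hex(8)
        key.append({"code": code, **{f: rec[f] for f in IDENTIFIER_FIELDS}})
        research.append({"code": code,
                         **{k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}})
    return research, key

def leaked_identifiers(rows):
    """Identifier field names that slipped into a research file (expected: none)."""
    return sorted({f for row in rows for f in row if f in IDENTIFIER_FIELDS})

def unique_demographics(rows, quasi=("sex", "age", "village")):
    """Demographic combinations held by exactly one participant. Even with the key
    file removed, such a combination (the guideline's example: one female aged 87
    in a village of under 300) can still point to an individual."""
    counts = Counter(tuple(row[q] for q in quasi) for row in rows)
    return [combo for combo, n in counts.items() if n == 1]

if __name__ == "__main__":
    research, key = split_identifiers(RECORDS)
    print("identifiers leaked into research file:", leaked_identifiers(research))
    print("demographic combinations naming one person:", unique_demographics(research))
```

The key file produced here is what the guideline expects to be stored apart from the research data and protected by the encryption or password measures for the device holding it.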