Human Subjects Data Security
One of the biggest potential risks to research participants in our modern-day world is the threat that confidential information will be exposed to unauthorized individuals who are not part of the research team. Maintaining human subject data securely with the appropriate level of confidentiality is a key component of minimizing risks to your study participants.
To ensure that these confidentiality risks have been adequately addressed, you must explain the precautions that will be taken to protect confidentiality of subject data and information in your IRB protocol, and how these precautions will be communicated to your subjects (during the informed consent or another process).
Data security should be considered for each piece and type of data collected throughout the life cycle of the study, including data collection; data transmission / transportation; accessing the data for review / analysis; collaboration; data storage; reporting; and disposition. Consider the tools and resources that you will use for data collection, how you will ensure that access to identifiable data will be limited only to authorized research personnel, and who will be responsible for the data storage and eventual disposition or destruction.
All electronic data must be maintained on UTA sanctioned storage tools and data collection via survey should use QuestionPro. Utilizing a product outside of the UTA sanctioned storage tools and survey platform would require an exception by the Office of Information Security. For example, if you would like to purchase an individual license to continue working with Qualtrics, you must apply for an exception. To apply for an exception, please submit a Technology Approval Process Service Now request. Each request will need to have a separate TAP Request in Service Now. To create a TAP Request, go to UTA Service-Now, select "Request Something", select "Technology Approval Process" under the section "Desktop or Lab Hardware & Software", then complete questions for the TAP review. To access QuestionPro, please visit myapps.uta.edu and log in using your UTA NetID and password. Navigate to the QuestionPro tile and click sign in. For more information on QuestionPro, please visit https://go.uta.edu/survey.
All paper documents in their original form must be stored on the UTA campus unless the IRB grants an exception, as UTA and the IRB must be able to access research records and consent forms at any time.
Special considerations must be taken when conducting research outside of the UTA campus, such as in situations with collaborative or field research. When human subjects data will first be collected outside of UTA, the IRB protocol must be specific and detailed about how the data will be kept secure at the site where it is collected, as well as how and when the data will be securely transported to the UTA campus (or to a secure UTA server) for storage.
Record Retention Period: All records (paper or electronic) must be maintained and kept secure for at least 3 years after the closure of the protocol or in accordance with funding agency requirements (whichever is longer). Student PIs should address long-term storage arrangements if planning to leave UTA prior to the end of the retention period.
Data Classification Definitions
Human Subject data falls into the following categories for which appropriate security measures must be taken:
a) Anonymous Data: Data that never contains identifying values that can link the information to any participant. Once anonymous data has been collected, there is no way for the researcher (or anyone else) to identify any of the contributing participants. If any values or combination of values can be used to identify any specific participant, regardless of the kind of information provided, it is not considered anonymous; the data would be considered identifiable.
b) Coded Data: A dataset containing information about a living individual that has had the direct identifiers of the individual removed (e.g., name, SSN#, student #, etc.) and replaced with a code (e.g., 101, 102, 103, etc.). The research team typically keeps a separate file containing the list of subject code numbers and other identifiable information as a “Master List” so that the coded dataset can be re-linked to the subjects’ identities if needed using the subject codes. This would fall under identifiable data.
c) De-identified Data: A dataset containing only information about living individual(s) that had identifiable information at one time, but has since had all identifiers removed from the data in such a manner that no member of the research team is able to identify the individual(s) from whom the information was collected. Links between the data and the individual about whom the data was recorded may still exist, but are not readily accessible, and will not be made available to the researcher(s) at UTA. Note that studies utilizing a coding system with a “Master List” linking subject codes to identifiable information are not considered de-identified; instead, these datasets are considered “Coded Data”.
d) Identifiable Data: A dataset containing any information that would allow someone (including members of the research team) to be able to directly or indirectly identify the person from whom the information was collected; a dataset in which the identity of the subject can be or may be readily ascertained by someone, or is associated with the information.
e) Sensitive Data: Data that could potentially cause harm to subjects in the event of a data breach; a dataset containing information about living individuals that could reasonably place the subjects at risk of criminal or civil liability or be damaging to their financial standing, employability, educational advancement, or reputation if the information was disclosed outside of the research context.
f) Non-Sensitive Data: Data that is not likely to cause harm to subjects in the event of a data breach; a dataset containing information about living individuals that may contain individually identifiable information, but which is not likely to place the subjects at risk of criminal or civil liability or be damaging to their financial standing, employability, educational advancement, or reputation if the information was disclosed outside of the research context.
NOTE THAT THE BELOW INFORMATION IS PROVIDED AS SUGGESTIONS FOR SECURE HUMAN SUBJECTS DATA COLLECTION AND STORAGE; HOWEVER, THE BELOW STANDARDS MAY BE OUT OF DATE IF RECENT CHANGES HAVE BEEN MADE. FOR THE MOST UP TO DATE INFORMATION ABOUT YOUR ALLOWABLE OPTIONS FOR SECURE DATA COLLECTION AND STORAGE METHODS, PLEASE GO DIRECTLY TO THE UTA SANCTIONED UNIVERSITY AND CLOUD DATA STORAGE LOCATIONS WEBPAGE.
All Data categories may use the following Data Collection and Storage devices
- UTA Sanctioned Cloud Storage can be used for both internal and external collaboration, and can be used by faculty, staff and students for the storage of human subject data. When sharing data, it is important to ensure folders are password protected or have appropriate access control to prevent accidental data compromise or leak. Special caution must be taken when handling identifiable data. To request access, please contact the OIT Help Desk.
- UTA owned computer that is encrypted and has OIT standard image: All computers containing confidential information must be encrypted following the institution’s standards. Where possible, all data must be stored on secure UTA sanctioned cloud storage. Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions. Access control and encrypted devices must be used for most regulated data; additional controls may be required such as physical security (cable locks, locked room, etc.).
- UTA owned ISO approved external drives that are hardware encrypted: All portable devices containing confidential information must be encrypted following the institution’s standards. Where possible, all data must be stored on secure UTA sanctioned cloud storage. Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions. Access control and encrypted devices must be used for most regulated data; additional controls may be required such as physical security (cable locks, locked room, etc.).
- QuestionPro: QuestionPro enables faculty, staff, and students to create and conduct unlimited surveys for University-related academic or administrative purposes. The tool offers a range of features to create web forms, conduct offline research studies, collect and analyze data, and more. While the collection and storage of identifiable data is permitted, collecting and storing SSNs is not permitted without first consulting the Information Security Office. When possible, data should be removed from QuestionPro and stored on an encrypted UTA computer.
De-identified, Anonymous, and Non-Sensitive data may use the following Data Collection and Storage Devices
- UTA Office 365 OneDrive: OneDrive is currently available to employees and students. Ensure that OIT has implemented security settings for your OneDrive to ensure that inadvertent sharing of data does not occur.
- UTA owned computer that is not encrypted (with encryption exception)
- UTA owned external drives that are not encrypted
- Exchange and UTA Office 365 Email: Email and texting generally may be used for recruitment, scheduling of appointments, and non-sensitive informational purposes ONLY, per your IRB protocol. Email may not be used for human subjects data collection or storage.
- External collaboration will be through the following approved public facing websites: UTA, Mavericks Blog, SharePoint, Mavspace, and Maverick Wiki. Ability to modify and update content by an external collaborator will require a sponsored NetID authentication used for controlling access to content or providing the ability to edit and publish public facing content. These services are available from the internet and special caution must be taken to ensure non-public data is controlled. Always consult the Information Security Office before storing regulated data.
The Following are NOT Permitted for Data Collection and/or Storage
- Google Drive
- Elsevier Mendeley
- Non-UTA owned computers, external drives or phones that are not encrypted
- Survey Monkey
If you would like to request another process for data collection and/or storage, you must contact the Information Security Office.