Human Subject data falls into the following categories for which appropriate security measures must be taken:

a) Anonymous Data: Data that never contains identifying values that can link the information to any participant. Once anonymous data has been collected, there is no way for the researcher (or anyone else) to identify any of the contributing participants. If any values or combination of values can be used to identify any specific participant, regardless of the kind of information provided, it is not considered anonymous; the data would be considered identifiable.

b) Coded Data: A dataset containing information about a living individual that has had the direct identifiers of the individual removed (e.g., name, SSN#, student #, etc.) and replaced with a code (e.g., 101, 102, 103, etc.). The research team typically keeps a separate file containing the list of subject code numbers and other identifiable information as a “Master List” so that the coded dataset can be re-linked to the subjects’ identities if needed using the subject codes. This would fall under identifiable data.

c) De-identified Data: a dataset containing only information about living individual(s) that had identifiable information at one time, but has since had all identifiers removed from the data in a manner that any member of the research team is not able to identify the individual(s) from whom the information was collected. Links between the data and the individual about whom the data was recorded may still exist, but are not readily accessible, and will not be made available to the researcher(s) at UTA. Note that studies utilizing a coding system with a “Master List” linking subject codes to identifiable information are not considered de-identified; instead, these datasets are considered “Coded Data”.

d) Identifiable Data: A dataset containing any information that would allow someone (including members of the research team) to be able to directly or indirectly identify the person from whom the information was collected; a dataset in which the identity of the subject can be or may be readily ascertained by someone, or is associated with the information.

e) Sensitive Data: Data that could potentially cause harm to subjects in the event of a data breach; a dataset containing information about living individuals that could reasonably place the subjects at risk of criminal or civil liability or be damaging to their financial standing, employability, educational advancement, or reputation if the information was disclosed outside of the research context.

f) Non-Sensitive Data: Data that is not likely to cause harm to subjects in the event of a data breach; a dataset containing information about living individuals that may contain individually identifiable information, but which is not likely to place the subjects at risk of criminal or civil liability or be damaging to their financial standing, employability, educational advancement, or reputation if the information was disclosed outside of the research context.

NOTE THAT THE BELOW INFORMATION IS PROVIDED AS SUGGESTIONS FOR SECURE HUMAN SUBJECTS DATA COLLECTION AND STORAGE; HOWEVER, THE BELOW STANDARDS MAY BE OUT OF DATE IF RECENT CHANGES HAVE BEEN MADE. FOR THE MOST UP TO DATE INFORMATION ABOUT YOUR ALLOWABLE OPTIONS FOR SECURE DATA COLLECTION AND STORAGE METHODS, PLEASE GO DIRECTLY TO THE UTA SANCTIONED UNIVERSITY AND CLOUD DATA STORAGE LOCATIONS WEBPAGE.

All data categories may use the following data collection and storage devices:

• UTA-Sanctioned Cloud Storage can be used for both internal and external collaboration, and can be used by faculty, staff and students for the storage of human subject data. When sharing data, it is important to ensure folders are password protected or have appropriate access control to prevent accidental data compromise or leak. Special caution must be taken when handling identifiable data. To request access, please contact the OIT Help Desk.
• UTA-owned computer that is encrypted and has OIT standard image: All computers containing confidential information must be encrypted following Institutional standards. Where possible, all data must be stored on secure UTA-sanctioned cloud storage. Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions. Access control and encrypted devices must be used for most regulated data; additional controls may be required such as physical security (cable locks, locked room, etc.)
• UTA-owned ISO approved external drives that are hardware encrypted: All portable devices containing confidential information, must be encrypted following Institutional standards. Where possible, all data must be stored on secure UTA-sanctioned cloud storage. Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions. Access control and encrypted devices must be used for most regulated data; additional controls may be required such as physical security (cable locks, locked room, etc.)
• QuestionPro: QuestionPro enables faculty, staff, and students to create and conduct unlimited surveys for University-related academic or administrative purposes. The tool offers a range of features to create web forms, conduct offline research studies, collect and analyze data, and more. While the collection and storage of identifiable data is permitted, collecting and storing SSN's is not permitted without first consulting the Information Security Office. When possible, data should be removed from QuestionPro and stored on an encrypted UTA computer.

De-identified, Anonymous, and Non-Sensitive data may use the following data collection and storage devices:

• UTA Office 365 OneDrive: OneDrive is currently available to employees and students. Ensure that OIT has implemented security settings for your OneDrive to ensure that inadvertent sharing of data does not occur.
• UTA-owned computer that is not encrypted (with encryption exception)
• UTA-owned external drives that are not encrypted
• Exchange and UTA Office 365 Email: Email and texting generally may be used for recruitment, scheduling of appointments, and non-sensitive informational purposes ONLY, per your IRB protocol. Email may not be used for human subjects data collection or storage.

Supplemental training webinars are available in the CITI program, under the IPS for Researchers Course. Investigators are encouraged to complete this training for additional education in data security.

Data Management and Security for Student Researchers: An Overview (ID 20423)

• The runtime is 1 hour
• Learning Objectives:
  • Define the basic principles governing protection and confidentiality of research data.
  • Identify best practices to use in securing research data.
  • Assess situations in which research data may need extra security protections.

Partnering with Technology Companies

• The runtime is 1 hour, 2 minutes, and 58 seconds.
• Learning Objectives:
  • Review the goals of digital health, the interdisciplinary struggles of working with technology companies, and an overall approach to the problems.
  • Identify best practices for researchers, technology companies, institutions, and Institutional Review Boards (IRBs) for creating partnerships.
  • Explore some of the common challenges faced by the research community and technology companies in the design and conduct of research.

• Dropbox
• Google WorkSpace with UTA SSO
• iCloud
• Elsevier Mendeley
• Non-UTA owned computers, external drives or phones that are not encrypted
• Survey Monkey
• Gmail

If you would like to request another process for data collection and/or storage, you must contact the Information Security Office.

THE UNIVERSITY OF TEXAS AT ARLINGTON

• Information Security Office - Sanctioned University and Cloud Data Storage
• IRB Terms and Definitions