Human Subjects Data Security
One of the biggest potential risks to research participants in our modern-day world is the threat that confidential information will be exposed to unauthorized individuals who are not part of the research team. Maintaining human subject data securely with the appropriate level of confidentiality is a key component of minimizing risks to your study participants.
To ensure that these confidentiality risks have been adequately addressed, you must explain the precautions that will be taken to protect confidentiality of subject data and information in your IRB protocol, and how these precautions will be communicated to your subjects (during the informed consent or another process).
Data security should be considered for each piece and type of data collected throughout the life cycle of the study, including data collection; data transmission/transportation; accessing the data for review/analysis; collaboration; data storage; reporting; and disposition. Consider the tools and resources that you will use for data collection, how you will ensure that access to identifiable data will be limited only to authorized research personnel, and who will be responsible for the data storage and eventual disposition or destruction.
All electronic data must be maintained on UTA-sanctioned storage tools and data collection via surveys should use QuestionPro (UTA's preferred vendor). Utilizing a product outside of the UTA-sanctioned storage tools and survey platform would require exceptions by the Office of Information Security (OIT) and Information Security Office (ISO).
To check whether your selected resource will require these exceptions, you can use OIT's 'Technology Acquisition Helper' to search for the data storage tool or survey platform you intend to use. If the resource has already been reviewed and approved through the Technology Approval Process (TAP) and the Information Security Office (ISO) Risk Assessment, then additional clearance will not be needed for use in your human subject research protocol.
If the platform has not been approved through one or both of these processes, you will be required to attach an approved request from both OIT and ISO to your protocol submission in Mentis for IRB approval. If this platform has been reviewed by both processes already, you may need a renewal. Projects that will obtain/store confidential information (FERPA data, biometric identifiers, identifiable human subjects research, etc.) will need to have an ISO Risk Assessment conducted annually. Projects that will obtain/store controlled (de-identified human subjects research, anonymous research, etc.) and public information will need an ISO Risk Assessment conducted every 2 years. For further information on data classification definitions, please scroll to the bottom of the page or visit: https://www.uta.edu/security/policies/procedure.php.
To ensure you are utilizing UTA-sanctioned storage tools, please use the following links:
Technology Acquisition Helper: https://webapp.uta.edu/tap
TAPREQ Form: https://go.uta.edu/tapreqform
ISO Risk Assessment Form: https://go.uta.edu/isoappassessment
TAPREQ Instructions: https://webapp.uta.edu/tap/pages/instructions
TAPREQ Information and Resources: https://webapp.uta.edu/tap/pages/info
ISO Risk Assessment Questions: https://webapp.uta.edu/tap/pages/isorisk
UTA Security Policies and Standards: https://www.uta.edu/security/policies/procedure.php
All paper documents in their original form must be stored on the UTA campus unless the IRB grants an exception, as UTA and the IRB must be able to access research records and consent forms at any time.
Special considerations must be taken when conducting research outside of the UTA campus, such as in situations with collaborative or field research. When human subjects data will first be collected outside of UTA, the IRB protocol must be specific and detailed about how the data will be kept secure at the site where it is collected, as well as how and when the data will be securely transported to the UTA campus (or to a secure UTA server) for storage.
Record Retention Period: All records (paper or electronic) must be maintained and kept secure for at least 3 years after the closure of the protocol or in accordance with funding agency requirements (whichever is longer). Student PIs should address long-term storage arrangements if planning to leave UTA prior to the end of the retention period.
More information about the TAPREQ is provided on the EIR Accessibility webpage. Contact Laura Hopkins, EIR Accessibility Coordinator, if you have questions regarding the TAP at laura.hopkins@uta.edu or 817-272-5961. More information about the ISO Risk Assessment is provided on the ISO Risk Management webpage. Contact the Application Risk Assessment Team at grc@uta.edu if you have any questions about this process.
Human Subject data falls into the following categories for which appropriate security measures must be taken:
a) Anonymous Data: Data that never contains identifying values that can link the information to any participant. Once anonymous data has been collected, there is no way for the researcher (or anyone else) to identify any of the contributing participants. If any values or combination of values can be used to identify any specific participant, regardless of the kind of information provided, it is not considered anonymous; the data would be considered identifiable.
b) Coded Data: A dataset containing information about a living individual that has had the direct identifiers of the individual removed (e.g., name, SSN#, student #, etc.) and replaced with a code (e.g., 101, 102, 103, etc.). The research team typically keeps a separate file containing the list of subject code numbers and other identifiable information as a “Master List” so that the coded dataset can be re-linked to the subjects’ identities if needed using the subject codes. This would fall under identifiable data.
c) Confidential Data: University data protected specifically by federal or state law or UT Arlington rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley; Gramm-Leach-Bliley; the Texas Identity Theft Enforcement and Protection Act; University of Texas System Policies; specific donor and employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.).
d) Controlled Data: University data not otherwise identified as Confidential data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.
e) De-identified Data: A dataset containing only information about living individual(s) that had identifiable information at one time, but has since had all identifiers removed from the data in a manner that any member of the research team is not able to identify the individual(s) from whom the information was collected. Links between the data and the individual about whom the data was recorded may still exist, but are not readily accessible, and will not be made available to the researcher(s) at UTA. Note that studies utilizing a coding system with a “Master List” linking subject codes to identifiable information are not considered de-identified; instead, these datasets are considered “Coded Data”.
f) Identifiable Data: A dataset containing any information that would allow someone (including members of the research team) to be able to directly or indirectly identify the person from whom the information was collected; a dataset in which the identity of the subject can be or may be readily ascertained by someone, or is associated with the information.
g) Non-Sensitive Data: Data that is not likely to cause harm to subjects in the event of a data breach; a dataset containing information about living individuals that may contain individually identifiable information, but which is not likely to place the subjects at risk of criminal or civil liability or be damaging to their financial standing, employability, educational advancement, or reputation if the information was disclosed outside of the research context.
h) Published or Public Data: University data not otherwise identified as Confidential data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.
i) Sensitive Data: Data that could potentially cause harm to subjects in the event of a data breach; a dataset containing information about living individuals that could reasonably place the subjects at risk of criminal or civil liability or be damaging to their financial standing, employability, educational advancement, or reputation if the information was disclosed outside of the research context.
NOTE THAT THE BELOW INFORMATION IS PROVIDED AS SUGGESTIONS FOR SECURE HUMAN SUBJECTS DATA COLLECTION AND STORAGE; HOWEVER, THE BELOW STANDARDS MAY BE OUT OF DATE IF RECENT CHANGES HAVE BEEN MADE. FOR THE MOST UP TO DATE INFORMATION ABOUT YOUR ALLOWABLE OPTIONS FOR SECURE DATA COLLECTION AND STORAGE METHODS, PLEASE GO DIRECTLY TO THE UTA SANCTIONED UNIVERSITY AND CLOUD DATA STORAGE LOCATIONS WEBPAGE.
All data categories may use the following data collection and storage devices:
- UTA-Sanctioned Cloud Storage can be used for both internal and external collaboration, and can be used by faculty, staff and students for the storage of human subject data. When sharing data, it is important to ensure folders are password protected or have appropriate access control to prevent accidental data compromise or leak. Special caution must be taken when handling identifiable data. To request access, please contact the OIT Help Desk.
- UTA-owned computer that is encrypted and has OIT standard image: All computers containing confidential information must be encrypted following Institutional standards. Where possible, all data must be stored on secure UTA-sanctioned cloud storage. Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions. Access control and encrypted devices must be used for most regulated data; additional controls may be required such as physical security (cable locks, locked room, etc.)
- UTA-owned ISO approved external drives that are hardware encrypted: All portable devices containing confidential information must be encrypted following Institutional standards. Where possible, all data must be stored on secure UTA-sanctioned cloud storage. Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions. Access control and encrypted devices must be used for most regulated data; additional controls may be required such as physical security (cable locks, locked room, etc.)
- QuestionPro: QuestionPro enables faculty, staff, and students to create and conduct unlimited surveys for University-related academic or administrative purposes. The tool offers a range of features to create web forms, conduct offline research studies, collect and analyze data, and more. While the collection and storage of identifiable data is permitted, collecting and storing SSNs is not permitted without first consulting the Information Security Office. When possible, data should be removed from QuestionPro and stored on an encrypted UTA computer.
De-identified, Anonymous, and Non-Sensitive data may use the following data collection and storage devices:
- UTA Office 365 OneDrive: OneDrive is currently available to employees and students. Confirm that OIT has implemented security settings for your OneDrive so that inadvertent sharing of data does not occur.
- UTA-owned computer that is not encrypted (with encryption exception)
- UTA-owned external drives that are not encrypted
- Exchange and UTA Office 365 Email: Email and texting generally may be used for recruitment, scheduling of appointments, and non-sensitive informational purposes ONLY, per your IRB protocol. Email may not be used for human subjects data collection or storage.
Supplemental training webinars are available in the CITI program, under the IPS for Researchers Course. Investigators are encouraged to complete this training for additional education in data security.
Data Management and Security for Student Researchers: An Overview (ID 20423)
- The runtime is 1 hour
- Learning Objectives:
  - Define the basic principles governing protection and confidentiality of research data.
  - Identify best practices to use in securing research data.
  - Assess situations in which research data may need extra security protections.
Partnering with Technology Companies
- The runtime is 1 hour, 2 minutes, and 58 seconds.
- Learning Objectives:
  - Review the goals of digital health, the interdisciplinary struggles of working with technology companies, and an overall approach to the problems.
  - Identify best practices for researchers, technology companies, institutions, and Institutional Review Boards (IRBs) for creating partnerships.
  - Explore some of the common challenges faced by the research community and technology companies in the design and conduct of research.
- Dropbox
- Google WorkSpace with UTA SSO
- iCloud
- Elsevier Mendeley
- Non-UTA owned computers, external drives or phones that are not encrypted
- Survey Monkey
- Gmail
If you would like to request another process for data collection and/or storage, you must contact the Information Security Office.
- Information Security Office - Sanctioned University and Cloud Data Storage
- IRB Terms and Definitions