It is important to understand the type of data you are working with to determine the appropriate security measures required. Different categories of human subject data carry varying levels of sensitivity, and selecting the correct safeguards depends on accurately identifying the data classification.

The Information Security Office (ISO) provides data classification definitions, which are outlined below along with common categories of human subjects data.

1. Anonymous Data: Data that never contains identifying values that can link the information to any participant. Once anonymous data has been collected, there is no way for the researcher (or anyone else) to identify any of the contributing participants. If any values or combination of values can be used to identify any specific participant, regardless of the kind of information provided, it is not considered anonymous; the data would be considered identifiable.
2. Coded Data: A dataset containing information about a living individual that has had the direct identifiers of the individual removed (e.g., name, SSN#, student #, etc.) and replaced with a code (e.g., 101, 102, 103, etc.). The research team typically keeps a separate file containing the list of subject code numbers and other identifiable information as a “Master List” so that the coded dataset can be re-linked to the subjects’ identities if needed using the subject codes. This would fall under identifiable data
3. Confidential Data (ISO definition): University data protected specifically by federal or state law or UT Arlington rules and regulations (e.g., HIPAA; FERPA; Sarbanes-Oxley, Gramm-Leach-Bliley; the Texas Identity Theft Enforcement and Protection Act; University of Texas System Policies; specific donor and employee data). University data that are not otherwise protected by a known civil statute or regulation, but which must be protected due to contractual agreements requiring confidentiality, integrity, or availability considerations (e.g., Non-Disclosure Agreements, Memoranda of Understanding, Service Level Agreements, Granting or Funding Agency Agreements, etc.).
4. Controlled Data (ISO definition): University data not otherwise identified as Confidential data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.
5. De-identified Data: a dataset containing only information about living individual(s) that had identifiable information at one time, but has since had all identifiers removed from the data in a manner that any member of the research team is not able to identify the individual(s) from whom the information was collected. Links between the data and the individual about whom the data was recorded may still exist, but are not readily accessible, and will not be made available to the researcher(s) at UTA. Note that studies utilizing a coding system with a “Master List” linking subject codes to identifiable information are not considered de-identified; instead, these datasets are considered “Coded Data”.
6. Identifiable Data: A dataset containing any information that would allow someone (including members of the research team) to be able to directly or indirectly identify the person from whom the information was collected; a dataset in which the identity of the subject can be or may be readily ascertained by someone, or is associated with the information.
7. Non-Sensitive Data: Data that is not likely to cause harm to subjects in the event of a data breach; a dataset containing information about living individuals that may contain individually identifiable information, but which is not likely to place the subjects at risk of criminal or civil liability or be damaging to their financial standing, employability, educational advancement, or reputation if the information was disclosed outside of the research context.
8. Published or Public Data (ISO definition): University data not otherwise identified as Confidential data, but which are releasable in accordance with the Texas Public Information Act (e.g., contents of specific e-mail, date of birth, salary, etc.). Such data must be appropriately protected to ensure a controlled and lawful release.
9. Sensitive Data: Data that could potentially cause harm to subjects in the event of a data breach; a dataset containing information about living individuals that could reasonably place the subjects at risk of criminal or civil liability or be damaging to their financial standing, employability, educational advancement, or reputation if the information was disclosed outside of the research context.

All electronic human subjects data must be maintained using technologies that are approved or reviewed through UTA’s Technology Assessment Process to ensure compliance with university accessibility, security, privacy, regulatory requirements, and to protect participant confidentiality.

Before using any software, platform, or application for recruitment, data collection, storage, or analysis, investigators must verify the technology’s assessment status at:
https://techassessment.uta.edu.

Technologies are categorized as:

• Approved – Cleared for use at UTA. Investigators remain responsible for complying with IRB requirements and study‑specific data security obligations.
• Unapproved – Does not meet federal, state, or UT System standards and may not be used for human subjects research.
• Not listed – Requires submission of a Technology Assessment Review before it can be acquired or used.

Investigators must resolve technology assessment status before IRB approval is finalized for studies involving electronic data systems. Once submitted, requests are reviewed by OIT EIR Accessibility, OIT Enterprise Architecture, and the Information Security Office. An email notification will be issued once all reviews are complete. Most assessments are estimated to be completed within 30 days.

IRB Submission Requirements

The IRB protocol application must clearly specify the types of data to be collected, the technologies used for data collection, storage, and analysis, and the safeguards in place to protect participant confidentiality and data security. Use of an approved technology does not replace IRB review or eliminate the need for study‑specific data security controls. When outlining data security procedures, researchers should consider the following:

• Paper Records: All original paper documents must be stored on the UTA campus unless the IRB grants an exception. UTA and the IRB must have access to research records and consent forms at any time.
• Research Conducted Off-Campus: Special considerations apply to collaborative or field research conducted outside the UTA campus. If human subjects data will initially be collected off-campus, the protocol must include detailed plans for securing data at the collection site and for securely transporting it to the UTA campus (or a secure UTA server) for storage.
• Record Retention: All records—paper or electronic—must be securely maintained for at least three years after protocol closure or as required by the funding agency (whichever is longer). Student PIs should plan for long-term storage if leaving UTA before the retention period ends.

Researchers proposing to use a technology that is not listed or is listed as Unapproved must submit a Technology Assessment Request before the technology may be used for human subjects research.

Technology Assessment Requests are submitted through ServiceNow and reviewed by appropriate offices, which may include OIT Accessibility, Enterprise Architecture, and the Information Security Office (ISO), depending on the technology and data involved.

Investigators will be notified when all reviews are complete. Most assessments are completed within approximately 30 days, though some reviews may require additional time.

Attach the approved Technology Assessment documentation and/or completed ticket as part of the IRB Application submission in Mentis. To prevent delays in IRB review, researchers are strongly encouraged to complete the Technology Assessment prior to submitting their research protocol.

Approved Data Collection and Storage Devices
All data categories may use the following data collection and storage devices:

Use of any device or platform listed below is permitted only if the underlying technology is approved or reviewed through the Technology Assessment Process, as applicable.

• UTA-Sanctioned Cloud Storage can be used for both internal and external collaboration, and can be used by faculty, staff and students for the storage of human subject data. When sharing data, it is important to ensure folders are password protected or have appropriate access control to prevent accidental data compromise or leak. Special caution must be taken when handling identifiable data. To request access, please contact the OIT Help Desk.
• UTA-owned computer that is encrypted and has OIT standard image: All computers containing confidential information must be encrypted following Institutional standards. Where possible, all data must be stored on secure UTA-sanctioned cloud storage. Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions. Access control and encrypted devices must be used for most regulated data; additional controls may be required such as physical security (cable locks, locked room, etc.)
• UTA-owned ISO approved external drives that are hardware encrypted: All portable devices containing confidential information must be encrypted following Institutional standards. Where possible, all data must be stored on secure UTA-sanctioned cloud storage. Always ensure that you are following established practices for protecting regulated data. Consult the Information Security Office if you have questions. Access control and encrypted devices must be used for most regulated data; additional controls may be required such as physical security (cable locks, locked room, etc.)
• QuestionPro: QuestionPro enables faculty, staff, and students to create and conduct unlimited surveys for University-related academic or administrative purposes. The tool offers a range of features to create web forms, conduct offline research studies, collect and analyze data, and more. While the collection and storage of identifiable data is permitted, collecting and storing SSN's is not permitted without first consulting the Information Security Office. When possible, data should be removed from QuestionPro and stored on an encrypted UTA computer.

• UTA Office 365 OneDrive: OneDrive is currently available to employees and students. Ensure that OIT has implemented security settings for your OneDrive to ensure that inadvertent sharing of data does not occur.
• UTA-owned computer that is not encrypted (with encryption exception)
• UTA-owned external drives that are not encrypted
• Exchange and UTA Office 365 Email: Email and texting generally may be used for recruitment, scheduling of appointments, and non-sensitive informational purposes ONLY, per your IRB protocol. Email may not be used for human subjects data collection or storage.

The following are NOT permitted for data collection and/or storage:

• Dropbox
• Google WorkSpace with UTA SSO
• iCloud
• Elsevier Mendeley
• Non-UTA owned computers, external drives or phones that are not encrypted
• Survey Monkey
• Gmail

Supplemental training webinars are available in the CITI program, under the IPS for Researchers Course. Investigators are encouraged to complete this training for additional education in data security.

Data Management and Security for Student Researchers: An Overview (ID 20423)

• The runtime is 1 hour
• Learning Objectives:
  • Define the basic principles governing protection and confidentiality of research data.
  • Identify best practices to use in securing research data.
  • Assess situations in which research data may need extra security protections.

Partnering with Technology Companies

• The runtime is 1 hour, 2 minutes, and 58 seconds.
• Learning Objectives:
  • Review the goals of digital health, the interdisciplinary struggles of working with technology companies, and an overall approach to the problems.
  • Identify best practices for researchers, technology companies, institutions, and Institutional Review Boards (IRBs) for creating partnerships.
  • Explore some of the common challenges faced by the research community and technology companies in the design and conduct of research.

• Information Security Office - Sanctioned University and Cloud Data Storage
• IRB Terms and Definitions