• uconn
Page content relevant to:

Data Security Guidance for Human Subjects Research


Federal regulations for human subjects research require Institutional Review Boards (IRBs) to determine that adequate provisions to protect the privacy of subjects and the confidentiality of data are in place and that researchers include adequate provisions for monitoring the data collected to ensure the safety of subjects in their research plan. This page will help investigators plan for the collection, transmission, and storage of research data in a secure manner consistent with University policies and federal regulations. Methods for working with research data often evolve over time given rapid changes to technology. As a result, periodic updates will be made to this page. Researchers are encouraged to reference this page as information is often updated to reflect new technology and security parameters.

The Principal Investigator is responsible for all aspects of research, including the collection, transmission, storage, backup, and security of data and ensuring those listed as key personnel are informed and trained on the procedures related to data security. Research team meetings should include documentation of training and discussion about the safeguards in place to protect research data.  This is particularly important should a breach occur or loss or theft of a device that stores identifiable data. These occurrences must be immediately communicated to the IRB, Information Technology Services (ITS), or UConn’s Privacy Office. To assist researchers with documenting these procedures and for the IRB to review and make appropriate determinations, the Data Security Assessment Form must be completed and submitted to the IRB whenever any human subjects research includes the access, use, collection, transfer, or storage of individual of individual level human data. Any changes regarding the use of technology in research must be submitted to the IRB (via an amendment to an approved protocol) for approval prior to implementation of the changes.

Questions related to the security or allowable use of software for the collection, transmission, and storage of research data can be directed to UConn’s Information Security Office security@uconn.edu.


      Definitions

      Anonymous Data: Records including tissue and samples that do not have a code assigned that would permit the data to be traced back to an individual. This includes any information that was recorded or collected without any of the 18 identifiers as defined by HIPAA. Note that IP addresses are considered by the University and some international standards to be identifiable even though the address is linked to the computer and not specifically to the individual.

      Confidential data under UConn policy is data that is regulated by Federal or State laws including but not limited to Family Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), or the Children’s Online Privacy Protection Act (COPPA). Sensitive data include information related to alcohol or drug use, traumatic experiences, child/elder abuse, or illegal behavior, or where disclosure outside of the research study has the potential to place participants at risk of criminal or civil liability or be damaging to their financial standing, employability, educational advancement, or reputation.

      De-identified Data: Data that are stripped of all identifying information and there is no way the data could be linked back to an individual through a key or other coding method. Best practice when de-identifying data is to use the safe harbor method where all HIPAA identifiers are removed.

      Coded Data: Data, including tissue and samples are coded when a link or key to the code exists, such as a number, letter, symbol, pseudonym, or any combination, that is linked to an individual participant’s identifiers. The code should not include information related to an individual, such as initials or date of birth.

      Protected Health Information(PHI): Individually identifiable health information, held or maintained by a covered entity or its business associates acting for the covered entity, that is transmitted or maintained in any form or medium (including the individually identifiable health information of non-U.S. citizens). This includes identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse. For purposes of the Privacy Rule, genetic information is considered to be health information.”  UConn is designated as a Hybrid Entity under HIPAA. Under the Hybrid status, UConn’s Speech & Hearing Clinic is a covered Entity. Please contact UConn’s Privacy webpage for more information regarding HIPAA.

      Private Information: includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public (e.g., a medical record).

      Identifiable Private Information: is private information for which the identity of the subject is or may readily be ascertained by the investigator or associated with the information. An identifiable biospecimen is a biospecimen for which the identity of the subject is or may readily be ascertained by the investigator or associated with the biospecimen.


      Data Collection and Storage:

      All University owned computers and laptops must have encryption enabled by default and must be used for all storage of UConn Confidential Data or identifiable participant data and comply with UConn’s Confidential Data Policy. Research data may be stored on UConn secure drives, such as P and R, or the use of university authorized cloud services, such as UConn Office 365 (e.g. OneDrive/SharePoint).

      University devices must be used when research involves collection or storage of photographic images or voice recordings of research participants, and data protected under HIPAA and FERPA. At times, researchers purchase cell phones and other devices to be used by the research team. Personal devices, such as laptops, cell phones, or digital recorders that are owned by the researcher or member of the study team are not an acceptable method to collect identifiable or UConn Confidential data due to inherent risk of loss of confidentiality. If it is not possible to use a university device, the consent form must reference loss of confidentiality as a risk to research participants. Data should be held on personal devices only for the time necessary to be promptly moved to a secure university managed location. A personal device, such as a cell phone may be used for appointment reminders, as long as personal identifiers are not paired with other identifiable information. Personal laptops may be used for storing public data. All personal devices must be password protected. ITS recommends using university applications and sponsored software for identifiable data collection because there are secure controls in place to help minimize risk.

      When using wearable devices, such as an activity trackers,  a smartwatch, voice recording devices, location trackers, or other technology to collect research data, information must be included in the informed consent form that states participants will be required to download and agree to terms of service or other agreements applicable to the app if the participant is using their own device and not one provided to them by the researchers.  If an app meets the regulatory definition of a mobile medical application as defined by the FDA, additional regulatory determinations may need to be made depending on its intended use.


      Transmission of Research Data:

      UConn does not recommend the transmission of identifiable datasets by email due to the inherent risk of compromise. When emailing data that do not contain any personal identifiers, include [encrypt] in the subject line of an email when sending from a university email account. If emails are compromised, this could place data at risk and result in loss of confidentiality for research participants. Identifiable data should be transmitted via a secure service, such as Office365, FileLocker, a secure website, or by using secure protocols, such as a File Transfer Protocol (FTPS). Filelocker is an encrypted web-based application that is used to provide short term secure storage and encrypted transport of files both across campus and anywhere with web access. The level of security should be appropriate to the risk.


      Informed Consent:

      Human subjects regulations allow researchers to obtain written consent in an electronic format. The Office for Human Research Protections (OHRP) and the U.S. Food and Drug Administration (FDA) issued guidance for obtaining informed consent electronically. Electronic informed consent (eIC) should be easy to navigate, allowing the user to proceed forward or backward within the system and stop and continue at a later time. If the consent process takes place remotely and is not personally witnessed by study personnel, the electronic system must include a method to ensure that the person electronically signing the informed consent is the subject who will be participating in the research or the subject’s legally authorized representative (LAR) (see 21 CFR 11.100 (b)). Examples may include verification of a state issued ID or other documents, use of personal questions, biometric or visual methods. At UConn, an example is the use of the NetID and password.   However, minimal risk social behavioral research may not warrant such verification. FDA-regulated clinical investigations must comply with criteria under 21 CFR part 11. For this type of research, the electronic system must capture and record the date the subject or LAR provided consent and a copy of the informed consent must be provided to the person signing the form. Consent forms that include a hand-written signature may be returned via fax or postal mail.

      For anonymous internet-based surveys or for research that the IRB grants a waiver of signed consent, include “I agree” or “I do not agree” check boxes on the information sheet or consent form for participants to click to indicate their active choice of whether or not they consent to participate. Please be sure to use the most updated forms found on the IRB’s Forms & Templates page. These forms are periodically updated and include other applicable required statements.


      Web Conferencing for Collecting Research Data

      The use of web conferencing to conduct research interviews and/or to collect research data has increased significantly. To comply with UConn ITS guidelines and policies, researchers should use UConn approved software or services when conducting these activities. This guidance has been developed in conjunction with Research Compliance Services (RCS) and UConn’s ITS Security to assist researchers in understanding what platforms may be appropriate.

      The nature of the data dictates which platforms may be appropriate. For example, investigators who will collect identifiable sensitive data (e.g. personal health information, illegal behaviors, substance use, etc.) that could place research participants at risk if disclosed may use Microsoft Teams or WebEx to conduct remote research interviews. Investigators collecting research data that is not sensitive may also use Google Hangouts/Meet when conducting research interviews remotely. In all cases, researchers must ensure their data collection activities are properly secured against outside (non-invited) guests. Most platforms provide specific controls to help prevent inappropriate access; for example, please visit online instructions for WebEx. When using software that is not secured or sponsored by university ITS, the consent form must include loss of confidentiality and possibility of data mining as risks.

      Other web-based software may be allowable on a case-by-case basis, but must first be cleared through ITS and/or Procurement. Some web conference software allows the researcher to record sessions, share screens, and automatically transcribe the recording. When recording sessions, researchers are asked to ensure that the recordings are stored in one of the following ways: on a University secure server, UConn’s version of Office 365, NetApp, or SharePoint.


      Internet Based Research

      Computer and Internet-based methods for collecting, storing, and transmitting data in research involving human participants are increasing in use and constantly evolving. As new methods are developed and used by researchers, they present new challenges to the protection of research participants. The IRB reviews computer and Internet-based research protocols using the same considerations and standards of approval of research under human subjects regulations and UConn policies.

      Internet-based survey instruments should be formatted in a way that will allow participants to skip questions if they wish or provide a response such as “I choose not to answer.” If all of the questions in a survey require a response, then the Information Sheet or consent form must include a statement about this requirement. Also, at the end of the survey, there should be two buttons: one to allow participants to discard the data and the other to submit it for inclusion in the study.

      Computer-and internet-based procedures for advertising and recruiting potential study participants (e.g., social media, internet advertising, e-mail solicitation, banner ads) must follow the IRB guidelines for recruitment that apply to any traditional media, such as newspapers and bulletin boards. All advertising and recruitment material must be reviewed and approved by the IRB prior to implementation.

      Investigators are advised to review the University’s policy on Use of Official Email Lists prior to soliciting participants by email. If you plan on using LISTSERVs at UConn, please contact list moderators for individual list policies regarding solicitations for research.


      Online Data Collection Software:

      The UConn Office of Institutional Research & Effectiveness (OIRE) has obtained a license from Qualtrics as an on-line data collection tool. Qualtrics is available to all faculty members, students, and staff with a UConn Net ID and password.

      Research Electronic Data Capture (REDCap) is also available to UConn researchers for a fee. REDCap is a secure web application for building and managing online survey databases.The use of on-line survey software should be administered by a professionally trained person with knowledge in computer and internet security. Access to the data housed in the survey software must only be limited to key project personnel.

      The informed consent form must include what individuals have access to the data (e.g., survey software panel personnel) and must state how data will be collected, transmitted stored. Both Qualtrics or REDCap may be configured to allow use of a mouse or finder to obtain a written signature.

      For international research, investigators are cautioned that encryption standards vary from country to country and that there are legal restrictions regarding the export of certain encryption software outside US boundaries. Similarly, data privacy regulations vary between states. Investigators are responsible for understanding the data privacy laws where data collection occurs under their protocol.


      Data Storage/Disposal:

      If a server is used for data storage, personal identifying information should be kept separate from the data. It is recommended that competent data destruction services be used to ensure that no data can be recovered from obsolete electronic media. Researchers must adhere to the UConn Information Security Office’s Confidential Data Security Standard Policy, and Data Storage Guidelines. As a reminder, federal regulations require human subjects records be retained for at least 3 years after completion of the research.


      Children’s Online Privacy Protection Act (COPPA)

      Researchers working with children online are subject to COPPA in addition to human subjects regulations. Researchers are prohibited from collecting personal information from a child without posting notices about how the information will be used and without getting “verifiable parental consent”. For minimal risk research written permission may be obtained by paper, mail, or fax. If the research is more than minimal risk, parental permission should be obtained in a face-to-face meeting.


      The Protection of Pupil Rights Amendment (PPRA)

      PPRA, 34 CFR Part 98, is a Federal law governed by the Department of Education that outlines 8 categories of protected information for survey responses and requires that parents be afforded the right to inspect surveys before they are given to students. The law requires schools to obtain written consent from parents before minor students are required to in any U.S. Department of Education funded survey, analyses, or evaluation collects information in the following areas: Political affiliations; mental and psychological problems potentially embarrassing to the student and his/her family;  Sex behavior and attitudes; Illegal, anti-social, self-incriminating and demeaning behavior; Critical appraisals of other individuals with whom respondents have close family relationships; Legally recognized privileged or analogous relationships, such as those of lawyers, physicians, and ministers; Religious practices, affiliations, or beliefs of the student or student’s parent*; or income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program.)


      Source material for this policy guidance was provided by the Pennsylvania State University and the University of Georgia IRBs. The UConn IRB gratefully acknowledges this support as well as guidance from Chris Bernard, UConn’s Chief Information Security Officer.

      Additional Resources:

      UConn Security Policy Manual.pdf

      UConn Password Standards

      Information Security Office Security Tips

      Information Security Office Confidential Data Handling Suggestions

      March 2021