Data Security Guidance for Human Subjects Research


Web Conferencing for Collecting Research Data

The use of web conferencing to conduct research interviews and/or to collect research data has increased significantly due to the COVID-19 pandemic. To comply with UConn Information Technology Services (ITS) guidelines and policies, researchers must use UConn-approved software or services when conducting these activities. This guidance has been developed jointly by Research Compliance Services (RCS) and UConn’s IT Security to assist researchers in understanding what platforms may be appropriate.

The nature of the data dictates which platforms may be appropriate. For example, investigators who will collect identifiable sensitive data (e.g. personal health information, illegal behaviors, substance use, etc.) that could place research participants at risk if disclosed may use Microsoft Teams or WebEx to conduct remote research interviews. Investigators collecting research data that is not sensitive may also use Google Hangouts/Meet when conducting research interviews remotely. In all cases, researchers must ensure their data collection activities are properly secured against outside (non-invited) guests. Most platforms provide specific controls to help prevent inappropriate access; for example, please visit online instructions for WebEx.

Other web-based software may be allowable on a case-by-case basis, but must first be cleared through ITS and/or Procurement.

Some web conference software allows the researcher to record sessions, share screens, and automatically transcribe the recording. Please see the Collaborating and Communicating Remotely Guide for additional information regarding the recommended software.

When recording sessions, researchers are asked to ensure that the recordings are stored in one of the following ways: on a University secure server, UConn’s version of Office 365, NetApp, or SharePoint. For specific questions related to acceptable collection and storage of research data, please submit a ticket to Techsupport.

As a reminder, Principal Investigators are responsible for ensuring research data are collected, stored, and transmitted securely and that all personnel working on the study are aware of the safeguards that must be in place to protect the privacy of participants and the confidentiality of study data. Also, be sure to submit any changes regarding the use of technology to collect research data to the IRB (via an amendment to an approved protocol) for approval prior to implementation of the changes.

For specific questions related to the allowable use of other web-based software or questions related to data security and the use of web-based platforms for research data collection, please contact Chris Bernard, Chief Information Security Officer at chris.bernard@uconn.edu.


Internet Based Research

Computer- and internet-based methods of collecting, storing, utilizing, and transmitting data in research involving human participants are developing at a rapid rate. As these new methods become more widespread in research in the social and psychological sciences, they present new challenges to the protection of research participants. The Institutional Review Board (IRB) reviews computer- and internet-based research protocols using the same considerations and standards of approval of research under 45 CFR 46.111 and 21 CFR 56.111 as all other research activities. All studies including those using computer and internet technologies must (a) ensure that the procedures fulfill the principles of voluntary participation and informed consent, (b) maintain the confidentiality of information obtained from or about human participants, and (c) adequately address possible risks to participants including psychosocial stress and related risks.

The purpose of these guidelines is to help researchers plan, propose, and implement computer- and internet-based research protocols that provide the same level of protection of human participants as more traditional research methodologies. The guidelines consist of requirements and recommendations that are consistent with the basic IRB principles applied to all research involving human participants. ITS has developed a Glossary of Terms related to data security, which may be helpful for researchers and students.

Recruitment:

  • Computer- and internet-based procedures for advertising and recruiting potential study participants (e.g., social media, internet advertising, e-mail solicitation, banner ads) must follow the IRB guidelines for recruitment that apply to any traditional media, such as newspapers and bulletin boards. All advertising and recruitment material must be reviewed and approved by the IRB prior to implementation.
  • Investigators are advised to review the University’s policy on Use of Official Email Lists prior to soliciting participants by email. If you plan on using LISTSERVs at UConn, please contact list moderators for individual list policies regarding solicitations for research.

Data Collection and Security:

  • All laptops, iPads, tablets, portable media such as USB drives, or devices that are used to collect or store personal identifiable information (PII) for research purposes must use encryption.
  • Any sensitive identifiable or confidential data that are collected from human participants over computer networks must be transmitted over the Internet securely and saved locally in an encrypted format. This helps ensure that any data intercepted during transmission cannot be decoded and that individual responses cannot be traced back to an individual respondent. ITS and Research Compliance Services encourage the use of Microsoft OneDrive, EFS, Filelocker, Office 365, encrypted email, encrypted USB drive, or secure FTP to transmit sensitive data containing PII. Filelocker is an encrypted web-based application that is used to provide short term secure storage and an encrypted transport of files both across campus and anywhere with web access.
  • The level of security should be appropriate to the risk. For most research, standard security measures like whole disk encryption and Secure Sockets Layer (SSL) (commonly used for secure websites) will suffice. However, for sensitive data additional protections should include certified digital signatures for informed consent, or de-identifying data to ensure anonymity. The Office for Human Research Protections (OHRP) has additional guidance for obtaining informed consent electronically.
  • For international research, investigators are cautioned that encryption standards vary from country to country and that there are legal restrictions regarding the export of certain encryption software outside US boundaries.
  • Internet-based survey instruments must be formatted in a way that will allow participants to skip questions if they wish or provide a response such as “I choose not to answer.” Also, at the end of the survey, there should be two buttons: one to allow participants to discard the data and the other to submit it for inclusion in the study. Finally, if applicable, online surveys must include mechanisms for withdrawal. For example, if a participant decides to withdraw, there should be a mechanism for identifying the responses of a participant for the purposes of discarding those responses.
  • Researchers working with children online are subject to the Children’s Online Privacy Protection Act in addition to human subjects regulations. Researchers are prohibited from collecting personal information from a child without posting notices about how the information will be used and without getting “verifiable parental consent”. For minimal risk research written permission may be obtained by paper, mail, or fax. If the research is more than minimal risk, parental permission should be obtained in a face-to-face meeting.

Online data collection software:

The UConn Office of Institutional Research & Effectiveness (OIRE) has obtained a license from Qualtrics as an on-line data collection tool. Faculty members, students, and staff with a UConn Net ID and password are able to utilize Qualtrics.

The use of on-line survey software should be administered by a professionally trained person with knowledge in computer and internet security. Access to the server should be limited to key project personnel. The server should receive frequent, regularly scheduled security audits.

Data Storage/Disposal:

  • If a server is used for data storage, personal identifying information should be kept separate from the data, and data should be stored in encrypted format. Social Security Numbers are not permitted to be used as an identifier.
  • It is recommended that competent data destruction services be used to ensure that no data can be recovered from obsolete electronic media.
  • Researchers must adhere to the UConn Information Security Office’s Confidential Data Security Standard Policy, and Data Storage Guidelines.

Informed Consent Process For Internet-Based Research:

  • For anonymous internet-based surveys, include “I agree” or “I do not agree” buttons on the Information sheet for participants to click to indicate their active choice of whether or not they consent to participate. For anonymous surveys sent to and returned by participants through email, include the IRB’s information sheet template and inform participants that submitting the completed survey implies their consent.
  • If the IRB determines that written consent is required, the consent form can be mailed or emailed to the participant who can then sign the form and return it via fax or postal mail.
  • Researchers conducting web-based research should be careful not to make guarantees of confidentiality or anonymity, as the security of online transmissions is not guaranteed. A statement in the informed consent form indicating the limits to confidentiality is required. The following statement may be used: “Your confidentiality will be maintained to the degree permitted by the technology used. Specifically, no guarantees can be made regarding the interception of data sent via the Internet by any third parties.”

Source material for this policy guidance was provided by the Pennsylvania State University and the University of Georgia IRBs. The UConn IRB gratefully acknowledges this support.

In addition, the IRB would like to acknowledge information provided by Chris Bernard, University Chief Information Security Officer.

Additional Resources:

UConn Security Policy Manual.pdf

UConn Password Standards

Information Security Office Security Tips

Information Security Office Confidential Data Handling Suggestions

September 2020