Evaluators and researchers must take steps to protect data collected from participants/patients. Individually identifiable information may not always be collected; however, if it is, a plan for the protection of the data is needed. This is one way to demonstrate respect for our participants.
Evaluators and researchers often ask what a plan for protecting the information includes. Below are a few examples often used to protect data.
- Assign study participant identification codes to instruments, questionnaires, surveys, etc. Keep a list of the identifiable information linking individuals to their codes in a separate location with restricted access. Only personnel with the appropriate training/education should have access to the data. This is usually the principal investigator/evaluator, coordinator, or research assistant.
- An acceptable data security plan must provide that all electronic transmissions of PHI or PII over the internet (including by email), file transfers, or other data transfer modalities will be encrypted;
- Remove cover or face sheets containing identifiers (e.g., names and addresses) from survey instruments containing data after receiving them from study participants;
- At the end of the study, or when you are no longer required to keep the data, properly dispose of, destroy, or delete study data/documents (simply deleting data from a computer or disk is not sufficient; additional steps must be taken to permanently remove it from the hard drive);
- Securely store data documents within locked locations and/or assign security codes to computerized records;
- If the data will be stored on a multi-user server, the specific server name and IP address should be included with the protocol. Also include who has access to the server and describe the security of the server;
- No data containing PHI or PII may be stored in external organization storage, such as Google Docs, unless the organization has appropriate legal documentation approved in advance to do so.
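The coding and face-sheet safeguards from the list above, sketched as an added example that is not part of the original post: identifiers are split from the responses, each record gets a random study code, and the linking list is written to a separate owner-only file. The column names, file name, and sample rows are constructed assumptions, and the file permissions assume a POSIX system.

```python
import csv, io, os, secrets, tempfile

# Constructed sample intake data (not real participants).
SAMPLE = """name,address,q1,q2
Ana Diaz,12 Oak St,4,2
Ben Cho,98 Elm Ave,5,1
"""
IDENTIFIERS = ("name", "address")  # assumed identifier columns

def new_code(existing):
    """Random code that cannot be derived from the person; retry on collision."""
    while True:
        code = "P-" + secrets.token_hex(4).upper()
        if code not in existing:
            return code

def split_records(rows):
    """Return (coded_data, linking_list); coded rows carry no identifiers."""
    coded, link = [], {}
    for row in rows:
        code = new_code(link)
        link[code] = {k: row[k] for k in IDENTIFIERS}
        answers = {k: v for k, v in row.items() if k not in IDENTIFIERS}
        coded.append({"code": code, **answers})
    return coded, link

def write_linking_list(link, path):
    """Create the linking file with owner-only access (POSIX mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["code", *IDENTIFIERS])
        for code, ident in link.items():
            writer.writerow([code, *(ident[k] for k in IDENTIFIERS)])

def demo():
    rows = list(csv.DictReader(io.StringIO(SAMPLE)))
    coded, link = split_records(rows)
    # Temp dir stands in for the separate, restricted location.
    path = os.path.join(tempfile.mkdtemp(), "linking_list.csv")
    write_linking_list(link, path)
    return coded, link, path

if __name__ == "__main__":
    coded, link, path = demo()
    print(coded)
    print("linking list written to", path)
```

Only the coded rows would go to analysts; the linking file stays with the personnel named in the protocol.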
What happens if, despite all steps to protect the data, a breach occurs? Any loss of or breach of security relating to research data containing PHI or PII must be reported (1) to the IRB as an Unanticipated Problem Involving Risks to Subjects or Others; and (2) to the study Sponsor (if applicable).
Examples of security breaches include: (1) lost or stolen desktops, laptops, USB drives, CD/DVD/Zip drives, etc. with stored data; (2) a compromised account which is used to look up data (e.g., unauthorized user has had access to the account); (3) a compromised workstation or server that contains data; and (4) accidental disclosure of data to unauthorized recipients (e.g., sending data to an incorrect email address).
Study data must be protected at all stages of research; the methods described above are examples of ways to guard against threats to both privacy and confidentiality. The information in this blog posting provides some examples, but each study is different. Solutions IRB is happy to consult with evaluators and researchers during the planning phase to develop an appropriate data protection plan.
Written by Dana Gonzales, PhD, MHSA, CIP for Solutions IRB, LLC.