Data Security & Storage
Data security is a general concern at universities. Be sure to review the Seattle University Data Privacy Policy (last updated July 2011) for a general discussion of how best to handle confidential, high-risk confidential, and personal information. The SU HR department also has some excellent information on FERPA (the Family Educational Rights and Privacy Act of 1974), and the university division of Risk & Cybersecurity offers clear tutorials on cybersecurity basics, including when not to use public Wi-Fi, how to deploy a VPN, how to password-protect sensitive files and emails, and how to turn on MFA for all professional accounts.
All of these are potentially relevant concerns for you as you develop a research protocol that includes robust protection of participant data. Because we are concerned with data gathered in a research project, however, there are additional concerns to be addressed.
Questions to consider when developing your protocol application include:
- Where will my participant data be stored?
- Who will have access to the data?
- Am I storing the data in the safest manner?
- Could these data be lost?
At the end of a study, what will you do with your data? You may choose to delete or destroy the data. An alternative is to de-identify the data and store them securely.
Student PIs should ensure that faculty advisers have access to any data collected as part of student research projects. All data should be fully de-identified or transferred to the faculty adviser's possession prior to student graduation (which is also when IRB approval expires).
What kinds of data are you collecting, and in what formats? This also affects how you store them.
Paper Data
Either scan paper data into an electronic format for storage, or keep those papers in a locked filing cabinet in a secure office. Once data have been transferred to an electronic format, destroy the original paper forms (e.g., by shredding), unless keeping original paper copies is required (e.g., by professional standards).
Audio or Video Tapes
Once video or audio recordings are transcribed, destroy the recordings as soon as the accuracy and completeness of the transcriptions have been verified. If using an external transcription agency, you must provide evidence of their policy with respect to the security and deletion of original recordings.
If using recordings as primary data sources and not transcribing them, take extra precautions to secure the recordings, particularly those containing identifiers. Further, retain such recordings at the end of the study as research data.
Electronic Data
Most researchers now rely primarily on electronic forms of data -- and also on online platforms, software packages, and apps to deploy and process them. This requires certain safeguards, in addition to the general university ones outlined above.
First and foremost, limit access to your participant data to authorized and identified persons. This includes using password-protected files and devices.
Be very careful, especially with the ubiquity of Cloud-based data storage options, that participant data does not get mixed in with your personal data and get uploaded to your personal or family Cloud.
Free versions of Dropbox, Google Docs, or other third-party servers are not secure. In fact, free versions of anything online are typically not secure and/or not private -- that is why they are free. Use Dropbox Business, Box, or another secure server that supports encryption. The university typically offers secure options to all its staff and faculty.
Do not store data solely on portable media, such as electronic recording devices (e.g., cell phones, tablets, thumb drives). While data may be collected and/or transferred using portable devices, transfer such data as soon as possible to a desktop computer and back up the data to secure servers or secure Cloud storage. In general, back up all electronic data frequently to a secure source.
Use layers of passwords to protect data: on files and folders, and also on your devices and your Cloud storage. Turn on MFA (multi-factor authentication) for accounts wherever possible, through an Authenticator app, SMS, or email.
If using Qualtrics to deploy and analyze online surveys, monitor closely who has access to the data. When downloading data from Qualtrics, follow the recommendations above.
Maintain a distinct separation of data from identifiers. If identifiers are necessary for editing, analysis, etc., delete them from data as soon as possible.
Terms to Know
CODED: When a researcher replaces identifying information (names, addresses, etc.) with a code involving letters, numbers, or some other combination AND the researcher maintains a separate list with a code key, so that linking the data with the list would reveal an individual's identity and responses.
NON-IDENTIFIABLE DATA: When the researcher does not collect any direct identifiers (name, address, etc.), does not collect enough indirect identifiers (age, race, gender, etc.) for a combination of them to reveal an individual's identity, OR when no code exists to link an individual to responses.
DE-IDENTIFIED DATA: When all potentially identifying information has been stripped from the data, so that neither the researcher nor any other person could re-identify an individual in connection with the data.
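To make the distinction between coded and de-identified data concrete, here is an added Python example (not from this page or from Seattle University) that codes constructed sample records into a data file plus a separate code key, shows what the key allows when it is kept next to the data, and then de-identifies the coded data by dropping the code and coarsening indirect identifiers. The field names, record values, and binning rules are assumptions.

```python
import secrets

# Constructed sample records; no real participants.
RAW_RECORDS = [
    {"name": "A. Example", "email": "a@example.edu", "age": 34, "zip": "98122", "score": 7},
    {"name": "B. Example", "email": "b@example.edu", "age": 41, "zip": "98105", "score": 4},
]

DIRECT_IDENTIFIERS = ("name", "email")  # values that name a person outright

# Indirect identifiers: None means drop the field, a function means generalize it.
GENERALIZE = {
    "age": lambda a: f"{(a // 10) * 10}s",  # 34 -> "30s"
    "zip": None,
}


def code_records(records, direct=DIRECT_IDENTIFIERS):
    """Return (coded_data, key). Coded rows carry only a random code; the key
    is the separate list that links each code back to the direct identifiers."""
    coded, key = [], {}
    for rec in records:
        code = secrets.token_hex(4)  # unguessable, unlike a sequential id
        while code in key:  # vanishingly unlikely, but keep codes unique
            code = secrets.token_hex(4)
        key[code] = {f: rec[f] for f in direct}
        coded.append({"code": code, **{k: v for k, v in rec.items() if k not in direct}})
    return coded, key


def relink(coded, key):
    """What the code key makes possible: this is why the key must live apart
    from the data and be deleted as soon as it is no longer needed."""
    return [{**rec, **key[rec["code"]]} for rec in coded]


def deidentify(coded, generalize=GENERALIZE):
    """Strip the code and coarsen or drop indirect identifiers, so that even a
    retained key can no longer be linked back to any row."""
    out = []
    for rec in coded:
        row = {}
        for k, v in rec.items():
            if k == "code":
                continue
            if k in generalize:
                if generalize[k] is not None:
                    row[k] = generalize[k](v)
            else:
                row[k] = v
        out.append(row)
    return out
```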
See also the guidance section on Anonymity, Privacy, and Confidentiality.