
Data Security

Overview

Federal regulations and institutional policy require BYU IRB to determine the adequacy of provisions to protect the privacy of subjects and to maintain the confidentiality of their data. To meet this requirement, federal regulations require researchers to provide a plan to protect the confidentiality of research data. Today, the majority of data is at some point collected, transmitted, or stored electronically.

The purpose of this guidance is to help the research community develop best practices for managing electronic data and hardcopy files. These best practices will need to adapt as technology evolves, so it is important that research teams keep current with the guidance and resources offered by the University. In addition, research is now a global enterprise, and investigators should understand the international laws or regulations that may apply when conducting research outside the United States.

The Principal Investigator (PI) is responsible for ensuring that research data is secure when it is collected, stored, transmitted, or shared. All members of the research team should receive appropriate training about securing and safeguarding research data. For example, the research team should understand they need to document their standard practices for protecting research data so that they can provide these details to the IRB if a mobile device is lost or stolen. Data security must be discussed regularly at research team meetings, and data security details must be included in the study data and safety monitoring plan. The University offers a wide range of training for all faculty, staff, and students, and we encourage investigators to consult with their IT staff and/or departmental data security experts to develop standard best practices. (With permission of the University of Pittsburgh HRPO)

The following recommendations are to assist you in designing a data security and storage plan for your study. The recommendations are extensive, but not exhaustive. Please consider all facets of your study requiring data storage and security.


IRB BOX Recommendations

The IRB strongly recommends storing your study materials (consent materials, data, etc.) in your BOX account. The recommendations in the following sections apply to file storage in BOX, as well, but provide more specific guidance to consider when developing the data security and storage part of your study.

University Information Security Program

The institutional administrative procedures provide information about implementing safeguards to protect nonpublic information including:

  • Risk Based Implementation
  • Limiting Access to Information
  • Management and Training
  • Physical Security
  • Information Systems Security
  • Selection of Appropriate Service Providers


Use Coded Identifiers and a Master Key

One of the easiest ways to help protect the confidentiality of data that you collect is through the use of coded identifiers.

  • Assign each study participant a random unique identifier.

  • Develop a master key to enable the organization of identifying information and data (preferably in an electronic format and vigorously protected with encryption and passwords). Investigators and programs engaged in work where very sensitive and/or federally protected data are gathered should be charged with identifying and implementing file encryption to convince the IRB that robust safeguards are in use.

  • Enter the contact or other identifiable information you collect into the master key.

  • Record the coded study identifiers in the master key.

  • Once the data are organized and analyzed, the master key (and participant contact information forms, if used) should be destroyed. If it is important to your study to keep the master key, please provide a detailed rationale to the IRB. In your proposal, detail how and when these keys will be destroyed.

  • Data documents should have only the data and the study ID code; all other identifiers must be eliminated.

  • Ideally, the informed consent, data, and the master key should be transported and stored independently, but reasonable alternatives can be proposed and approved.
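The following script is an added illustration of the coded-identifier workflow described above; it is example code written for this page, not material from BYU IRB or the University. The participant records are constructed and fictitious, and all function names are my own. It assigns each participant a random study code, splits intake records into a master key (code plus identifiers) and a de-identified data set (code plus study fields only), checks that no identifying value has leaked into the data file before it is shared, and clears the master key as the final step. Encryption of the master key file is assumed to be provided by wherever it is stored (for example, BOX) and is not shown.

```python
import csv
import io
import secrets
import string

# Constructed intake records: fictitious participants, not data from any study.
INTAKE_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.org", "phone": "555-0101",
     "age": 34, "score": 71},
    {"name": "Ben Sample", "email": "ben@example.org", "phone": "555-0102",
     "age": 29, "score": 64},
    {"name": "Cy Placeholder", "email": "cy@example.org", "phone": "555-0103",
     "age": 41, "score": 88},
]

# Columns that identify a person; every other column is study data.
IDENTIFYING_FIELDS = ("name", "email", "phone")

# Alphabet for study codes (uppercase letters and digits).
CODE_ALPHABET = string.ascii_uppercase + string.digits


def new_study_code(taken, length=8):
    """Return a random study code not already present in `taken`.
    secrets.choice is cryptographically random, so codes carry no order or
    identity information (unlike sequential numbers or initials)."""
    while True:
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        if code not in taken:
            return code


def split_records(records, identifying_fields=IDENTIFYING_FIELDS):
    """Split intake records into a master key (code -> identifiers) and a
    de-identified data set (study code plus non-identifying fields only)."""
    master_key = {}
    data_rows = []
    for rec in records:
        code = new_study_code(master_key)
        master_key[code] = {f: rec[f] for f in identifying_fields}
        row = {"study_id": code}
        row.update({k: v for k, v in rec.items() if k not in identifying_fields})
        data_rows.append(row)
    return master_key, data_rows


def master_key_rows(master_key):
    """Flatten the master key into rows for its own, separately stored file."""
    return [{"study_id": code, **ident} for code, ident in master_key.items()]


def to_csv(rows):
    """Serialize a list of dicts to CSV text; data and key go to separate files."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def leaked_identifiers(text, master_key):
    """Return every identifying value from the master key that appears in `text`.
    Run this over the data file before sharing it; the result must be empty."""
    values = {v for ident in master_key.values() for v in ident.values()}
    return sorted(v for v in values if v in text)


def destroy_master_key(master_key):
    """Final step once analysis is complete: remove the link between code and person."""
    master_key.clear()
    return len(master_key) == 0


if __name__ == "__main__":
    key, data = split_records(INTAKE_RECORDS)
    data_csv = to_csv(data)
    print(data_csv)                            # study_id, age, score only
    print(leaked_identifiers(data_csv, key))   # [] when de-identification succeeded
    print(destroy_master_key(key))             # True once the key is cleared
```

The leak check is deliberately a plain substring scan over the whole file rather than a per-column check, so it also catches an identifier that was pasted into a free-text field. A non-empty result means the data file must not leave the secure location until it is corrected.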


Plan for Data Transport, Storage, and Security

Ideally, transport of data (whether through physical or electronic means) should be limited to reduce the risk of loss or theft. When it is not in transit, data should be stored in a secure location accessible only to authorized study personnel. The IRB highly recommends using BOX, Brigham Young University's online file storage platform, for all data storage and transportation. For instance, scanning the documents on site to BOX eliminates the need to secure identifiable physical data for transport.

  • Data that are transported physically from a study site to an investigator's office or lab should be locked in a secure container (e.g., a briefcase or lockbox). If possible, a personal vehicle (rather than public transit) should be used.
  • Data must be transported separately (whether in separate electronic files or physical containers) from consent documentation or master keys. This ensures that if data is lost or stolen, there will be no associated identifiable information at risk of disclosure.
  • Identifiable data and documents should not be stored (except temporarily and out of necessity) at the investigator's place of residence. All identifiable study materials and data should be stored securely on Brigham Young University campus. (Note: De-identified data sets may be used for analysis, etc. off-campus).
  • Electronic data should be stored only on password-protected (and, if possible, encrypted) storage media or computers.
  • Copies of electronic data files should be kept to an absolute minimum. If multiple study personnel need access to the data, storage in a central secure location such as BOX is preferable over multiple copies being provided.
  • Electronic data should not be sent over email; if this is unavoidable, only de-identified data may be sent.
  • Data (whether electronic or physical) must be stored separately from the master code key.

It is recommended that you include in your IRB research proposal the following information: how data will be transported (if applicable); where data will be stored; what security measures will be used; who will have access to the data; and how any identifiable information (consent forms, code keys, etc.) will be kept separately and securely from data files.


Establish a Data Retention Plan

In accordance with federal guidelines and institutional policy, the IRB requires that study data and consent forms must be maintained securely for, at minimum, three (3) years after the completion of a study (this applies only to non-exempt research). Regulations, best practices, and ethical guidelines in your specific discipline (e.g., those related to data covered by HIPAA, APA, AAA) may dictate a longer retention schedule. The IRB requires the following data retention practices.

  • During the retention period, data, signed consent forms and other documentation related to human subjects must be stored in the manner described in the IRB-approved protocol. Access must be limited to those identified in the approved protocol as having access to study data.
