Content.research.uconn.edu



Tips for Completing the Data Security Assessment Form

This document was developed to provide additional clarification to support the completion of the data security assessment form. This form is used as a tool to aid the IRB in conducting a risk assessment. Ideally, these guidelines and assessment efforts will help you better understand risks so you can develop a plan to protect data privacy with our assistance. There is no one-size-fits-all approach to securing research data. Each investigator must consider the approach that best protects participant privacy and security of data collected from and about participants.

As you initially develop your plans and procedures, consider the following:

- Collect only the data necessary to answer your research questions so that risks to participants are minimized to the extent possible.
- Before completing this form, draft an outline of what data is collected, how it is collected, where the data is stored and how it may be transmitted to facilitate completion of the form.
- Consider consulting with your department IT staff and/or UITS staff for assistance in procedures to protect the research data given the current resources available to you.
- Meet with your research team to assess data security requirements.
- Whenever possible use the resources available from UConn as your first option. Be prepared to provide an explanation if other, non-UConn resources are necessary.
- Again, collect only the data necessary to answer your research questions so that risks to participants are minimized to the extent possible.

Follow these tips to avoid a delay in the review process:

- Review the Data Security and Internet-Based Research IRB Guidance.
- Ensure you are using the most current Data Security Assessment Form.
- Complete all applicable sections.
- Include all activities specific to the research study.
- Consult with department IT staff and/or UITS if you are unsure how to answer any of the questions.
- Contact IRB staff for clarification or consultation if you have questions.

Part A

This section reflects what the university considers as identifying information and includes a separate section to list any other unique identifying labels. Be sure to check all that apply and, if no identifiers are collected, select anonymous. As technology advances, so does the type of identifiers that may be collected. For example, many devices or apps collect the participant’s location using geolocation, which can be considered an identifier.

The description of sensitive data is by no means limited to the risks listed. Carefully consider risks to participants.

For NIH funded research, be sure you are aware of the requirements noted here - section 2.3.12 Protecting Sensitive Data and Information in Research.

If sharing Genomic Data, be sure you are aware of the NIH policy.

Part B

This section relates to the technology that will be used to collect data during the course of the study. Note that it may be necessary to contact the vendor or developer of the tool to obtain the information. Due to variability in the tools being used, these issues need to be addressed for each technology being used. If you are going to be using these technologies, it is important that you or your data manager understand how the technology functions and the options available to secure the data collected.

Mobile App

You may choose to utilize a commercial mobile app available publicly from an online source such as Apple, Amazon, or Google.
Alternatively, you may wish to develop your own custom application, or have one developed specifically for your study.

The answers to the questions in this section will assist the IRB in understanding the risks to the study participants in their use of the mobile app.

Please be aware that data stored on mobile devices is often automatically backed up to cloud storage systems such as Apple’s iCloud or to Google services. If data is sensitive and identifiable, encryption should be used to prevent the data from being stored and potentially accessible to those cloud service providers.

Mobile apps may require review by the FDA as a medical device (mHealth). Be sure to be aware of the following guidances - Mobile Medical Applications and Cybersecurity.

Web-based site, survey or other tool

Many researchers may need to create custom websites to interact with participants. It is important that these sites are behind UConn firewalls. Under limited circumstances, other sites may be used to host the sites but only after careful consideration. The goal is to minimize the risk of inadvertent disclosure of participants’ information and to know who may have access to the data.

It is highly recommended that UConn researchers consider use of the UConn licensed version of Qualtrics first when conducting survey research.
If you choose to use another survey tool, be prepared to contact the vendor for detailed information on their security controls to complete the form.

Be sure that the website complies with The Children’s Online Privacy Protection Act (COPPA).

Wearable device

Technologies such as fitness trackers may be used to collect data such as footstep counts, sleep monitoring, heart rate/pulse, and other biomedical information.

While this data may seem innocuous and non-sensitive, as these devices advance and collect more detailed information on the study participant’s location, health and welfare, investigators must carefully consider the requirements to ensure confidentiality of the data and the participant’s privacy to the extent possible.

When possible, any registration required to use the device should be completed by the researchers instead of the participant. This limits the exposure of the participant’s identifying information being shared with a third party.

Please fully document how data will be transmitted from the wearable device to the research study team. For instance, if you plan to have the device sync wirelessly with an app running on a mobile device, such as the study participant’s mobile phone, you should make that clear in this section. Note that if you are planning to use a mobile app for syncing and transmitting data, the Mobile App section needs to be filled out as well.

Mobile apps may require review by the FDA as a medical device (mHealth). Be sure to be aware of the following guidances - Mobile Medical Applications and Cybersecurity.

Electronic audio, photographic, or video recording or conferencing

Consider where photographs, video recordings, and audio recordings are stored in the short and long term. Most mobile apps used for recording or photography have cloud-based storage where the information recorded on a device goes directly to their site.
Who has access to the recording, how will they use the information, who will they share it with, and when, if ever, will it be destroyed? Take the time to understand the privacy policy of the products you are using to maintain control of the research data and the ability to protect it.

Due to all the technology available, it is possible to easily record conversations. Carefully review Connecticut State Laws and UConn policy as you consider this procedure. Remember that even data stored on legacy technologies such as audio tape, photographic film, or even VCR needs to have physical protections against loss or theft.

Text messaging

Should you choose to use text messages to communicate sensitive research data, first consider giving the study participants a device provided by the researchers to limit the risk of breach of confidentiality. The use of the study participant’s own personal device would be tied to their telephone number, which is easily tied back to the participant’s identity. In addition, messages may be stored by the study participant’s cellular service provider, further increasing the risk of breach of confidentiality of the study text messages.

Part C

Indicate what happens to the data during data collection. Where is it stored? Remember the first option should be a solution provided by UConn.

Depending on the data, it may be acceptable in some circumstances to collect on your personal computer if no personal identifiers or sensitive information are collected, but then you must certify that anti-virus software is installed and up-to-date.

If you are transmitting data outside the university, how is this being done? Are you encrypting the data or using a secure email service to share this information? If sending to your sponsor, contact them directly and ask them for the security controls. Keep in mind that email messages are not secure.
It is often convenient to store data on a USB drive or other removable media, but these tools are easily lost or stolen and present a significant risk to the security and availability of your research data. If these tools are used, be certain they are password protected and encrypted to decrease the risk of access by others. Review the resources UConn provides to secure data.

Part D

Indicate what happens to the data once collected. Where is it stored? Remember the first option should be a solution provided by UConn.

Depending on the data, it may be acceptable in some circumstances to collect on your personal computer if no personal identifiers or sensitive information are collected, but then you must certify that anti-virus software is installed and up-to-date.

If you are transmitting data outside the university, how is this being done? Are you encrypting the data or using a secure email service to share this information? If sending to your sponsor, contact them directly and ask them for the security controls. Keep in mind that email messages are not secure.

It is often convenient to store data on a USB drive or other removable media, but these tools are easily lost or stolen and present a significant risk to the security and availability of your research data. If these tools are used, be certain they are password protected and encrypted to decrease the risk of access by others. Review the resources UConn provides to secure data.

Part E

Review the Confidential Data, Information Technology policy before completing this section. Who will have access to the data and who is going to be responsible for providing this access? Depending on the sensitivity of the data, an IT or experienced data manager may need to be responsible for ensuring the data is protected.

Regulations require that the data be stored for a minimum of three years after the study has ended. Plan for the long-term storage of the data. Depending on the sponsor (e.g.
NSF, USDA), FDA regulations (drug and device) and population being studied, additional retention may be required.

Terms of Service or End User License Agreement (EULA)

The researcher has the duty and responsibility to carefully review the EULA in detail to understand potential known and unknown risks to participants. Note that many of these agreements give the vendor permission to capture information from personal devices (e.g., contact list, emails). This data may be used for marketing or other activities or even sold to another party. If you do not understand the language in the agreement, consult with your department’s IT staff, UITS and, if necessary, legal.

Please note that the PI is ultimately responsible for ensuring that participants are informed of any possible risks with regard to the EULA. For example, if the EULA gives the vendor permission to access data, participants may not be told that only members of the study team will have access to the study participant's information.

The IRB gratefully acknowledges the University of Pittsburgh IRB for providing the template for this document.