Office of Research | University of Michigan



-2857569215Office of Human Research Compliance Review (OHRCR)Initial Compliance Assurance Review and Education (ICARE)Electronic Data Security Questions for Investigators BackgroundOne area of focus for researchers is data confidentiality. A particular concern is the protection of personal and confidential electronic information of subjects who participate in research studies. Federal human subjects regulations on data confidentiality are broadly written, thereby providing flexibility, but not providing practical guidance. Because of rapid innovation in electronic technology and broadly written regulations, guidance and interpretation of strategies to assure confidentiality for human subjects research are important. This document, was a collaboration between the UM’s Office of Human Research Compliance Review (OHRCR) and UM’s Office of Information and Infrastructure Assurance (IIA), and was reviewed by the University of Michigan Health System (UMHS) Compliance Office. It is designed to assist investigators in assessing the adequacy of data protection mechanisms in place for a given study. Each department, or school, at the university has a Security Unit Liaison (SUL) that may be able to assist investigators with this guidance. A list of SUL's by department is available at: Practices*Although having some limitations, a common method used to assess security of an environment is to compare that environment with best practices. Following is a compilation of best practices: Do not collect personally identifiable information (PII) that is not needed.If using indirect identification, de-identify data as soon as possible after collection if direct identifiers are not needed.Store identifying information separate from research data or encrypt it (or both).Restrict physical access to any system for collection, storage, processing or transmitting identifying information.Restrict electronic access to identifying information.Do not store identifying information on portable devices (e.g. laptops, thumb drives, external hard drives).If it is necessary to store identifying information on portable devices, encrypt it. Recommendations to encrypt data are dependent on risk to subjects if the data are breeched.If identifying information is transmitted over public networks (internet), encrypt it.Ensure that systems storing identifying information are professionally managed.Securely delete identifying information as soon as it is no longer needed.These best practices are presented with four cautions: 1) For FDA regulated studies, do not delete identifiers until the recommended?record storage?time period?has ended. 2) Study risk affects implementation of best practices with higher risk studies implementing more stringent practices. 3) Best practices may need to be adapted to fit the discipline, the study design or the setting of the research. 4) Not all best practices apply to each research study.Data Security/Confidentiality Screening QuestionsThe following questions are designed to help investigators determine their degree of consistency with best practices. In doing so, potential vulnerabilities can be identified and mitigation techniques can be implemented. Additional questions are also provided to identify security issues and trends beyond the scope of best practices listed above. OHRCR reviews study precautions with the IRB approved data security and confidentiality precautions in section 11 of eResearch. Data CollectionAre the research data as collected or as obtained from pre-existing sources directly identified (subject identifiers stored with research data) or indirectly identified (stored with “key” that links identifiers with research data)?DirectlyIndirectlyComments:Are data captured electronically from subjects directly, with no hard copy data collection, for example a subject entering survey responses on a monitor screen?YesNoComments:Data StorageAre research data stored in password protected files?YesNoComments:Are data downloaded, for example to laptops, thumb drives or phones to provide local access to data?YesNoComments:Are subject identifiers and research data backed up?YesNoComments:When and how are subject identifiers destroyed?Notes: (1) This question should be answered in the IRB submission, and is confirmed as part of the OHRCR review process. Educational Note: Link on how to delete data securely: (2) For FDA regulated studies destroying identifiers does not allow the subjects data to be linked to their informed consent. Destroy identifiers according to university policy (OM, Part 11, Section III.G.1) currently has physical access to the system(s) or backups that contain subject identifiers and research data? Please list name and role in research project:Who currently has electronic access to subject identifiers and research data? Please list name and role in research project:TransmissionAre subject identifiers and research data ever transmitted over the Internet, either coming from others or being sent to others? For example:To co-investigators or colleagues at other UniversitiesFrom a collection site back to the UniversityUploaded to an external laboratory or analysis consultancyVia email to oneselfYesNoComments:Are subject identifiers and research data ever accessed remotely (from off campus)? For example:From HomeFrom a coffee shopYesNoComments:When you are in the office or on campus, do you use a wireless network to access (subject identifiers/research data)?YesNoComments:Systems ManagementAre all systems where subject identifiers and research data are stored professionally managed by a University IT department?YesNoComments:Note: If self-managed, provide the link to “Three Security Essentials for Your PC”: you using any 3rd party internet services to access or store research data, (cloud computing)?YesNoComments:Note: If yes, see University of Michigan policy at: members of the research team browse the web or read email from the same machines where they access or store (subject identifiers/research data)?YesNoComments:Note: If this cannot be avoided, provide the link to “How to Browse the Internet and Read E-mail More Securely”: you have policy or standard operating procedure (SOP) to cover a breach in computer security?YesNoComments:Note: You are not required to have unit-specific policies or SOPs on computer security. Below are several web links that can assist you in understanding UM’s policy on computer security. (Information Security Incident Reporting Policy – University-wide) (Proper Use of Information Resources, Information Technology and Networks at the University of Michigan – University-wide) (Quick Reference Guide to Reporting a Security Incident – University-wide. To access the quick reference guide, click on the yellow box in the center of the page.) (Reporting a Compliance Concern - UMHS) (IT Security Unit Liaison List – University-wide)To whom would you report a breach in computer security? Please provide name and position: ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download