Data Security Assessment Form



Date: FORMTEXT ?????Principal Investigator: FORMTEXT ????? Student Investigator (if applicable): FORMTEXT ?????This form must be completed and submitted to the IRB for protocols that collect, transfer, or store identifiable data. Please review the IRBs Research Data Security webpage for helpful information when completing this form. It is important that all sections are complete for the IRB to assess risks and ensure safeguards are in place to protect human subjects. If you have any questions, please contact the RCS office at 860-486-8802 or irb@uconn.edu. All University owned machines must have encryption enabled by default. A university owned computer or device must be used for all storage of photographic images, or voice recordings, data protected under HIPAA and FERPA, and comply with UConn’s Confidential Data Policy. Additionally, research data may be stored on UConn secure drives, such as P and R, or the use of university authorized cloud services, such as UConn Office 365 (e.g. OneDrive/SharePoint). UConn does not recommend the transmission of identifiable datasets by email due to the inherent risk of compromise. Identifiable data should be transmitted via a secure service, such as Office365, FileLocker, a secure website, or by using secure protocols, such as a File Transfer Protocol (FTPS). Data collection software, data analysis software, and cloud compute/storage used for research must be approved for university use by Information Technology Services and procured through University Procurement prior to use. Contact your department administrator to obtain authorization for software not vetted by UConn ITS and Procurement prior to use.All faculty, students, and staff engaged in human subjects research must follow UConn ITS standards and policies.Part A – Identifiers to be collected (check any that apply):Check any identifiers that will be collected during any phase of the research FORMCHECKBOX Name FORMCHECKBOX Electronic mail address FORMCHECKBOX Social security number FORMCHECKBOX Telephone or Fax Number FORMCHECKBOX Internet protocol (IP) address or Web universal resource locators (URLs) FORMCHECKBOX Medical record number FORMCHECKBOX Any information about a person’s past or present physical or mental health condition; provision of health care to an individual, or past, present, or future payment for the provision of health care to the individual-protected health information (PHI) FORMCHECKBOX Electronic protected health information (ePHI): emailed lab results, stored X-rays/MRIs on computer, health information stored on a mobile device FORMCHECKBOX Device identifiers/serial numbers FORMCHECKBOX Biometric identifiers (e.g. fingerprints, identifiable images/photos, retinal scan) FORMCHECKBOX Video or Audio recordings FORMCHECKBOX Account numbers FORMCHECKBOX Driver’s license numbers or identification (alien registration, state ID or passport ID number) FORMCHECKBOX Vehicle identifiers and serial numbers, including license plate numbers FORMCHECKBOX List any other unique identifying number, characteristic, or code to be collected. Include any data considered identifiable private information (information for which the identity of the subject is or may readily be ascertained by the investigator or associated with the information): FORMTEXT ????? FORMCHECKBOX Any geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes. FORMCHECKBOX Any geolocation data (use of latitude and longitude geographic coordinates that can be used to identify the physical location of a device)Please specify: FORMTEXT ????? FORMCHECKBOX All elements of dates (except year) for dates directly related to an individual, including birth date(mm/dd/yyyy), admission date, and discharge date.Please Specify: FORMTEXT ????? FORMCHECKBOX Any data other than self-reported that falls under the Family Rights and Privacy Act (FERPA), which may include but not be limited to the following: grades/transcripts/test scores, courses taken, schedule, advising records, educational services received, disciplinary actions, student financial aid, grants, and loans, admissions and recruiting information including high school grade point average, high school class rank, etc., or student personnel records.Please refer to the University's FERPA policy for additional information.Please list the specific FERPA covered variables used for this research: FORMTEXT ?????Will this research collect electronic informed consent (eIC)? FORMCHECKBOX Yes FORMCHECKBOX NoIf yes, describe the process of obtaining an electronic signature in Part B.As a reminder, please clearly describe all data collection methods and how data will be stored and transmitted in the informed consent form. Include the risks of each method and a clear description of how information about participants is protected. Consistency between forms will help facilitate the IRB’s review of the submission.Part B – How will you collect research data? Mobile App FORMCHECKBOX Not applicableName of the app: FORMTEXT ?????Was the app created by a member of the research team? FORMCHECKBOX Yes FORMCHECKBOX NoWhat device will be used to access the app? Please check all that apply: FORMCHECKBOX Personal phone that belongs to the research participant FORMCHECKBOX A study phone provided to the participant FORMCHECKBOX A designated study phone used by the researcher to collect data FORMCHECKBOX Personal phone that belongs to the researcherWill data be stored on device for an interval of time? FORMCHECKBOX Yes FORMCHECKBOX NoWill the app be able to access other device functionality, such as Location, Contacts, Notifications, etc.? FORMCHECKBOX Yes FORMCHECKBOX NoProvide any additional information: FORMTEXT ????? Web-based electronic data collection software, such as survey panels, or another tool FORMCHECKBOX Not applicable UConn Data Storage Options: FORMCHECKBOX UConn licensed Qualtrics FORMCHECKBOX UConn REDCap FORMCHECKBOX Other FORMCHECKBOX If Other, you are required to answer all 5 questions below:Name the site hosting the survey: FORMTEXT ?????Does the technology utilized allow for the explicit exclusion of the collection of Internet Protocol (IP) address or geolocation of the participant’s connection? ? FORMCHECKBOX Yes FORMCHECKBOX No??????? ? If Yes, will you utilize this option to exclude the collection (anonymize function)?? FORMCHECKBOX Yes FORMCHECKBOX NoIf collecting data from minors (<18 years old), does this site comply with the Children’s Online Privacy Protection Act (COPPA)? FORMCHECKBOX Yes FORMCHECKBOX NoProvide any additional information: FORMTEXT ????? Wearable Device FORMCHECKBOX Not applicable * Complete the mobile app section above if a mobile app will be used with the wearable deviceName of wearable device: FORMTEXT ?????Is wearable device provided by participant or researcher? FORMCHECKBOX Participant device FORMCHECKBOX Researcher provides deviceIs wearable device registered by participant or researcher? FORMCHECKBOX Participant registers device FORMCHECKBOX Researcher registers deviceWill the device collect identifiable information? (please refer to Part A of this form) FORMCHECKBOX Yes FORMCHECKBOX NoProvide any additional information: FORMTEXT ????? Digital audio or video recording, video conferencing, or photographic images FORMCHECKBOX Not applicable *Refer to the Research Data Security webpage on the UConn IRB’s website for more informationWill this research utilize videoconferencing? FORMCHECKBOX Yes FORMCHECKBOX NoIf yes, will data from videoconferencing be recorded? FORMCHECKBOX Yes FORMCHECKBOX No Describe the method of capturing the study recording or image (e.g., digital recorder, study cell phone, WebEx, Teams, etc.) FORMTEXT ?????Will a transcription service be used to transcribe recordings? FORMCHECKBOX Yes FORMCHECKBOX NoIf yes, please provide the name of the transcription service. FORMTEXT ????? *If using a transcription service, please include the confidentiality agreement with the submission. Provide any additional information: FORMTEXT ????? Text messaging FORMCHECKBOX Not applicable Will you use current text messaging available on the device or will a separate application be downloaded (e.g., Whatsapp, etc.)? FORMCHECKBOX Current text messaging service on device FORMCHECKBOX Other*If the latter, ensure mobile app section above is completed.What device will be used by the participant? FORMCHECKBOX The participant’s personal phone FORMCHECKBOX Researcher provides phone to participantWhat device will be used by the researcher? FORMCHECKBOX The researcher’s personal phone FORMCHECKBOX A phone not used for personal use, but designated specifically for the research Will messages be limited to appointment reminders? FORMCHECKBOX Yes FORMCHECKBOX No If no, what is the content of the messaging? FORMTEXT ?????Will the text messaging communication be one-way or two-way? FORMCHECKBOX One way FORMCHECKBOX Two wayProvide any additional information: FORMTEXT ????? *When using messaging software such as Whatsapp, Facebook, or others, please be sure to describe the privacy parameters in the study protocol and consent form. Hard Copy/Paper FORMCHECKBOX Not applicableWill paper copies of documents, (e.g., surveys, data collection forms) be used to record data in this research? FORMCHECKBOX Yes FORMCHECKBOX NoIf yes, will any document include identifiable information (Please see Part A), or will the documents be labeled with a code or pseudonym? FORMCHECKBOX Identifiable information will be recorded on form FORMCHECKBOX Documents will be codedIf data will be coded, please provide a response to #5 under Part C of this form.Provide any additional information: FORMTEXT ????? Part C – Transmission, processing, and storage of research data (temporary and long term) *If sharing data outside UConn, it is important that Sponsored Programs Services Contract Office, at spscontracts@uconn.edu be contacted as early as possible to determine whether a Data Use Agreement or Contract is required. All identifiable data must be transmitted via a secure service, such as Office365-OneDrive, FileLocker, a secure website, or by using secure protocols, such as a File Transfer Protocol (FTPS).Describe where the transmission, processing, and storage of data will take place from each device used for data collection (e.g., mobile apps, electronic surveys, wearable devices, any recordings and images, text messages, hard copy, and transcription data). Be sure to include how data will be transmitted and stored in the consent form.Server FORMCHECKBOX UConn ITS Managed Server. FORMTEXT ????? FORMCHECKBOX Are you or Department operating your own server within UConn for this research? FORMCHECKBOX Other (describe): FORMTEXT ?????Cloud File Storage (Note: UConn Google Drive/Google Apps may not be used to store Confidential UConn Data or identifiable private information for which the identity of the subject is or may readily be ascertained by the investigator or associated with the information. FORMCHECKBOX UConn REDCap FORMCHECKBOX UConn Office 365 (e.g. OneDrive/SharePoint) FORMCHECKBOX UConn Google Drive FORMCHECKBOX UConn Enterprise File Server FORMCHECKBOX Other (describe): FORMTEXT ?????Select any computers (laptops or desktop PCs) or devices (tablets, mobile devices, portable storage devices) used to access data stored on systems identified in questions 1 or 2 above FORMCHECKBOX UConn owned desktop or laptop, or another device FORMCHECKBOX Personal desktop or laptop, or other device (If yes, identify and explain in item 6 below)*Reminder, UConn Confidential Data or identifiable private information may not be stored on personal equipment.Storage of hard copy/paper records. FORMCHECKBOX UConn Office - specify building & office number: FORMTEXT ????? FORMCHECKBOX Off-site - describe where: FORMTEXT ????? FORMCHECKBOX Home Office - describe whose and where: FORMTEXT ?????For any identifiable data collected in this research checked in Part A of this form, will the data be coded by removing all the identifiers and assigned a unique study code or pseudonym? FORMCHECKBOX Yes FORMCHECKBOX NoIf yes, describe how the code/pseudonym will be derived. FORMTEXT ?????Will a master key be maintained that links the code to identifiable information? FORMCHECKBOX Yes FORMCHECKBOX No If yes, where will the master key be stored? FORMTEXT ?????Third-party collaborator or sponsor: FORMTEXT ?????Provide any additional information: FORMTEXT ????? Part D – Data ManagementWho will have access to the data? FORMTEXT ?????Describe how access be managed. FORMTEXT ?????* The Principal Investigator is responsible for all aspects of the research, including the collection, transmission, storage, backup, and security of any research data. Describe your reporting plan should the data be intercepted, hacked, or breached (real or suspected): FORMTEXT ????? Describe how long the data in this research will be maintained, as described in Part C. Federal Regulations require that research records be maintained for at least 3 years after completion of the study: FORMTEXT ????? Is this an application where UConn will be the data coordinating center? FORMCHECKBOX Yes FORMCHECKBOX Provide any additional information: FORMTEXT ????? Please read important information below if your research is regulated by the FDA:For FDA Regulated IND research, the FDA requires that sponsors and investigators retain “records and reports required by this part for 2 years after a marketing application is approved for the drug; or if an application is not approved for drug, until 2 years after shipment and delivery of the drug for investigational use is discontinued and the FDA so notified.” For FDA Regulated IND research, the FDA requires the investigator or sponsor to maintain the records “for a period of 2 years after the latter of the following two dates: The date on which the investigation is terminated of completed, or the date that the records are no longer required for purposes of supporting a premarket approval application or a notice of completion of a product development protocol.” Part E - Provide other research data security information if not addressed above. FORMTEXT ????? Please direct any exceptions to University Policy regarding data security or use of platforms to collect or store data that do not currently have an agreement with UConn to the Information Security Office security@uconn.edu. ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download