The document provides guidelines for securely managing human subject data in research. It defines key terms related to anonymity, confidentiality, and de-identification of data. The core guidelines recommend password protecting devices and files, limiting access to identifiers, encrypting data stored on portable devices, and deleting identifiers as soon as possible. Researchers should follow institutional standards for tools, cloud services, and third party vendors when handling sensitive data. Maintaining appropriate anonymity, confidentiality or de-identification is important to protect participants and ensure low risk.
Data Security Guidelines
RELATED KEY TERMS: SUBJECT PARTICIPATION
Anonymous
An individual's participation in a research project can be described as anonymous if it is
impossible to know whether or not that individual participated in the study. For example,
participation in an online survey would be considered anonymous if that survey could not
be linked in any way to the individual.
Confidential
When participation is confidential, the research team knows that a particular individual has
participated in the research but the team members are obligated not to disclose that
information to others outside the research team, except as clearly noted in the consent
document.
Maintaining human subject data securely with the appropriate level of
anonymity, confidentiality, or de-identification is a key factor in ensuring
a low risk threshold for the participants, the researchers, and the
university.
As such, principal investigators (PIs) and their study teams may be required to outline
the data management and security procedures in the eResearch IRB application for IRB
review. In addition to the information provided in responses to specific eResearch
application questions, you may be required to provide a Data Management and Security
Protocol. IRB-HSBS recommends that research teams consistently follow the core data
security controls, whether or not the research involves the collection of personally-
identifiable data.
Core Controls
1. Details on what tools can be used for which institutional data types can be found in
the Sensitive Data Guide. This includes cloud computing & encryption standards.
2. All data collection and storage devices must be protected with a strong
password. A strong password is long, not reused elsewhere, and not easily guessed;
please follow the link for guidance on crafting a strong password.
3. All sensitive research information on portable devices must be encrypted.
4. Access to identifiable data should be limited to members of the study team.
5. Identifiers, data, and keys should be placed in separate, password
protected/encrypted files and each file should be stored in a different secure
location.
6. If it is necessary to use portable devices for initial collection or storage of identifiers,
the data files should be encrypted and the identifiers moved to a secure system as
soon as possible after collection. The portable device(s) should be locked up in a
secure location when not in use. The PI should consult with their departmental
IT Security Unit Liaison (SUL) to discuss how to correctly configure desktop
computers, laptops, and other devices for safe use in the collection and storage of
research data.
7. U-M +Google Mail and Calendar services may not be used to collect, store, or
transmit confidential or sensitive human subjects research data or protected health
information (PHI). The Sensitive Data Guide provides information on what specific
IT resources may be used with sensitive human subjects research data and
protected health information.
8. If utilizing any cloud-computing services, the PI must follow the U-M safecomputing
guidelines (see Resources below) and UM IT policies.
9. All data collected on portable devices should be transferred to an approved
service as soon as possible after collection, and deleted from the portable collection
devices.
10. If research includes sensitive identifiable data, outside consultants or vendors
should be required to sign a confidentiality agreement. Ensure that you are
compliant with all institutional Third Party Vendor requirements.
11. If the research design allows, the PI should delete or destroy identifiable information
as soon as possible after collection.
Key Definitions
The IRB often finds that the terms anonymous, confidential, and de-identified are used
incorrectly. Knowing the correct use of these terms can help you determine the appropriate
data management and security procedures for your project.
ANONYMOUS
Data are anonymous if no one, not even the researcher, can connect the data to the
individual who provided it. No identifying information is collected from the individual,
including direct identifiers such as name, address or student identification number.
Researchers should be aware that collection of indirect identifiers (i.e., information
regarding other unique individual characteristics) might make it possible to identify an
individual from a pool of subjects. For example, a study participant who is a member of a
minority ethnic group might be identifiable from even a large data pool.
CONFIDENTIAL
Confidential data has a link between the data and the individual who provided it. The
research team is obligated to protect the data from disclosure outside the research
according to the terms of the research protocol and the informed consent
document. Methods to reduce the risk of inadvertent disclosure include:
- Storing the subject's name and/or other identifiers separately from the research
data.
- Replacing the subject's name and other identifiers with a unique code and using this
code to refer to the subject data. Note that coding the data does not make that data
anonymous.
- Storing the code key separately from the subject's identifiers.
DE-IDENTIFIED
Data are considered de-identified when any direct or indirect identifiers or codes linking
the data to the individual subject's identity are stripped and destroyed.
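The coding scheme described under CONFIDENTIAL, the separation of identifiers, data, and key required by Core Control 5, the indirect-identifier caveat under ANONYMOUS, and the key destruction that makes data DE-IDENTIFIED can all be shown on one small dataset. The following is an added example written for this page; it is not code from IRB-HSBS or U-M, and the survey records, field names, and file layout are constructed for illustration. It uses only the Python standard library, and it does not perform the file encryption that Core Control 5 additionally requires; that step belongs to an institution-approved tool.

```python
"""Separate identifiers from research data under a random code key, flag records
that indirect identifiers single out, and de-identify by destroying the key."""
import json
import os
import secrets
import tempfile
from collections import Counter

# Constructed sample records (hypothetical subjects, not real data): direct
# identifiers, indirect identifiers, and the survey responses themselves.
RAW_RECORDS = [
    {"name": "Ada Example", "email": "ada@example.edu", "student_id": "10000001",
     "ethnicity": "A", "zip": "48104", "q1": 4, "q2": 2},
    {"name": "Ben Example", "email": "ben@example.edu", "student_id": "10000002",
     "ethnicity": "B", "zip": "48104", "q1": 3, "q2": 5},
    {"name": "Cy Example", "email": "cy@example.edu", "student_id": "10000003",
     "ethnicity": "B", "zip": "48104", "q1": 1, "q2": 1},
    {"name": "Dee Example", "email": "dee@example.edu", "student_id": "10000004",
     "ethnicity": "C", "zip": "48105", "q1": 5, "q2": 4},
]
DIRECT_IDENTIFIERS = ("name", "email", "student_id")   # assumed field names
INDIRECT_IDENTIFIERS = ("ethnicity", "zip")            # assumed quasi-identifiers


def split_identifiers(records, id_fields=DIRECT_IDENTIFIERS):
    """Replace direct identifiers with a random code; return (coded_data, key).

    Codes come from secrets.token_hex, so a code reveals nothing about the subject
    (a sequential number or a hash of the student ID would)."""
    coded, key = [], {}
    for rec in records:
        code = secrets.token_hex(8)
        while code in key:          # collision is vanishingly unlikely; keep codes unique
            code = secrets.token_hex(8)
        key[code] = {f: rec[f] for f in id_fields}
        coded.append({"code": code, **{k: v for k, v in rec.items() if k not in id_fields}})
    return coded, key


def relink(coded, key):
    """Re-attach identifiers. Coded data is confidential, not anonymous: anyone
    holding the key (or both files) can do this."""
    return [{**key[r["code"]], **{k: v for k, v in r.items() if k != "code"}} for r in coded]


def unique_quasi_identifiers(coded, quasi_fields=INDIRECT_IDENTIFIERS):
    """Codes whose combination of indirect identifiers occurs only once in the pool;
    such a subject may be identifiable even with no name attached."""
    def combo(r):
        return tuple(r[f] for f in quasi_fields)
    counts = Counter(combo(r) for r in coded)
    return [r["code"] for r in coded if counts[combo(r)] == 1]


def deidentify(coded, key, quasi_fields=INDIRECT_IDENTIFIERS):
    """Drop codes and indirect identifiers and destroy the key in place, so the
    link back to the subjects can no longer be reconstructed."""
    key.clear()
    return [{k: v for k, v in r.items() if k != "code" and k not in quasi_fields} for r in coded]


def write_separately(coded, key, data_path, key_path):
    """Write coded data and key as two files that must not share a location."""
    if os.path.dirname(os.path.abspath(data_path)) == os.path.dirname(os.path.abspath(key_path)):
        raise ValueError("the code key must not be stored alongside the coded data")
    with open(data_path, "w", encoding="utf-8") as f:
        json.dump(coded, f)
    with open(key_path, "w", encoding="utf-8") as f:
        json.dump(key, f)


def roundtrip_through_files(records=RAW_RECORDS):
    """Split, store in two temporary directories, reload, and confirm that storing
    the key next to the data is rejected. Returns (relinked_records, rejected)."""
    coded, key = split_identifiers(records)
    with tempfile.TemporaryDirectory() as data_dir, tempfile.TemporaryDirectory() as key_dir:
        data_path = os.path.join(data_dir, "coded.json")
        key_path = os.path.join(key_dir, "key.json")
        write_separately(coded, key, data_path, key_path)
        with open(data_path, encoding="utf-8") as f:
            coded_back = json.load(f)
        with open(key_path, encoding="utf-8") as f:
            key_back = json.load(f)
        try:
            write_separately(coded, key, data_path, os.path.join(data_dir, "key.json"))
            rejected = False
        except ValueError:
            rejected = True
    return relink(coded_back, key_back), rejected


if __name__ == "__main__":
    coded, key = split_identifiers(RAW_RECORDS)
    print("coded record:", coded[0])
    print("singled out by indirect identifiers:", unique_quasi_identifiers(coded))
    print("de-identified:", deidentify(coded, key))
    print("key after de-identification:", key)
```

In the sample, two subjects (ethnicity A in 48104 and ethnicity C in 48105) are the only ones with their combination of indirect identifiers, so `unique_quasi_identifiers` flags them even though no name is present in the coded file; that is the situation the ANONYMOUS definition warns about. Destroying the key is what turns the coded file into de-identified data; until then, `relink` shows the link still exists.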
INSTITUTIONAL DATA
Institutional data is defined as any data that is owned, licensed by, or under the direct
control of the University, whether stored locally or with a cloud provider.
References and Resources
Protect Sensitive Data: U-M Safecomputing website providing best practices for
accessing, working with, and storing sensitive data. Includes information for managing
your devices and reporting data breaches.
Safely Use the Cloud: U-M Safecomputing guidelines regarding use of U-M's Google
services and sensitive university data, including research data.
Sensitive Data Presentation: From U-M Information Assurance, this presentation covers
sensitive data classification; sensitive data and U-M IT standards; and the third party
vendor security review process.