Data security measures protect the privacy and confidentiality of research subjects. These measures apply to the storage and transmission of all types of data collected for research purposes, including paper and electronic records, biospecimens, audio and video recordings, photographs, etc. To obtain IRB approval, researchers must make adequate plans to protect subject privacy and the confidentiality of study data and describe them in the HawkIRB application and in the Informed Consent Document. Although these terms are commonly used interchangeably, “privacy” and “confidentiality” are two distinct concepts. This guidance document:

  • Explains the distinction between privacy and confidentiality protections
  • Provides best practices:
    • to protect privacy at the point of data collection
    • to protect confidentiality during data storage and transmission

Privacy Protections

Privacy Protections protect the person. These protections apply when data are collected directly from a subject and when the research study uses existing data about a subject for research purposes. Privacy protections respect an individual’s right to keep personal information to themselves. Researchers protect subject privacy by:

  • Collecting data in a private setting
  • Collecting only the amount and type of information necessary to address research questions or hypotheses

    In a HawkIRB application, describe privacy protections in Section X.1. 

    image 1

     

Confidentiality Protections

Confidentiality protections apply to the storage, transfer and transmission of data collected or used for research purposes, including paper records, electronic records, and biospecimens. Data security measures must be appropriate for the sensitivity level of the data and whether the dataset includes subject identifiers or if subjects could be reidentified. Researchers protect data by limiting who has access to it and how it is identified.

In a HawkIRB application, describe confidentiality protections in Section X.4, including: 

  • Plans to use an ID code or pseudonym
  • Plans to maintain or break the link between the ID code and subject identifiers
  • If the study will not record any identifying information about subjects 

The rest of this educational tool focuses on confidentiality protections or data security methods. See below for screenshot examples of how to complete Section X.4.  

image 2

Data Identifiability

In some cases, researchers need to collect and store identifying information about research subjects. These identifiers include name, contact information, date of birth, dates of service, etc. There is a list of 18 identifiers in the Health Insurance Portability and Identifiability Act (HIPAA) regulations. However, this is not an exhaustive list. Other variables or combinations of variables could be used to identify subjects. 

An ID code is considered an identifier if there is a link between the ID code and the identifying information. Identifiable data requires stricter confidentiality precautions. 

 

It is important to use correct terminology to describe how data will be identified:

  • Identified Data – Subject identifiers are stored in the data set
  • Coded Data – There is a link between the ID code and the identifiable information
  • De-identified Data – Subject identifiers were initially collected and have been removed. This could include breaking the link between the code and the identifiers
  • Anonymous Data – No identifying information was ever collected from or about subjects

     

Another consideration is re-identification, the act of identifying subjects from coded, de-identified or anonymous data sets. There are steps researchers can take to prevent re-identification. For additional guidance, see the Visual Guide to Practical Data De-Identification from the non-profit Future of Privacy Forum

Protected Health Information

Researchers must implement additional confidentiality protections for medical records that are used for research purposes. Protected Health Information (PHI) includes health information that:

  • Is transmitted or maintained in any form (electronic, oral, paper) by a covered entity
  • Identifies the individual or could reasonably be used to identify the individual, including name, contact information, date of birth, dates of service, account numbers, and full face photographic images (see the list of 18 HIPAA identifiers).
  • Relates to past, present, or future, physical or mental, health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual

Describe confidentiality protections for PHI in Section X.4 of the HawkIRB application. 

image 2

Paper Records

Paper records include any paper documents that contain study data or other research-related records. Signed Informed Consent Documents are considered paper records with identifiable information. The research team is responsible for maintaining confidentiality protections for all paper records, including signed consent documents, during transport and storage of these records. Some common confidentiality protections for paper records include: locked file cabinet, locked office, transporting documents in a folder, envelope or locked briefcase. In Section X.4, describe the transfer and storage protections for all paper records. 

image 2

Electronic Records

Electronic records include all electronic files and digital recordings or images that are collected and/or stored for research purposes. The confidentiality protections for these records depends on the sensitivity of the data and can include:

  • Password protected files
  • Limited access folders on a shared drive
  • Encryption

In Section X.4, describe the storage of electronic and digital research records.

image 3

Person Responsible for Maintaining IT Security

The person responsible for maintaining IT security, generally a departmental IT person, is accountable if there is ever a security breach with study data. Researchers should consult with the IT representative to ensure that confidentiality protections follow best practices for storing and transmitting electronic data on hard drives, shared drives, laptops, etc.

image 4

Data Classification Guide

The UI ITS classifies institutional data into four primary data types and specifies the storage standards for each type. Those categories are: Critical, Restricted, University-Internal and Public.

Note:  Personal Credit Information should not be stored on any of the data storage and transfer services/tools listed below. If you are working with these data, please contact the IT Security Office for guidance. 

(Source: UI ITS Data Classification Guide to IT Services)

Classification Level

Description

Institutional Data Examples

 

Critical

  • Inappropriate handling or disclosure of this data could cause severe harm to individuals and the university, including exposure to criminal and civil penalties, identity theft, personal financial loss, or invasion of privacy.
  • Only selective access (on a need-to-know basis) may be granted.
  • Has the most stringent legal or regulatory requirements and requires the most prescriptive security controls.
  • Patient health, payment/insurance, and treatment data
  • Social Security Number
  • Credit card information
  • Personal identifiers (e.g., passport, driver's license)
  • ITAR data
  • Investigative reports

 

Restricted

  • Disclosure could cause significant harm to individuals and the university, including exposure to civil liability. Because of legal, ethical, or other constraints, this data may not be accessed without specific authorization.
  • Only selective access (on a need-to-know basis) may be granted.
  • Usually subject to legal and regulatory requirements due to data that are individually identifiable, highly sensitive and/or confidential.
  • Financial aid data
  • Student transcripts
  • Identifiable human subject research data

 

 

University-Internal

  • Disclosure could cause limited harm to individuals and the university with some risk of civil liability.
  • This data may be accessed by eligible employees and designated appointees of the University for the purpose of university business. Access restrictions should be applied accordingly.
  • Either subject to contractual agreements or regulatory compliance or is individually identifiable, confidential, and/or proprietary.
  • Financial reports
  • Departmental memos
  • Committee meeting minutes
  • De-identified human subject research data

 

 

Public

  • Encompasses information for which disclosure poses little to no risk to individuals or the university.
  • Few restrictions are placed on this data, as it is generally releasable to a member of the public upon request or is published.
  • Anyone regardless of institutional affiliation can access without limitation.
  • Collegiate and departmental websites
  • News releases
  • Information subject to open records requests (email, financial, etc.)

Subsets of Critical Category

There are two types of Critical data based on specific regulations regarding export control and HIPAA. If you have questions about what data in the Critical category can be stored/used on any of the data storage and transfer services/tools listed below, please contact research-computing@uiowa.edu.

  • Critical - Export-Controlled: U.S. defense-related data where disclosure to a foreign national must be prevented. Examples: military items, space-related technology, technical defense data (e.g., ITAR, EAR)
  • Critical - HIPAA: The Health Insurance Portability and Accountability Act (HIPAA, 1996) applies to protected health information (PHI) from the University of Iowa Hospitals and Clinics or other covered entities (including Student Health, UI College of Dentistry, UI College of Nursing, Department of Athletics, University Hygienic Lab, Wendell Johnson Speech and Hearing, Seashore Psychology Training Clinic, College of Education – UI Belin Blank Center Assessment and Counseling Clinic, LGBTQ+ Counseling Clinic, and Telepsychology Training Clinic, College of Pharmacy). Refer to the list of 18 HIPAA identifiers. Example: Restricted data plus health information from medical record (e.g., name and blood pressure)  

Note: If you intend to store PHI from University of Iowa Health Care on services not managed by UI Health Care, you are responsible for obtaining approval from the UI Health Care Data Governance group.  Please contact icts-bmi-consulting@healthcare.uiowa.edu for more information.

Storage and Transfer Tools

There are many ways to store and transfer data. The PI must choose a program that is consistent with the level of sensitivity and classification of the data. Tools that are not referenced in the UI ITS list, require a Technology Review and Security Review prior to use. 

If you are using a new software, device, eConsent tool, etc. that could potentially require an IT security or technology review, discuss IT security measures with your respective departmental IT representative. Their engagement is imperative and could save the researcher, the IRB, and the UI IT Security team a lot of extra time and work. Ideally, the Technology and Security Reviews should be initiated before the IRB submission. These reviews can sometimes take weeks or months and may delay the start of your project if completed later. If you are unsure who your departmental IT representative is, please contact research-computing@uiowa.edu

See the Data Classification Guide to IT Services page of the UI Information Technology Services website to see what types of data can be used with different IT services and tools. 

Storage on Laptops, Desktops, or Mobile Devices

UI researchers should use caution and implement appropriate confidentiality protections when storing data on laptops, desktops and mobile devices. UI ITS has core security standards which reflect the minimum institutional expectations for storing data, including research data, on a laptop, desktop, or mobile device. The HSO/IRB require all data be stored in a UI ITS managed service like OneDriveRDSS, or the departmental shared drive. (See the full list of research data storage options.) The UI IRB expects researchers to comply with these institutional standards and to describe the confidentiality protections and data security plans in Section X of the HawkIRB application. The UI IRB will consult with IT Security and/or refer Principal Investigators (PI) to UI ITS to ensure that institutional standards are met. Use the UI ITS Data Classification Guide to establish appropriate plans for data storage and data sharing.    

Storing University of Iowa Health Care Data

There are limitations on where researchers at UI Health Care and the Carver College of Medicine (CCOM) can store UI research data extracts (data extracted from UI Health Care patient records, operational or personnel data). It is not necessary to have approval from the Data Governance Task Force to store patient data extracts on the R:Drive (managed by Carver College of Medicine Office of Information Technology), UI Health Care and CCOM departmental drives, or ShareFile.

To store data on UI Information Technology Services (ITS) servers that are not managed by Health Care Information Systems (HCIS) or shared outside of the University of Iowa, there must be an “external data sharing request” reviewed by the UI Health Care Data Governance Task Force. The following are links to the external data sharing request forms: 

Research Data Storage Options that are HIPAA compliant include: Research Data Storage Service (RDSS), Large Scale Storage (LSS), R:Drive, UI Health Care departmental drives, ShareFile, and OneDrive. RDSS, LSS and OneDrive are stored on managed UI ITS systems and are secure enough for protected health information. However, researchers need approval from the UI Health Care Data Governance Task Force and a Data Use Agreement prior to using them. 

  • Data Use Agreements for UI shared storage are completed between the PI’s department and the UIHC Joint Office for Compliance.
  • Data Use Agreements for external sharing outside of the UI are completed between the PI’s department and the Division of Sponsored Programs. 

Note: OneDrive has an agreement with Microsoft to safeguard UI data. Depending on the amount of data stored, and the researcher’s UI employment appointment, there may be a cost associated with these storage options.    

Describe the storage, transport and transfer of UI research patient data extracts in Section X.4 of the HawkIRB application:

image 5

Audio/Video Recording Best Practices for In-person and Virtual Research Visits

UI ITS and HCIS policy prohibit the use of personal phones/mobile devices for making research-related recordings. It is best practice to store audio/video recordings on the UI One Drive account or approved campus storage solution, rather than directly on a laptop or workstation computer. The rationale for this practice is: 

1) ITS monitors UI One Drive and campus storage servers to ensure there have been no security breaches 

2) UI One Drive provides automatic back up, and most campus storage solutions provide routine backups. 

Section X.4 should describe the security precautions used for audio/video recorded data. If using One Drive or an approved campus storage solution is not possible, provide a detailed and compelling rationale in Section X.4 of the HawkIRB application. 

Cell phones cannot be used for any recording functions – in-person or phone conversations, Zoom, or Skype for Business sessions. When researchers conduct audio and video recordings in-person (via a handheld digital device or a secure recording application on a laptop or desktop computer) or virtual recordings (via Zoom or Skype for Business) the recordings should immediately be transferred to a UI-managed storage service (e.g., UI OneDrive, RDSS, H:Drive) at the conclusion of the research visit. Once securely stored, the audio and/or video recording should be deleted from the recording device. Identifiable and highly sensitive data should be saved directly to a UI-managed location. For additional guidance, see Secure Zoom Meetings and Recordings for Restricted and Critical Data.  

Investigators seeking only audio recordings should take care not to obtain video recordings via Zoom or Skype for Business. To capture only audio content, investigators should ask Zoom participants to disable their cameras before recording sessions begin. Both Zoom and Skype for Business applications have the capability to automatically store local recordings to UI-managed storage drives if the drive is first mapped to the computer and the application settings are updated. In order to set this up correctly, please refer to UI ITS Security and Privacy Tips for Zoom. Contact UI ITS with questions. Once securely stored, the recording must be deleted from the recording device.

If phone interviews are used, the research team member should engage the phone’s speaker phone tool. Conversations may be recorded using a separate recording device (such as a hand-held digital recorder or a secure recording application on a laptop or desktop computer). Please contact the IT department to determine what recording applications are acceptable.

Using Zoom for Research with Minors

Zoom can be used for research involving minors. It is best to consult with the research team’s local IT representative to ensure Zoom settings are consistent with IT privacy and confidentiality requirements. Audio and/or video recordings of minors makes the data identifiable. Implement appropriate confidentiality protections. Zoom recordings should be saved directly to a UI-managed location, such as a shared drive or UI One Drive. For additional guidance, see Secure Zoom Meetings and Recordings for Restricted and Critical Data.

Sharing Data Outside the University of Iowa

The University of Iowa owns all data collected at UI by faculty, staff, and student researchers (Researcher Handbook, 7f. Data ownership and transfer). It may be necessary to establish a Data Use Agreement (DUA) to transfer or share data outside of the University of Iowa. A DUA is generally required when:

  1. when PI leaves Iowa and wants to take data
  2. data are shared with former research team members or individuals outside the UI 

Contact the Division of Sponsored Programs (DSP) for assistance with establishing a DUA. To ensure you are in compliance with the DUA terms for data transmission and are using approved transfer mechanisms, contact Research-Computing@uiowa.edu

The UI Health Care Data Governance Task Force must approve the sharing of UI Health Care data. To initiate the request, contact them at icts-bmi-consulting@healthcare.uiowa.edu

Tools Available to Conduct Remote or Virtual Research Related Activities

eConsent (Use of Electronic Consent) options available at the UI

Federal regulatory guidance must be followed if an eConsent (electronic informed consent) tool is used in the conduct of human subjects research. The following eConsent tools are available for research that is not regulated by the Food and Drug Administration (FDA): 

Any eConsent tool used for a human subjects research project must be approved by the IRB of record prior to use. See the following educational tool for additional guidance: Alternatives to an In Person Informed Consent Process. 

For additional assistance, contact the Human Subjects Office via email (irb@uiowa.edu) or call (319)335-6564.

Virtual options for conducting human subjects research visits and procedures

There are several video conferencing options available from the UI ITS that the UI IRBs would find acceptable for conducting virtual research visits. The HSO/IRB strongly recommends using an UI ITS supported video conferencing solution. If you use a tool not endorsed by the UI ITS, the IRB will require you to discuss the tool with UI ITS Research Computing to ensure appropriate security and confidentiality measures are in place prior to submission to the HSO/IRB. If the tool is not approved by UI ITS, a technology or IT security plan will be required. 

For additional guidance, see Secure Zoom Meetings and Recordings for Restricted and Critical Data

Data Security for Research Activities Conducted Virtually or at a Non-UI Site

Remote Access Set up

Principal Investigators/Research Teams should continue to maintain appropriate data security and confidentiality measures to conduct research related activities at an alternate location. If necessary, UI ITS advises the study team establish remote access to study files for team members working at an alternate location. This would require appropriate IT security and confidentiality measures consistent with UI ITS policies (e.g., encryptionuse of VPNuse of OneDrive, etc.). 

PI/Research Teams should also comply with grant or contractual obligations related to data security, storage, and IRB-approved confidentiality measures prior to allowing research team members to work from a location outside of the University of Iowa campus. Check with the Division of Sponsored Programs or UI ITS if you have questions regarding any applicable requirements. Remote study activities may need to be described in the HawkIRB application. If you have any questions about whether remote option study activities are possible or approvable (especially for consent), contact the IRB at irb@uiowa.edu.

Conducting Research from a Remote Location

For any research activities from a remote location, the HSO/IRB recommends applying the security and IT best practices outlined by UI ITS: 

  • Secure your computer with the most up-to-date operating system, anti-virus and anti-malware. Use a strong password. Lock or sign out when not in use.
  • Connect to campus resources, such as the Cisco AnyConnect VPN Client. Do not connect to public wi-fi unless connected to the UI VPN.
  • Follow guidance on using personal computers for research.
  • Do not store data on a personal computer. Use UI-managed network drives described above (RDSS, LSS, ShareFile, OneDrive, Home Drive, etc.) by mounting them on your computer.
  • Do not use personal storage drives (external hard drive, USB flash drive, Box, Dropbox, Google Drive, cell phone, etc.)
  • If a USB flash drive is absolutely necessary, contact the ITS Help Desk to learn how to encrypt it.
  • Follow UI ITS standards for working remotely. 
  • Comply with UI ITS remote work guidelines.   

For additional guidance, contact IT Research Services at research-computing@uiowa.edu.     

Best Practices for Data Transfer

If data will be shared outside the UI, use a Secure File Transfer Protocol (SFTP):

  • Provide access to a specific file/folder (e.g., RDSS drive or OneDrive).
  • For large data sets, use Research Data Collaboration Service (RDCS) via Globus for high-speed data transfer.
  • Rather than using email, store the file in OneDrive and email an authenticated link to the recipient.
  • Request a provisional Guest HawkID to access UI resources such as RDSS, HawkIRB, UI VPN, etc.

The UI Health Care Data Governance Task Force must approve the sharing of UI Health Care data. To initiate the request, contact them at icts-bmi-consulting@healthcare.uiowa.edu

Using Zoom to Conduct Virtual Research Visits

The version of Zoom available through UI and UI Health Care is compliant with HIPAA standards as long as the research team follows the instructions for Secure Zoom Meetings and Recordings for Restricted and Critical Data. The HSO/IRB recommends UI ITS recommendations listed below for IT safety, security, best practices for the use of Zoom for research purposes:  

Resource Guide for Data Security

ResourceDescriptionLink(s)
Protecting Sensitive DataA list of IT services and what data types are approved for eachhttps://its.uiowa.edu/protect-sensitive-data   
Data Classification GuideA table comparing all the ITS-provided storage serviceshttps://its.uiowa.edu/dataclassificationguide
ITS Research Storage ServicesArticles about how to work remotely in a secure mannerhttps://its.uiowa.edu/researchstorage
Conducting Research RemotelyComparison guide describing all ITS video conferencing toolshttps://its.uiowa.edu/working-remotely-iowa 
and https://itsecurity.uiowa.edu/resources/everyone/working-remotely
Video Conferencing Tool GuideArticle about how to secure Zoomhttps://its.uiowa.edu/support/article/118416
Zoom Best Practices and Security GuidanceArticle about what is required before using a personal computer for researchhttps://itsecurity.uiowa.edu/zoom-security-and-privacy
Using a Personal Computer for Research HSO guide about how to safely and securely collect sensitive research datahttps://its.uiowa.edu/services/protecting-sensitive-data/guidance-using-personal-computers-research#:~:text=Personal%20computers%20can%20be%20used,if%20gathering%20human%20subjects%20data .
HSO Data Security GuidanceInformation about how to appropriately fill out Section X of the HawkIRB applicationhttps://hso.research.uiowa.edu/get-help/educational-tools/data-security-guidance
HawkIRB Section X GuidanceA list of department IT staff in the College of Liberal Arts and Sciences that can offer data security help and guidance

https://its.uiowa.edu/services/protecting-sensitive-data/irb-application-section-x4-guidance

       HawkIRB Help Messages 

College of Liberal Arts and Sciences IT Departmental AssignmentsWebpage about the Technology Review Processhttps://clas.uiowa.edu/it-group/departmental-assignments
Technology ReviewList of software services and applications that have been put through the Technology Review processhttps://its.uiowa.edu/available-software/technology-review-process
Technology Review - List of Assessed TechnologyLink to the Security Review workflow formhttps://apps.its.uiowa.edu/sec-hq-courier/assessed-technology
Security ReviewSubmit a request to share data outside UI Health Carehttps://workflow.uiowa.edu/form/security-review
UI Health Care Data Governance ReviewAn article explaining how to fill out a Research IT Security Plan for IRB applications and contractshttps://workflow.uiowa.edu/form/external_data_sharing
How to Fill Out an IT Security PlanAn ITS service for transferring large data sets to internal and external collaboratorshttps://its.uiowa.edu/support/article/119986
Research Data Collaboration ServiceUI staff can request guest HawkIDs for external collaborators to access UI resourceshttps://its.uiowa.edu/rdcs
Guest HawkID Account Request FormA list of IT services and what data types are approved for eachhttps://iam.uiowa.edu/accounts  

Used with permission from IT Research Services