Data Collection Storage and Protection
The IRB will review the data you are proposing to collect to ensure it is aligned with the goals of your study/project. You will be asked, on the IRB application, to explain the data you are seeking to collect, how it will be collected, where it will be stored, who will have access to it, how it will be protected, and how and when it will be destroyed. To fulfill privacy requirements, security measures first and foremost aim to assure confidentiality. That is, that information that can identify a participant is accessed only by appropriate persons for appropriate reasons.
One of the best ways to increase protection of data is to code it in a manner so that only you can link the data to individual participants. The log cross-referencing the participant identification number with the name of the participant should be stored in a separate location from the data. If the study involves electronic data, then the log with identifiers should be stored on a separate server or computer system from the data.
While de-identifying the data from the identity of the participants is the ideal method in terms of protecting confidentiality, sometimes this is not possible as doing so would compromise the utility of the data for scientific purposes. In an effort to minimize risk, the IRB may request that data be de-identified as soon as the data analysis is complete and the dissertation or doctoral project has been approved by the university.
Another consideration is the storage and transmission of electronic data. Use care with flash drives or external drives that can be lost or stolen (alternates include cloud-based storage that requires a password and/or two-step authentication).
Studies/projects involving sensitive data such as illegal activities or protected health information (PHI) should have a comprehensive data security plan as this type of data requires additional safeguards. Data are considered sensitive when disclosure of identifying information could have adverse consequences for participants or damage their financial standing, employability, insurability, educational advancement, reputation or place them at risk for criminal or civil liability. The data security plan should minimally include plans for authentication of those who have appropriate access to the data (for example, appropriate password protection), appropriate firewall for the computer system, anti-virus and anti-spyware software, encryption of the data files, and secure location and storage of the computer systems and servers. Additionally, the research/project plan should provide considerations to mitigate risks of storing data on laptops and flash drives.