Data Security Guidance
How to protect human subjects research data
It is important to ensure the appropriate safeguards are in place whenever data is collected, transferred, and stored for research purposes. The risks associated with research data involving human participants depends on the identifiability and sensitivity of that data. The Human Research Protection Program (HRPP) has worked with WSU Information Technology Services (ITS) to create a data security guidance for researchers to follow. This guidance will continue to develop as new information becomes available. ITS can be contacted for general assistance through their How Can We Help page.
Basics of Data Security
The university retains title to any data that is generated for WSU business and/or research purposes, per BPPM 45.35. The term “Institutional Data” is used in multiple policies and guidance documents regarding data security at WSU; this term also applies to data collected for WSU research purposes. WSU investigators conducting research must adhere to all applicable university policies surrounding data security and retention. In addition, the university must have access to the data through at least one of the following: the Principle Investigator (PI), Data Custodian, Secondary Access Person, or a designated IT staff member that has explicitly agreed to assume this role on the project.
WSU policies related to Data Security
WSU has created policies to ensure proper protection of data used for university operations, including research. Below are the applicable Executive Policies and Business Policies and Procedure Manual (BPPM) references that apply to Human Subjects Research at the university.
Executive Policy #8: “University Data Policies” (EP#8)
Data are valuable institutional assets of Washington State University. Data policies are needed to ensure that these resources are carefully managed, maintained, protected, and used appropriately.
Executive Policy #37: “WSU Information Security Policy” (EP#37)
The purpose of this policy is to establish the authority to develop a University-wide Information Security and Privacy Program and to establish high-level requirements for:
- Safeguarding the confidentiality, integrity, availability, and privacy of institutional data; and
- The protection of institutional information systems and devices that collect, store, process, share, or transmit institutional data.
BPPM 45.50: “Managing Research Records”
This BPPM specifies the policies and responsibilities surrounding research data.
BPPM 87.01: “WSU Information Security Roles, Responsibilities, and Definitions”
This BPPM thoroughly covers the definitions of terms found in the policies and other BPPMs mentioned throughout this page.
BPPM 90.01: “University Records-Retention and Disposition”
This BPPM outlines the requirements regarding the long-term storage of data, as well as the appropriate schedules for data retention.
Key terms
Below are examples of roles and terms seen on our applications:
Anonymous – Data is anonymous only if participants’ identities are unknown to the investigator, not requested, and not shared by participants. Encryption is typically not required for storing anonymous/de-identified data.
Confidential – participants’ names are known to the investigator and are usually coded to a master list and/or kept separately from the data and results. This would include audio/video recordings. Confidential data must be stored using encryption. See also: BPPM 87.01: “Confidential information is defined as information that is specifically protected by law, contracts, third-party agreements, or for other University business reasons as established by information owners.”
De-identified – Data that was initially collected with identifiers but has been stripped of such identifiers. This data can no longer be linked back to an individual. Note: having access to a code and a master list does not constitute “de-identified” data.
Data Storage
There are many options available for storing your research data. However, these options must have the appropriate protections in place, depending on the type of data you are storing. Data with higher sensitivity and identifiability will require stricter protections. WSU offers several options for researchers that can aid in the secure storage of data while complying with applicable policies, laws, and regulations. WSU Central ITS has created a helpful matrix to clarify the best options for the different types of data: WSU Acceptable Use Matrix.
Visit the ITS Policies, Standards and Guidelines page for the most recent version of the matrix and other helpful resources.
Below are the recommended platforms that researchers use to store and collect data:
- WSU OneDrive – This is available to all WSU faculty, staff, and students. Encryption is utilized with this option, making it the most common place to store Confidential or identifiable human subjects research data (e.g. identifiable surveys, interview recordings, consent forms, etc.). Note: Storage of Regulated data here will need additional requirements and approvals.
- WSU Qualtrics – Qualtrics can be used to collect, store, and analyze data. This option is best for minimal risk, anonymous surveys. Surveys that are identifiable and sensitive will need a more secure platform, such as REDCap. More information can be found on the WSU Surveys website.
- WSU REDCap – REDCap is a secure, HIPAA-compliant survey platform that is commonly used to collect and store data for health-related research. This platform is also used for collecting data that is identifiable and sensitive in nature. More information can be found on the WSU Surveys website
- WSU Zoom – Zoom is most common in research that conducts interviews or focus groups. All of WSU’s Zoom is now HIPAA compliant for everyone via a BAA (Business Associate Agreement) with Zoom. This means if you are sharing sensitive data (PHI) and follow proper security guidelines, your meeting is protected.
Data Retention and Management
WSU BPPM 45.35 specifies the policy regarding the retention and management of research data. Investigators need to be cognizant of how their data is stored and secured throughout the course of the research, as well as how to properly dispose of data at the end of the project.
Investigators should also be aware of BPPM 90.01 to ensure adherence to any specific Data Retention Schedules that may apply. This is particularly important for funded research.
To promote participant autonomy, the IRB will need to know how your data is stored, what protections are in place, and how the data will be retained and/or destroyed. It is common that de-identified data are kept indefinitely; in these cases, investigators should inform the IRB of when the identifiers will be removed from the data.
Devices
Studies may require the use of devices, including but not limited to:
- Digital audio recorders
- Smartphones
- Tablets
- Laptops
It is important that these devices, as well as any connections to/from these devices, are secure. In general, personal devices should not be used to handle institutional data, especially Confidential or Regulated data. If the data are completely de-identified, use of a personal device is typically allowed; however, it is important that the data are appropriately maintained and destroyed when no longer needed on that device. Please note that audio and/or video recordings are always considered Confidential data.
If you are using devices to handle Confidential/Regulated data, encryption must be utilized, a secure network connection (if the device is connected at all) must be used, and they should be securely stored if you are working in the field. When recording interviews, focus groups, or other audio, the secure WSU Zoom client can be used in most situations. If you are using a separate device to record audio (such as a digital audio recorder), it should not be connected to the internet. A personal smartphone should not be used to record audio for research purposes.
ITS has created a general resource page as well as a guidance document regarding device security: WSU Endpoint Security Standard (pdf). WSU IT departments have already implemented these security measures, but additional consultation may be needed for certain research applications. We recommend reaching out to your IT department or ATO to ensure your devices are secure for your research.
Third Party Programs or Services
“Third party” usually refers to a program or service that is external to WSU and will be used to collect, store, or analyze data. For example, a project may have interview recordings that will be sent to an external transcription service. The same data protections required by WSU must apply for that third party program. Encryption and a secure connection are required when transferring Confidential data. Regulated data such as HIPAA or FERPA data may require additional consultation and approval from your IT Department. In regard to our review of protocols, electronic systems maintained by WSU IT including electronic application systems (myResearch, eIRB), OneDrive, Qualtircs, RedCap, Zoom etc. are not considered third party systems.
Central ITS has a support page with policies and guidelines regarding information security.
Regulated Data
Regulated information is defined as information that is specifically protected by federal, state, or industry laws, regulations, or standards for which strict protection, use, and handling requirements are dictated. (BPPM 87.01)
In general, utilizing data that is protected by regulations, such as HIPAA or FERPA, may require additional consultation from your IT Department or ATO to ensure the appropriate measures are in place.
FERPA – Investigators conducting educational research should be mindful of the protections under The Family Educational Rights and Privacy Act (FERPA). This data will fall under Level 4 (see table below) and will require very secure measures. We recommend contacting the WSU Registrar to clarify if FERPA applies to your data. Please also see their FERPA resource page for more information.
HIPAA – The Health Insurance Portability and Accountability Act (HIPAA) applies only to identifiable data that is generated by, transferred to, or transferred from a “covered entity“. A covered entity is generally defined as a health care provider that has a billing department, such as a clinic or hospital. Labs involved in providing analysis or other services for biospecimens are also often considered covered entities. When receiving data from Electronic Medical Records (EMR) or other identifiable data given by a covered entity, HIPAA protections will apply. Please review the following information regarding HIPAA-compliant Zoom options available for WSU researchers:
- Zoom – HIPAA Information and FAQ
- Zoom – Managed HIPAA Compliant Zoom Process, Workflow, and Settings
The HIPAA Privacy Rule is another important section that applies to researchers requesting medicals records and other types of identifiable personal health information. If a researcher is requesting data that will be de-identified prior to them receiving it and cannot link that data back to an individual in any way, contact the HRPP to determine if HIPAA applies. For more information regarding de-identification of data, HHS clarifies the “Safe Harbor Method” in this guidance document: Methods of De-identification for PHI (pdf)
Note: Self-reported information, which may include one or more of the 18 HIPAA identifiers, related to studying a participant’s health does not usually constitute HIPAA-protected data. For example: A Qualtrics survey asking whether a participant has been diagnosed with a condition. While such data may be sensitive in nature and requires secure measures, it does not require HIPAA protections. However, a survey asking for health insurance policy, account, or medical record numbers would be requesting information covered under HIPAA and would require such protections.
Data Agreements and Funded Research
If your project requires a Data Use Agreement (DUA), Data Sharing Agreement (DSA), a Materials Transfer Agreement (MTA), or other agreements due to funding, please check with the Office of Research Support and Operations (ORSO) to determine what is needed. Certain studies that do not have funding may require an agreement to transfer data to or receive data from outside entities. If such agreements are necessary for the study, the HRPP will need a copy of the agreement for our records. If you are unsure whether you need to obtain an agreement from ORSO, you can use their “When to work with ORSO” page to see if these agreements are required for your project.
Risk Levels and Protections
The table below clarifies the type of data, the level of risk for that data, and the protection that should be used. Please refer to the following guidance document that expands on the categories and examples listed in the table:
| Risk Level | Brief Examples | Security Controls |
|---|---|---|
| Level 1 - Low Anonymous/Public | Publicly available data, anonymized data, or de-identified data that cannot be re-identified by the researcher. | Password protected documents and files. Locked filing cabinets and offices for hard copy data. |
| Level 2 - Intermediate Confidential/Internal but Innocuous | Identifiable data (e.g. surveys, field notes video recordings) which, if disclosed would NOT put subjects at risk (reputational, employability, legal, or embarrassment). | Encryption must be utilized. Consult IT as needed. |
| Level 3 - High Confidential but Sensitive | Sensitive data such as medical records with identifiers. Legally protected data (e.g. HIPAA /FERPA) when appropriately protected. Research involving criminal activity that is protected by Certificate of Confidentiality (CoC). | Same as Level 2 but verified by college IT personnel. Encrypted laptops or work stations. Certificate of Confidentiality (CoC) when appropriate |
| Level 4 - Very High Regulated/Restricted | Research records with identifiers of self-disclosed criminal activity or mental health issues. Research that requires or documents violation of federal or state law (e.g. consumption of cannabis). Data that is contractually or legally protected or deemed classified. | Same as level 3 with additional precautions (e.g. non-networked work-station) as determined by college IT Director or designee. |