Human subject data can be compromised through theft or hacking, and subjects may be put at risk of harm from a data breach. In addition to the risk to subjects, the cost of reproducing, restoring, or replacing stolen or lost data highlights the need for a comprehensive data protection plan.
Protection of electronic data
As the level of risk increases (depending on the type of questions being asked, etc.), so will the investigator’s responsibility for protecting study subjects’ information. The following precautionary measures are recommended when dealing with electronic data:
- Consider whether factors (e.g., international travel, budget) may limit your ability to securely protect human subjects research data; if so, it may be more appropriate to collect data without identifiers.
- De-identify private data whenever possible.
- Consider using a study code, with arbitrary codes linking the confidential and anonymized information.
- Securely delete sensitive data and personally identifiable subject information when it is no longer needed.
- Shred any hard-copy forms as soon as possible.
- Store data on UC Santa Cruz secure servers when possible.
- For computer files, note that putting a file in the trash and emptying the trash will not remove it from the system. For information on how to securely delete files, see "How can I delete files securely from my computer?"
- Human subjects research data files should be password protected and encrypted. Encryption reduces the risks associated with stored private information. Unencrypted data should never be emailed or otherwise shared.
- Use the UC Santa Cruz ITS standards for electronic data security.
- Use the Campus VPN (virtual private network) to provide a secure (encrypted) connection.
- Adhere to all UC and UC Santa Cruz policies when connecting to the UC Santa Cruz network, or accessing UC Santa Cruz data. Also be aware of restrictions related to export/import control and international travel.
- Restrict access to data. Be sure you know who has access to folders before you put restricted data there. Don’t put sensitive information in locations that are publicly accessible from the internet.
- If you are capturing or accessing human subjects data using your phone, including recording interviews, review UC Santa Cruz ITS Security’s Mobile Devices and Wireless.
Access to sensitive information
When accessing restricted or confidential data and/or systems (e.g., health information protected under the HIPAA Privacy Rule, social security numbers, etc.) or other sensitive data as informed by the IRB, use Protection Levels for UC Institutional Information to determine the protection levels of your human subjects research data. Be sure to follow appropriate Practices for Protecting Electronic P3 – P4 Data.
Report a theft or breach
- An incident of theft or breach (suspected or otherwise) of a device and/or data should be reported to ITS (see Report a Security Incident).
- To determine if the incident meets the criteria for reporting to the IRB, review the information found on Incident Submission.
Researcher record retention
UC Santa Cruz requires the principal investigator to keep administrative and study records (approved IRB documents, signed consent forms, data collection documents, etc.) for a minimum of three years after the close of the study.
Longer retention periods may be required, such as for records pertaining to Protected Health Information under the HIPAA Privacy Rule, FDA regulated studies, or based on sponsor contract requirements. Investigators are also required to take measures to prevent accidental or premature destruction of these documents.
Study investigators should continue to honor any data confidentiality protections outlined in the approved study. Study investigators should also honor any other commitments that were agreed to as part of the approved study, for example, providing information about the study results to research subjects or honoring commitments to compensate research subjects for their participation.
For more information see UC Santa Cruz IRB Policy on Records Retention.