Protecting Subject Data


Overview

The safeguarding of human subjects is of paramount importance to the UCSC Institutional Review Board (IRB) as the IRB is charged with protecting human subjects and their private identifiable information. Human subjects data stored on computers in text, photo, video or other formats can be compromised through theft or hacking, and subjects may be put at risk of harm from a data breach. 

In addition to the risk to subjects, the cost of reproducing, restoring, or replacing stolen or lost data highlights the need for a comprehensive data protection plan. Investigators should specifically address how they will safeguard human subject data stored in electronic and non-electronic formats in their study submissions.


Protection of Electronic Data

Theft and hacking are particular concerns with electronic data. Many research studies involve the collection and maintenance of human subjects data that could become the target of hackers. The following precautionary measures are recommended when dealing with electronic data:

  • Consider study goals and risk levels in the planning stages of your research study. Careful consideration should be given to the type of data needed to achieve the study aims. As the level of risk increases (depending on the type of questions being asked, etc.), so will the investigator’s responsibility for protecting study subjects’ information. Things to consider include:
    • whether factors may limit your ability to securely protect human subjects research data (e.g., international travel, budget), in which case you may want to utilize written documentation or field notes that do not include identifiers.
    • if using audio or video recording, the study submission will need to describe how the recordings will be coded to protect the subject’s identity, how the recordings will be maintained (i.e., where they will be kept), and when/if they will be destroyed.
  • De-identify private data that you must retain whenever possible. If research designs require IDs to be retained, unlink them from main data sources as early as possible. Use arbitrary IDs to link the confidential and anonymized information.
  • Securely delete sensitive data and personally identifiable subject information when it is no longer needed. Shred any hard-copy forms as soon as possible. For computer files, note that putting a file in the trash and emptying the trash will not remove it from the system. For information on how to securely delete files, see “How can I delete files securely from my computer?”
  • Human subjects research data files should be password protected and encrypted. Encryption reduces the risks associated with stored private information. Unencrypted data should never be emailed or otherwise shared.
  • Use the UCSC ITS standards for electronic data security.
  • Use the Campus VPN (virtual private network) to provide a secure (encrypted) connection.
  • Adhere to all UC and UCSC policies when connecting to the UCSC network, or accessing UCSC data. Also be aware of restrictions related to export/import control and international travel.
  • Restrict access to data. Be sure you know who has access to folders before you put restricted data there. Don’t put sensitive information in locations that are publicly accessible from the internet.
  • Don’t forget smartphones. If you are capturing or accessing human subjects data using your phone, including recording interviews, review UCSC ITS Security’s Mobile Devices and Wireless.
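
The de-identification step recommended in the list above (unlink identifiers early and link through arbitrary IDs), shown as an added example that is not part of the UCSC guidance. The function name `unlink_identifiers`, the column names and the sample records are assumptions made for illustration.

```python
import secrets

# Hypothetical column names; adjust to the study's own data dictionary.
IDENTIFIER_FIELDS = ("name", "email")


def unlink_identifiers(records, identifier_fields=IDENTIFIER_FIELDS):
    """Split records into de-identified study data and a separate key table.

    Returns (study_rows, key_table). study_rows carry only an arbitrary
    subject_id; key_table maps subject_id -> identifiers and is meant to be
    stored apart from the study data, with tighter access.
    """
    id_by_subject = {}   # normalized identifier tuple -> arbitrary ID
    key_table = {}       # arbitrary ID -> identifiers
    study_rows = []
    for record in records:
        identity = tuple(record[f].strip().lower() for f in identifier_fields)
        subject_id = id_by_subject.get(identity)
        if subject_id is None:
            # Random, not a hash of the identifiers: a hash of a name or
            # email can be recomputed by anyone who guesses the input.
            subject_id = "S-" + secrets.token_hex(8)
            while subject_id in key_table:  # regenerate on collision
                subject_id = "S-" + secrets.token_hex(8)
            id_by_subject[identity] = subject_id
            key_table[subject_id] = {f: record[f] for f in identifier_fields}
        row = {k: v for k, v in record.items() if k not in identifier_fields}
        row["subject_id"] = subject_id
        study_rows.append(row)
    return study_rows, key_table


# Constructed sample data, not from any real study.
SAMPLE = [
    {"name": "Ana Ruiz", "email": "ana@example.org", "session": 1, "score": 14},
    {"name": "Ben Cho", "email": "ben@example.org", "session": 1, "score": 9},
    {"name": "Ana Ruiz", "email": "Ana@example.org ", "session": 2, "score": 17},
]

if __name__ == "__main__":
    rows, keys = unlink_identifiers(SAMPLE)
    for row in rows:
        print(row)
    print(len(keys), "subjects in key table")
```

Dropping named columns does not remove identifiers that appear inside free-text answers or recordings; those need separate review before the data is treated as de-identified.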
Additional Resources:
Information Security: How to Stay Secure
Protecting Electronic Restricted Data



Access to Sensitive Information

When accessing restricted or confidential data and/or systems (e.g., health information protected under the HIPAA Privacy Rule, social security numbers, etc.) or other sensitive data as informed by the IRB/ORCA, use Protection Levels for UC Institutional Information to determine the protection levels of your human subjects research data. Be sure to follow appropriate Practices for Protecting Electronic P3 - P4 Data.



Additional Protections

  • Store data on UCSC secure servers. To give UCSC study team members access, the Principal Investigator/Faculty Sponsor will need to provide the team members’ UCSC email addresses to their IT department, which can then grant access to a study folder on the department’s secure encrypted server.

If conducting study surveys, use an approved survey platform (i.e., Qualtrics). If a non-approved platform is to be used, be sure to review its data security measures and discuss them with your ITS Divisional Liaison. If appropriate, a backup data source should be stored in a file on a UCSC secure server.




Report a Theft or Breach



Researcher Record Retention

UCSC requires the study Principal Investigator to keep administrative and study records (approved IRB documents, signed consent forms, data collection documents, etc.) for a minimum of three years after the close of the study. Longer retention periods may be required, such as for records pertaining to Protected Health Information under the HIPAA Privacy Rule, FDA regulated studies, or based on sponsor contract requirements. Investigators are also required to take measures to prevent accidental or premature destruction of these documents.

Once a study has been completed, study investigators may keep the data they collected, including identifiable private data, if consistent with the IRB-approved/exempt certified study. Study investigators should continue to honor any data confidentiality protections outlined in the IRB-approved/exempt certified study.

Study investigators should also honor any other commitments that were agreed to as part of the approved/certified study. For example, providing information about the study results to research subjects, or honoring commitments for compensation to research subjects for research participation.

For more information see UCSC IRB Policy on Records Retention. 
