Data Security in Research

 MSU IRB Data Security Considerations for Research‌ 

All Montclair State University information that is stored, processed or transmitted by any means shall be classified into one of four levels of sensitivity: Public, Internal, Confidential and Private. The sensitivity classification identifies information in terms of what it is, and how that information is accessed, processed, communicated, and stored. If more than one sensitivity level could apply to the information, the highest level (most restrictive) will be selected.

MSU Requirements for Electronic Data in Research

 Minimum data security for protocols involving electronic data:

  • All data collection and storage devices must be password protected
  • Non-MSU devices for use in research should have up-to-date antivirus protection software
  • Identifiers or keys should be placed in separate, password-protected or encrypted file
  • Identifiers should not be stored on mobile devices, flash drives or other portable devices [excludes laptop]. If the protocol deems use of a portable device as necessary then the data files should be encrypted. The PI is responsible for consulting with their departmental IT liaison to determine the most secure method(s) for portable devices.
  • If using email for communication the PI should include statement(s) to the participants that email is not secure.
  • No protected health information or highly sensitive information should be transmitted via email. 
  • PI must plan for regular back-ups of data in an encrypted format.

Additional required data security for confidential or private information

  • All data should be transferred onto the PI’s MSUfiles location or access controlled department shared drive, and should not be stored permanently on the local hard drives, flash drive devices, portable devices, or cloud-based services such as Google drive or DropBox.
  • The data file used for data analysis should be free of IP addresses or other electronic identifiers. If IP addresses are collected by the survey tool, the addresses should be deleted from the downloaded data file.
  • The IRB standard and regulations requires maintaining original data for four years after project completion. However, if the risk to the participant is primarily breach of confidentiality through an identifiable data record then the PI should consider, as part of the protocol, a method of deleting or destroying identifiable information (i.e. video files). Data destruction prior to the regulatory requirement must be approved by the IRB. 
  • Standard security measures like encryption and secure socket layer (SSL) must be considered. Additional protections may include certified digital signatures for informed consent, encryption of data transmission, and technical separation of identifiers.

Information Classification Types

Private (most restrictive) All personally identifiable information pertaining to individuals that is protected by Federal or State law shall be Private.  Release of private information in any way other that what is described in your research protocol must be reported to the IRB immediately as an Adverse Event.
Examples:
  • Student and employee ID numbers (CWIDs) combined with full names and/or birth dates
  • Health insurance policy ID numbers
  • Persons' health or mental health records
Confidential

Information of a sensitive nature that is available only to designated personnel. Confidential information is information that is not available to the public under all applicable State and Federal Laws. Release of confidential information in any way other that what is described in your research protocol must be reported to the IRB immediately as an Adverse Event.
Examples:

  • Your own research data
  • Health information, including Protected Health Information (PHI)
  • Email address, Social secrutiy numbers, or unlisted telephone numbers
Internal

Information that is available to business units and used for official purposes but would not be released to the public unless requested pursuant to and authorized by applicable law.
Examples: 

  • Financial accounting information
  • Department project data such as construction plans that do not impact University security
  • Student and employee ID numbers (CWIDs) without any other identifying information
Public (least restrictive)

 Information that has been declared public knowledge by University Counsel in response to a request for records under the NJ Open Public Records Act, or by someone who is duly authorized by the University to do so, and thus may be freely distributed.  Public information in official University publications or University website may be released without special authorization.
Examples:

  • Faculty/Staff bios
  • Course catalogs
  • Press releases & marketing materials

 

Additional Resources for Responsible Data Security

National Human Resources Protections Advisory Committe   Recommendations on Confidentiality and Research Data Protections
Harvard University Data Security Policy
University of California Data Security Guidance
American University IRB Security and Privacy Checklist
Qualtrics-Anonymizing Responses Using Survey Options Anonymizing Responses