Privacy and Confidentiality
When thinking about your security policies, you need to make sure that participant data is secure, but you also need to make sure that your plans are feasible and will lead to good research.
When thinking about privacy and confidentiality, you will need to consider various questions: What types of data do I need to answer my research questions? Do I need to collect identifying information? If so, how will I ensure the security of that information? How long will I retain it? What steps do I need to take to de-identify my data? Should I delete my data after the study or maintain it going forward? Should I share de-identified data with other researchers?
Balancing Risks and Benefits
When answering these questions it is important to balance the risks and benefits of the research. It may reduce the risks (of loss of confidentiality) to participants to delete the study data after a few years, but it may also reduce the benefits of the project if no re-analysis or in-depth analysis of the data can take place.
For studies where data can be de-identified, it is increasingly common for journals or funding agencies to require that data sets be shared with other researchers to allow for study replications and re-analysis. When deciding your research procedures, consider whether this is a requirement of your field. If so, include that information in the application and the consent materials.
Likewise, deciding to what level data will be de-identified or masked, is a matter of balancing risks and benefits. For many studies involving sensitive information, it will make sense to de-identify participants as much and as quickly as possible. But other studies may require identifying information be retained to gain the full benefit of the study.
Digital Security
In the past, data was often collected on paper and stored in a locked cabinet but as more and more data is collected and stored digitally, it is important to keep on top of up-to-date security practices and include them in your research plans. If you need resources, it may be beneficial to reach out to LUC ITS.
When selecting digital data collection, transfer, storage, and analysis solutions, you may need to think about the privacy policies of the companies and how that could affect the risks to participants. For example, if you use a digital transcription service, what is their data retention policy? Do their employees have access to the data? Does their policy create a breach of confidentiality for your participants or does it meet the standards of the IRB?
De-identifying Data
Some research data cannot ever be fully de-identified, but for many projects de-identification is a key step in the security plans. Some data never contains identifiable information (anonymous surveys), while other types can be quickly de-identified as collected (surveys, tests, experiments, transcribed interviews), and other types may be de-identified after the main study is complete (video analysis, completed longitudinal studies).
As long as identifiable information is being analyzed, an approved IRB application is needed, but once data has been fully de-identified, a closure application can be submitted.
There is no strict definition of what are considered identifiers in the IRB regulations, but HIPAA requirements can be applied if guidance is needed.
Retaining information for Compensation and Future Research
In some cases, identifiers such as names and contact information need to be kept for compensation purposes. In others, participants have agreed to let their information be stored for future studies. In these situations, contact information should be collected and kept separately from the study data so that responses to study questions cannot be tied to any identifying information.
University Data Retention Policies and Consent Forms
There are LUC data retention policies that pertain to specific forms of research data which need to be followed. For instance, signed consent forms are required to be kept indefinitely. See here for the policies.
Audio and Video Recordings
Audio and Video Recordings are considered identifiable information, which means that extra care must be taken when storing these types of data.
For some studies, it may not be necessary to retain the audio video recordings once transcribed. If only transcripts are retained (and any identifying references are removed), this data can be considered de-identified, but when audio video recordings are retained, it is important to carefully consider your long-term storage plans for this identifiable data and provide a research justification for retention.
GDPR and Research
If you are doing research in GDPR compliant countries and have questions about how the GDPR might affect your research procedures or data storage plans, please see the LUC GDPR page for more information.
When thinking about your security policies, you need to make sure that participant data is secure, but you also need to make sure that your plans are feasible and will lead to good research.
When thinking about privacy and confidentiality, you will need to consider various questions: What types of data do I need to answer my research questions? Do I need to collect identifying information? If so, how will I ensure the security of that information? How long will I retain it? What steps do I need to take to de-identify my data? Should I delete my data after the study or maintain it going forward? Should I share de-identified data with other researchers?
Balancing Risks and Benefits
When answering these questions it is important to balance the risks and benefits of the research. It may reduce the risks (of loss of confidentiality) to participants to delete the study data after a few years, but it may also reduce the benefits of the project if no re-analysis or in-depth analysis of the data can take place.
For studies where data can be de-identified, it is increasingly common for journals or funding agencies to require that data sets be shared with other researchers to allow for study replications and re-analysis. When deciding your research procedures, consider whether this is a requirement of your field. If so, include that information in the application and the consent materials.
Likewise, deciding to what level data will be de-identified or masked, is a matter of balancing risks and benefits. For many studies involving sensitive information, it will make sense to de-identify participants as much and as quickly as possible. But other studies may require identifying information be retained to gain the full benefit of the study.
Digital Security
In the past, data was often collected on paper and stored in a locked cabinet but as more and more data is collected and stored digitally, it is important to keep on top of up-to-date security practices and include them in your research plans. If you need resources, it may be beneficial to reach out to LUC ITS.
When selecting digital data collection, transfer, storage, and analysis solutions, you may need to think about the privacy policies of the companies and how that could affect the risks to participants. For example, if you use a digital transcription service, what is their data retention policy? Do their employees have access to the data? Does their policy create a breach of confidentiality for your participants or does it meet the standards of the IRB?
De-identifying Data
Some research data cannot ever be fully de-identified, but for many projects de-identification is a key step in the security plans. Some data never contains identifiable information (anonymous surveys), while other types can be quickly de-identified as collected (surveys, tests, experiments, transcribed interviews), and other types may be de-identified after the main study is complete (video analysis, completed longitudinal studies).
As long as identifiable information is being analyzed, an approved IRB application is needed, but once data has been fully de-identified, a closure application can be submitted.
There is no strict definition of what are considered identifiers in the IRB regulations, but HIPAA requirements can be applied if guidance is needed.
Retaining information for Compensation and Future Research
In some cases, identifiers such as names and contact information need to be kept for compensation purposes. In others, participants have agreed to let their information be stored for future studies. In these situations, contact information should be collected and kept separately from the study data so that responses to study questions cannot be tied to any identifying information.
University Data Retention Policies and Consent Forms
There are LUC data retention policies that pertain to specific forms of research data which need to be followed. For instance, signed consent forms are required to be kept indefinitely. See here for the policies.
Audio and Video Recordings
Audio and Video Recordings are considered identifiable information, which means that extra care must be taken when storing these types of data.
For some studies, it may not be necessary to retain the audio video recordings once transcribed. If only transcripts are retained (and any identifying references are removed), this data can be considered de-identified, but when audio video recordings are retained, it is important to carefully consider your long-term storage plans for this identifiable data and provide a research justification for retention.
GDPR and Research
If you are doing research in GDPR compliant countries and have questions about how the GDPR might affect your research procedures or data storage plans, please see the LUC GDPR page for more information.