Electronic Data Safety and Security Policy

Overview

Federal regulations require IRBs to ensure that participants’ data are kept safe, secure and (if applicable) confidential. Accordingly, applications reviewed by FSU’s IRB will need to describe the intended methods and applications used for electronic data collection, storage and transmission, which must be consistent with these and FSU’s safety and security guidelines. The researcher must explain in Section 6. Confidential of the IRB application how their protocol will follow these requirements, described below.

This policy describes the default applications and methods that are acceptable for electronic data collection, storage and transmission. These applications are free for FSU affiliates, free for participants, supported by the FSU IT department, encrypted, etc.

Researchers who wish to use any other application, including for purposes other than data collection, storage or transmission, must justify this request. Exceptions can be made in certain circumstances, for instance, if a default application does not provide the functionality needed. However, the researcher must justify why a different application will be used and must provide documentation that its security features are consistent with those of the default applications. The scrutiny that the IRB will apply will be comparable to the risk to participants in the event of a data breach (e.g., greater scrutiny for collection of confidential/identifiable data about a high-risk topic; lower scrutiny for collection of anonymous data about a low-risk topic).

The Principal Investigator is responsible for all aspects of research, including the safety and security of electronic data collection, storage and transmission. Should a data breach occur, the PI must notify FSU’s Help Desk and the IRB immediately.

Data Collection

Devices used for electronic data collection must be password protected, or securable in a similar manner. In general, only desktop and laptop computers may be used (i.e., not cellphones).

Microsoft Forms is the default application for collecting questionnaire data. Forms must be downloaded through the researcher’s FSU Outlook account, and the researcher must use their FSU credentials to log in to Forms.

Cisco Webex or Microsoft Teams (whichever application best meets the researcher’s needs) are the default applications for conducting interviews and collecting and recording interview data. The application must be downloaded through the researcher’s FSU Outlook account, and the researcher must use their FSU credentials to log in to it. Moreover, researchers should explain in the IRB application whether recordings and/or transcripts from the interview will be downloaded, the meeting room will be locked, and an anonymous interview option will be used.

Data Storage

Identifiable or confidential data should not be stored on a hard drive, even one that is password protected.

Microsoft OneDrive is the default application for storing identifiable or confidential data. OneDrive must be downloaded through the researcher’s FSU Outlook account, and the researcher must use their FSU credentials to log in to OneDrive.

Completely anonymous data, which contain no identifiable information, may be stored on a password protected hard drive. However, the IRB strongly recommends storing all electronic data on OneDrive.

As a reminder, federal regulations require data to be retained for at least 3 years after completion of the research.

Data Transmission

Email is not an acceptable way to transmit confidential or identifiable data.

Microsoft OneDrive or Microsoft Teams (whichever application best meets the researcher’s needs) are the default applications for data transmission. The application must be downloaded through the researcher’s FSU Outlook account, and the researcher must use their FSU credentials to log in to it. Moreover, the researcher should explain the steps they will take to ensure that only the correct people (e.g., other researchers listed on the IRB application, the participant reviewing their interview transcript) have access to these data (e.g., how will you set up OneDrive or Teams to ensure this happens?).

Completely anonymous data, which contain no identifiable information, may be transmitted via one’s FSU email account. However, the IRB strongly recommends transmitting all electronic data using OneDrive or Teams.

Informed Consent

Researchers must explain in the informed consent document how the electronic data are being collected, stored and transmitted, including which applications will be used. When describing the study’s risks, the possibility of a data breach or inadvertent disclosure of electronic data must be listed as a potential risk, although the researcher may describe the steps they will take to minimize this risk.