Tips for Completing the Data Security Assessment Form

This document was developed to provide additional clarification to support the completion of the data security assessment form.  Think about the data you will be collecting and remember to collect only the data needed to answer your research questions, to minimize the risk to participants.  Before completing this form, you will need to determine: what is collected, how it is collected, where it is transmitted, and how it is stored.  This form is used as a tool to aid the IRB in conducting a risk assessment.  Ideally, these guidelines and assessment efforts will help you better understand the risks so you can develop a plan to protect data privacy with our assistance.  There is no single right answer on how to secure your data and protect participant privacy. 

We strongly encourage researchers to talk with their data managers to see how the data is being protected.  It is the Principal Investigator’s responsibility to ensure the person managing the data has the appropriate qualifications or expertise to function in this role.  This may be a good time to sit down with your research team to discuss how this is being done.

Follow these tips to avoid a delay in the review process:

  • Ensure you are using the most current Data Security Assessment Form (A-Z Guidance)
  • Complete all the sections applicable to your study
  • Include all activities specific to the research study
  • Consult with your IT or data manager if unsure how to answer any of the questions
  • Contact us at irb@pitt.edu for clarification or consultation if needed

Part A

  • This section reflects what the university considers to be identifying information and includes a separate section to list any other unique identifying labels.  Be sure to check all that apply and, if no identifiers are collected, select anonymous.  As technology advances, so do the types of identifiers that may be collected.  For example, many devices or apps collect the participant’s location using geolocation, which can be considered an identifier.  In some instances, a person's mobile phone in itself could potentially be an identifier.
     
  • We are often asked to better define sensitive data, but this must be determined by the Principal Investigator, who knows the type of information to be collected and the population to be studied.

Part B

This section relates to the technology that will be used to collect data during the course of your study.  There are specific questions to be addressed in order for the risk assessment to be conducted.  You may need to contact the vendor or developer of the tool to obtain the information.  Because tools vary, these questions need to be answered for each technology being used.  If you are going to be using these technologies, it is important that you or your data manager understand how the technology functions and the options available to secure the data collected.

  • Mobile App
    • You may choose to use a commercial mobile app available publicly from the Apple App Store or the Google Play Store, or you may wish to develop your own custom application or have one developed specifically for your study. 
    • The answers to the questions in this section will assist the IRB in understanding the risks to the study participants in their use of the mobile app. 
    • Please be aware that data stored on mobile devices is often automatically backed up to cloud storage systems such as Apple’s iCloud or Google services.  If the data is sensitive and identifiable, encryption should be used to prevent the data from being stored in, and potentially accessible to, those cloud service providers. 
       
  • Web-based site, survey or other tool
    • Many researchers have created their own websites to interact with participants, so it is important that these sites are behind Pitt or UPMC firewalls.  Under limited circumstances, other sites may be used to host the sites, but only after careful consideration.  The goal is to minimize the risk of inadvertent disclosure of participants’ information and to know who may have access to the data.
    • It is highly recommended that Pitt researchers use the Pitt-licensed version of Qualtrics when possible to conduct survey research.  It is not required, but since Pitt has already vetted the security controls for this software, no additional information is required.  If you choose another survey tool, be prepared to contact the vendor for detailed information on their security controls in order to complete the form.
       
  • Wearable device
    • Fitness trackers such as the Apple Watch, FitBit, Jawbone, Microsoft Band, Garmin and other devices that are worn by study participants and collect data such as footstep counts, sleep monitoring, heart rate/pulse, and other biomedical information are being used more and more in research. 
    • While this data may seem innocuous and non-sensitive, as these devices advance and collect more detailed information on the study participant’s activities, including geolocation data and biomedical information, the need to properly secure the privacy of this information will become increasingly important. 
    • It is strongly encouraged, when possible, to have the research team register devices instead of the participants themselves.  This limits the exposure of the participant’s identifying information to a third party.  You will notice this selection available in the wearable device section.
    • Please fully document how data will be transmitted from the wearable device to the research study team.  For instance, if you plan to have the device sync wirelessly with an app running on a mobile device, such as the study participant’s mobile phone, you should make that clear in this section.
      • Note that if you are planning to use a mobile app for syncing and transmitting data, the Mobile App section needs to be filled out as well. 
         
  • Electronic audio, photographic, or video recording or conferencing
    • It is relatively easy to take photographs or record audio and video of study participants.  However, one must think about where this data is being stored, even temporarily, and how that data will be protected.  When information is recorded on devices such as smartphones or tablets, consideration must be given to where those recordings are stored.  Most mobile apps used for recording or photography use cloud-based storage, where the information recorded on the device goes directly to the vendor’s site.  Who has access to the recording, how will they use the information, who will they share it with, and when, if ever, will it be destroyed?  If you do not understand the privacy policy of the products you are using, you lose control of the data and the ability to protect it.  We are often bad stewards of our own data, but we need to be very good stewards of the participant’s data. 
    • With all the technology available, it is very easy to record conversations, but one must ensure compliance with state laws.  Pennsylvania, for instance, has a wiretapping law that requires “two-party consent”: it is a crime to intercept or record a telephone call or conversation unless all parties provide consent.  Of course, there may be exceptions when recordings occur in public places and there is no expectation that the communication is private, but be sure to consult with legal counsel before engaging in this practice.
    • Remember that even data stored on legacy media such as audio tape, photographic film, or VCR tapes needs physical protection against loss or theft. 
       
  • Text messaging
    • Unless the text messages are an integral part of your research, it is recommended that you limit messages to items such as appointment reminders or tips for the day, as these messages are, in general, not secure and may be viewed by others.
    • Should you choose to use text messages to communicate sensitive research data, you should consider providing the study participants with researcher-provided devices to limit the risk of a breach of confidentiality arising from use of the study participant’s own personal device.  The participant’s own personal device is tied to their telephone number, which is easily tied back to the participant’s identity.  In addition, messages may be stored by the study participant’s cellular service provider, further increasing the risk of a breach of confidentiality of the study text messages.

Part C

  • Tell us what happens to the data once collected.  Where is it stored?  It is always best practice to store on a protected server maintained by Pitt or UPMC services. 
     
  • Depending on the data, it may be acceptable in some circumstances to collect data on your personal computer if no personal identifiers or sensitive information are collected, but then you must certify that anti-virus software is installed and up to date. 
  • If you are transmitting data outside the university, how is this being done?  Are you encrypting the data or using a secure email service to share this information?  If sending data to your sponsor, contact them directly and ask them about their security controls.  Email is in general not secure, so think before just downloading that file and sending it.  You cannot get it back once sent.
     
  • Pitt Box is a good place to store your de-identified data; it allows you to manage access and also to share the data with external collaborators if needed.  Some data should not be stored on Pitt Box; go to http://technology.pitt.edu/service/what-types-of-data-can-i-store-on-box for more information.
     
  • It is often convenient to store data on a USB drive or other removable media, but these devices are easily lost or stolen and present a significant risk to the security and availability of your research data.  If you do choose to use them, it is recommended that the device be password protected and encrypted to decrease the risk of access by others.  Data that is identifiable or sensitive should not be stored on these devices unless approved by CSSD, due to the privacy risk to participants and others.
     
  • Pitt’s Information Technology, Computing Services and Systems Development (CSSD), has software and other security resources available, often at no cost, to the Pitt community.  For example, there is software available to download to your laptop that allows for remote data deletion or even tracking of the device if it is lost or stolen.  Technology evolves and so do the solutions available from Pitt, so be sure to review their website on a regular basis to see what’s new.
     
  • Go to the Secure Your Data Community on PITT’s Information Technology’s website http://technology.pitt.edu/security/secure-your-data-community for detailed information.

Part D

  • Now you have a dataset of all your research data.  Who is going to have access, and who is going to be responsible for providing this access?  This may be the Principal Investigator, or another member of the research team may have been assigned this task.  Depending on the sensitivity of the data, an IT professional or experienced data manager may need to be responsible for ensuring the data is protected. 
     
  • The university has a policy that data will be maintained for at least 7 years after the study has ended, and there must be a plan to manage the data storage.  You may need to contact your department administrator for assistance in arranging this long-term storage.  Depending on the sponsor, FDA regulations and the population being studied, additional retention may be required.

Terms of Service or End User License Agreement (EULA)

  • The infamous “I agree” box that we often check but do not read before accessing the software.  The researcher has the duty and responsibility to inform the study participants of known and potential risks.  If you do not read the agreement in detail, then you cannot possibly inform the participants of the risks.  Many of these agreements state that you give the vendor permission to capture information from your personal device (e.g., contact list, emails) and track your location.  This data may be used for marketing or other activities, or even sold to another party.  If you do not understand the language in the agreement, consult with your IT team, CSSD, or legal counsel.  It is important to remember that it is the Principal Investigator’s responsibility to appropriately inform the study participants of these potential risks.
     
  • Accepting such an agreement cannot conflict with the information that you provide to study participants during the informed consent process.  You cannot state that only members of the study team will have access to the study participant's information if you are using a product or service whose terms of service allow the vendor access to that data.

Need help

  • Email irb@pitt.edu to ask your question or request a data security consultation
  • Pitt Information Technology at http://technology.pitt.edu/
  • Call the Pitt Technology Help Desk at 412-624-HELP and let them know the question relates to the data security of a research study
  • Detailed information on file-sharing and storage solutions using UPMC MyCloud is available on the UPMC INFONET website
  • Contact your department administrator for data storage solutions, since the research data must be retained for at least 7 years after the study has ended or, if children are enrolled, until the child reaches the age of 23 (Pitt Policy)