Protecting Research Data
Describing in Your Study How Data will be Protected
For your study protocols, carefully consider and include the following elements for protecting research data and the confidentiality of human research participant's information and specimens:
Data and Specimen Banking
- If data or specimens will be banked for future use, describe where the data or specimens will be stored, how long they will be stored, how the data or specimens will be accessed, and who will have access to the data or specimens
- List the data to be stored or associated with each specimen
- Describe the procedures to release data or specimens, including: the process to request a release, approvals required for release, who can obtain data or specimens, and the data to be provided with specimens
Data Management and Confidentiality
- Describe the steps that will be taken to secure the data (e.g., information security and privacy training, authorization of access, authentication for access, password protection, encryption, physical and administrative controls, certificates of confidentiality (or "CoC"; see our Confidentiality panel under Special Topics on this Consent Process page), and separation of identifiers and data) during storage, use, transmission and sharing
- Describe how data or specimens will be handled study-wide: e.g.,
- Who will extract data or link data/specimens?
- What information will be included in that data or associated with the specimens?
- Where and how data or specimens will be stored?
- How long the data or specimens will be stored?
- Who will have or otherwise be provided with access to the data or specimens, including for future research or data sharing?
- Who is responsible for receipt or transmission of the data or specimens?
- How will data or specimens will be transported?
- When will identifiers, linking keys or data be destroyed or disposed?
Legal and Policy Requirements
Both the Common Rule and FDA regulations require attention to the privacy of research subjects, including the confidentiality of their data. HIPAA adds its appropriate safeguards requirements for most research data derived from health care records.
Data confidentiality requires a secure computing environment. If research data is kept on a personal computer, it is essential to follow basic security steps, such as keeping it physically secured, updating software regularly, using access-protections and individual passwords, and following general cyber-security safety practices.
What FSU data is considered sensitive or confidential and needs to be protected?
Any data containing confidential, personal information related to business, financial, or medical transactions must be protected from loss, misuse, modification, and/or unauthorized access. This includes: name, date of birth, address, telephone number, social security number, personal photograph, amounts paid or charged in financial transactions, or account numbers.
A caveat to this definition is the release of student “directory” information, which includes a student’s name, address, telephone number, place and date of birth, honors and awards, and dates of attendance. Students can request non-disclosure of this information, which would prevent its use.
Each department should have a designated individual in charge of the protection of sensitive or confidential data. All employees who have access to sensitive or confidential data should be informed and trained about the protection of the data.
For more information please refer to applicable University policies (including 4-OP-H-5 Information Security Policy [search for the policy at this link] and 4-OP-F-7 Policy on Safeguarding of Confidential Financial and Personal Information [search at this link].
National Institute of Standards and Technology - Computer Security Resource Center (CSRC)
This is a good overall resource for information security materials.
United States Computer Emergency Readiness Team (US-CERT)
Another good overall resource for information security materials.
This is an educational course about conducting responsible data management.