This page was created to answer your research questions to minimize the risk to participants. Before completing the Electronic Data Management section in PittPRO, you will need to determine: what is collected, how it is collected, where it is transmitted, and how it is stored. This section is used as a tool to aid the IRB in conducting a risk assessment. Ideally, these guidelines and assessment efforts will help you better understand risks so you can develop a plan to protect data privacy with our assistance. There is no one right answer on how to secure your data and protect participant privacy.
We strongly encourage researchers to talk with their data managers to see how the data is being protected. It is the Principal Investigator’s responsibility to ensure the person managing the data has the appropriate qualifications or expertise to function in this role. This may be a good time to sit down with your research team to discuss how this is being done.
Follow these tips to avoid a delay in the review process:
- Complete all the sections applicable to your study
- Include all activities specific to the research study
- Consult with your IT or data manager if unsure how to answer any of the questions
- Contact us at firstname.lastname@example.org for clarification or consultation if needed
This section reflects what the university considers as identifying information and includes a separate section to list any other unique identifying labels. Be sure to check “no” and indicate all identifiers that apply, and if no identifiers are collected, check “yes.” Remember that "anonymous" means that no one can identify the subject at any time. This means that recorded data are not linked to the identity of the individual subjects in any way. If there are linkage codes, data is not anonymous and question #1 must be answered "no".
As technology advances, so do the types of identifiers that may be collected. For example, many devices or apps collect the participant’s location using geo-location, which can be considered an identifier. In some instances, a person's mobile phone could itself be an identifier.
Restricted Research Data: Data is considered restricted when protection of the data is required by law/regulation. Further, the loss of confidentiality, integrity, or availability of the data or system could have a severe adverse impact on our mission, safety, finances, or reputation. Examples and additional information about restricted data can be found through Pitt IT Data Risk Classification and Compliance.
Sensitive Research Data: Data is considered sensitive when disclosure of identifying information could have adverse consequences for subjects or damage their financial standing, employability, insurability, educational advancement, reputation or place them at risk for criminal or civil liability. We are often asked to better define sensitive data but it must be determined by the Principal Investigator who knows the type of information to be collected and population to be studied.
Tell us what happens to the data once collected. Where is it stored? It is always best practice to store on a protected server maintained by Pitt or UPMC services.
Depending on the data, it may be acceptable in some circumstances to collect on your personal computer if no personal identifiers or sensitive information are collected, but then you must certify that anti-virus software is installed and up to date.
If you are transmitting data outside the university, how is this being done? Are you encrypting the data or using a secure email service to share this information? If sending to your sponsor, contact them directly and ask them for the security controls. Emails in general are not secure so think before just downloading that file and sending. You cannot get it back once sent.
University-approved cloud storage like OneDrive is a good place to store your de-identified data. This allows you to manage access and also to share the data with external collaborators if needed. Some data should not be cloud-stored. Refer to Cloud Collaboration for more information.
It is often convenient to store data on a USB drive or other removable media, but these tools are easily lost or stolen and present a significant risk to the security and availability of your research data. If you do choose to use these tools, it is recommended the tool be password protected and encrypted to decrease the risk of access by others. Data that is identifiable or sensitive should not be stored using these tools unless approved by CSSD, due to the possible risk to the privacy of the participants and others.
Pitt’s Information Technology, Computing Services and Systems Development (CSSD), have software and other security resources available, often at no cost, to the Pitt community. For example, there is software available to download to your laptop that allows for remote data deletion or even tracking the device if lost or stolen. Technology evolves and so do the solutions available from Pitt. Go to the Secure Your Data community for information.
This section relates to the technology that will be used to collect data during the course of your study. There are specific questions to be addressed in order for the risk assessment to be conducted. You may need to contact the vendor or developer of the tool to obtain the information. Due to variability in tools being used, these issues need to be addressed per technology being used. It is important that if you are going to be using these technologies, you or your data manager understand how the technology functions, and the options available to secure the data collected.
You may choose to utilize a commercial mobile app available publicly from the Apple App Store or the Google Play Store, or you may wish to develop your own custom application or have one developed specifically for your study.
The answers to the questions in this section will assist the IRB in understanding the risks to the study participants in their use of the mobile app.
Please be aware that data stored on mobile devices is often automatically backed up to cloud storage systems such as Apple’s iCloud, or to Google services. If data is sensitive and identifiable, encryption should be used to prevent the data from being stored and potentially accessible to those cloud service providers.
Fitness trackers such as the Apple Watch, Fitbit, Jawbone, Microsoft Band, Garmin and other devices that are worn by study participants and collect data such as footstep counts, sleep monitoring, heart rate/pulse, and other biomedical information are being used more and more in research.
While this data may seem innocuous and non-sensitive, as these devices advance and collect more detailed information on the study participant’s activities, including geo-location data and biomedical information, the need to properly secure the privacy of this information will become increasingly important.
It is strongly encouraged when possible to have the research team register devices instead of the participant themselves. This limits the exposure of the participant’s identifying information being shared with a third party. You will notice this selection available in the wearable device section.
Please fully document how data will be transmitted from the wearable device to the research study team. For instance, if you plan to have the device sync wirelessly with an app running on a mobile device, such as the study participant’s mobile phone, you should make that clear in this section.
Note that if you are planning to use a mobile app for syncing and transmitting data, the Mobile App section needs to be filled out as well.
Unless the text messages are an integral part of your research, it is recommended you limit messages to items such as appointment reminders or tips for the day, as these messages are, in general, not secure and may be viewed by others.
Should you choose to use text messages to communicate sensitive research data, you should consider providing the study participants with researcher-provided devices to limit the risk of breach of confidentiality in the use of the study participant’s own personal device. The use of the study participant’s own personal device would be tied to their telephone number, which is easily tied back to the participant’s identity. In addition, messages may be stored by the study participant’s cellular service provider, further increasing the risk of breach of confidentiality of the study text messages. The consent form should outline the information that will be communicated by text, who is expected to have access to the information and how confidentiality will be protected.
Electronic audio, photographic, or video recording or conferencing
Due to all of the technology available, it is very easy to record conversations, but one must ensure they obey state laws. Pennsylvania, for instance, has a wiretapping law that requires “two-party consent” and it is a crime to intercept or record a telephone call or conversation unless all parties provide consent. Of course, there may be exceptions when recordings occur in public places and there is no expectation that the communication is private, but be sure to consult with legal before engaging in this practice.
Remember that even data stored on legacy technologies such as audio tape, photographic film, or even VCR needs to have physical protections against loss or theft.
Web-based site, survey or other tool
Many researchers have created their own websites to interact with participants, so it is important that these sites are behind Pitt or UPMC firewalls. Under limited circumstances, other sites may be used to host the sites but only after careful consideration. The goal is to minimize the risk of inadvertent disclosure of participants’ information and to know who may have access to the data.
It is highly recommended that Pitt researchers use the Pitt-licensed version of Qualtrics when possible to conduct survey research. It is not required, but since Pitt has already vetted the security controls for this software, additional information is not required. If you choose to use another survey tool, be prepared to contact the vendor for detailed information on their security controls to complete the form.
Terms of Service or End User License Agreement (EULA)
This is the infamous “I agree” box that we often check but do not read before accessing the software. The researcher has the duty and responsibility to inform the study participants of known and potential risks. If you do not read the agreement in detail, then you cannot possibly inform the participants of the risks. Many of these agreements state you give the vendor permission to capture information from your personal device (e.g., contact list, emails) and track your location. This data may be used for marketing or other activities or even sold to another party. If you do not understand the language in the agreement, consult with your IT team, CSSD, or legal counsel. It is important to remember that it is the Principal Investigator’s responsibility to appropriately inform the study participants of these potential risks.
This action cannot conflict with information that you provide to study participants during the informed consent process. You cannot state that only members of the study team will have access to the study participant's information, if you are utilizing a product or service whose terms of service allow them access to that data.
- Email email@example.com to ask your question or request a data security consultation
- Pitt Information Technology homepage
- Data Risk Classification and Compliance
- Call the Pitt Technology Help Desk at 412-624-HELP and let them know the question relates to the data security of a research study
- Contact the Pitt IT Helpdesk for questions specific to research data security
- Detailed information on file-sharing and storage solutions using UPMC MyCloud is available on the UPMC INFONET website
- Contact your department administrator for data storage solutions since the research data must be retained for at least 7 years after the study has ended or, if children are enrolled, until the child reaches the age of 25 (Pitt Policy)