Data and Participant Information (Section 10)
Data Standards
10.1.1: University Data Handling Guide. Review and adhere to the data handling guide, which establishes the University's expected minimum standards. The IRB may require stricter control.
- Use KSU-owned systems and software. Non-KSU software should only be used if absolutely necessary and should be reviewed by IT Security.
- Use the KSU VPN.
- Do not transmit non-public data via email; email is not secure.
- Default to the strictest level of control based on your data type.
- Proctor data access; when somebody leaves a study, revoke their access.
- Deidentify/code data as soon as allowed by the research.
- Only those with "need to know" should have access to identifiers.
- Limit the use of unnecessary indirect identifiers and avoid narrow subject pools.
- Never leave data unattended or unsecured.
- Be mindful of phishing and fraudulent messages, which include:
  - Unsolicited emails or text messages asking for credentials or calls to action
  - Attachments and links from unknown/unverified senders
  - Unknown or suspicious senders
  - Offers that sound too good to be true
  - Urgent language (e.g. click here or your account will be revoked)
Confidentiality and Privacy
10.2.1: Confidentiality refers to the research team’s agreement with participants about how identifiable, private information will be handled, managed, and disseminated. Privacy addresses behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public. You must consider how the study's location, tools, and planned interactions affect your ability to maintain an individual's privacy. The key question to ask yourself about your data collection procedures is “would a reasonable person being studied consider the information to be private?”
10.2.2: Identifiable information should only be collected if needed and only be retained for the minimum time necessary to complete the research. In some cases, it may be challenging or even impossible to maintain confidentiality. The use of direct and indirect identifiers must be carefully considered along with the uniqueness of the study population and the procedures used. The consent form must clearly state any limitations to confidentiality.
- When planning provisions for confidentiality, consideration should be given to whether data are coded, de-identified or anonymous:
  - Coded refers to data linked to individual subjects' identifiers using a code. Generally, the data is collected with a "Study ID" and a linkage file is maintained where the Study ID is associated with the subject's identifiers.
  - De-identified refers to data that are not associated with any direct or indirect identifiers or codes linking the data to the individual subject's identity. Data are de-identified when the linkage file has been destroyed or the code has been removed from the dataset and no data can be linked back to an individual.
  - Anonymous refers to data that no one, not even the researcher or a third-party entity (e.g. Qualtrics), can connect to the individual subject through direct or indirect identifiers.
  - Indirect identifiers refers to more than one data element that can be used to ascertain an individual's identity.
10.2.3: Data is a broad term that consists of information generated by a research study and includes data sets, interview transcripts, media files, field notes, and diaries. The Common Rule does not define information, but uses the term frequently. It is generally accepted that "information" includes data as well as other factors about individuals that may not be considered research data; this includes direct identifiers such as names or email addresses.
Data Use Agreements
10.3.1 Important: University Counsel (U.C.) is the university’s authority for contractual matters, including data use agreements. U.C. has delegated limited authority to the Office of Research Compliance to help investigators execute most de-identified data use agreements.
10.3.2 Templates:
- De-Identified Data Use Agreement — This can be used if you plan to share de-identified data that is not already publicly available.
- Data Use Agreement for data containing identifier (not for Limited Data Sets) — This form is to be used if you plan to send data that includes identifiers to another institution.
- Confidentiality agreement - This form is to be used when using non-research personnel (third party) translation or transcription services.
- IS Secured Use & Confidentiality of University Records and Data — This is to acknowledge that investigators understand the rules associated with university records and data confidentiality.
10.3.3 What are data use agreements?
- Data use agreements (DUA) are contractual documents that define limitations on a recipient’s use of non-public data or data that is otherwise restricted by the data provider or under applicable law.
10.3.4 When is a data use agreement required?
- Typically, you must use a DUA when sharing identifiable data with a party external to KSU. The terms of a DUA are under the purview of University Counsel. The IRB works with University Counsel to help facilitate DUAs for inter-institutional human subjects research.
10.3.5 When is a data use agreement not required?
- A DUA is not required if another fully executed agreement (i.e., sponsored research agreement, grant agreement, or IRB inter-institutional authorization agreement) includes terms for data sharing and supersedes the need for a data use agreement. Data use agreements are not needed to share deidentified data unless the consent form, IRB application, or another agreement prohibits sharing.
10.3.6 What if the data I am sending to an external party includes Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) or education records protected under the Family Education Rights and Privacy Act (FERPA)?
- You must get approval from the University’s Privacy Officer (PHI) or Registrar (FERPA) and follow their requirements.
10.3.7 Who can sign a DUA on behalf of the University?
- DUAs may only be signed by a University official with the appropriate delegated signature authority. Data use agreements related to research typically need to be signed by the Vice President for Research and Economic Development or an appointed designee. Contact University Counsel of the Division of Research and Economic Development for more information.
10.3.8 What if I am asked to sign a DUA by an external party?
- Contact University Counsel.
- Once fully executed, abide by the terms and conditions of the agreement.
10.3.9 Do I need to contact the IRB prior to sharing data?
- If the data was collected under the approval of the KSU IRB, you must contact the Office of Research Compliance. The ORC will review your IRB application to ensure sharing of data is not disallowed.
10.3.10 What types of data use agreements exist?
- The two most common types are stand-alone de-identified data use agreements or confidentiality agreements with data-use provisions. If sharing identifiable data (using a confidentiality agreement), you must justify to the IRB the need to share identifiers.
10.3.11 Other helpful federal information