Data and Participant Information (Section 10)
Data Standards
Research participants are granting you the privilege to access and use their information. The following information can help you fulfill your obligation to maintain confidentiality and help deidentify information. In general, participants should never be considered anonymous; there may be cases where an individual is anonymous to a researcher, but not to third parties. For example, a participant may complete a survey from a public computer or a computer that is infected with malicious software.
10.1.1: University Data Handling Guide. Review and adhere to the data handling guide, which establishes the University's expected minimum standards. The IRB may require stricter control.
- Use KSU-owned systems and software. Non-KSU software should only be used if absolutely necessary and should be reviewed by IT Security. Cellphones and other personal devices should not be used to store participant information or as recording devices.
- Use the KSU VPN.
- Do not transmit non-public data via email; email is not secure.
- Default to the strictest level of control based on your data type.
- Proctor data access: when somebody leaves a study, revoke their access. When granting an individual access to information stored in a shared resource, assigning access expiration dates is strongly recommended.
- Deidentify/code data as soon as allowed by the research.
- Only those with the "need to know" should have access to identifiers. This is known as the principle of least privilege.
- Limit the use of unnecessary indirect identifiers.
- Narrow participant pools should be avoided as they may increase the ability to identify a participant. Multiple recruitment sites and methods can help broaden participant pools.
- Never leave data unattended or unsecured. Use a lock screen for electronic data and lock doors and cabinets for physical data.
Phishing and fraudulent messaging create a risk of errant disclosure of participant information. Be cautious of:
- Unsolicited emails or text messages asking for credentials or calls to action
- Attachments and links from unknown/unverified senders
- Unknown or suspicious senders
- Offers that sound too good to be true
- Urgent language (e.g. click here or your account will be revoked)
10.1.2: Deidentification
- Deidentified means that all direct personal identifiers are permanently removed from the data, no code or key exists to link the data to the original source or to the individual, and the remaining information cannot be used to reasonably identify the individual.
- A single research study may require use of many different software applications such as Qualtrics, OneDrive, Sona, and NVivo. Ensure participant information has been removed from or deidentified in all resources.
- Review the HIPAA deidentification guidance: https://www.hhs.gov/hipaa/for-professionals/special-topics/de-identification/index.html
Confidentiality and Privacy
10.2.1: Confidentiality refers to the research team’s agreement with participants about how identifiable, private information will be handled, managed, and disseminated. Privacy addresses behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public. You must consider how the study's location, tools, and planned interactions affect your ability to maintain an individual's privacy. The key question to ask yourself about your data collection procedures is “would a reasonable person being studied consider the information to be private?”
10.2.2: Identifiable information should only be collected if needed and only be retained for the minimum time necessary to complete the research. In some cases, it may be challenging or even impossible to maintain confidentiality. The use of direct and indirect identifiers must be carefully considered along with the uniqueness of the study population and the procedures used. The consent form must clearly state any limitations to confidentiality.
- When planning provisions for confidentiality, consideration should be given to whether data are coded, de-identified or anonymous:
- Coded refers to data linked to individual subjects' identifiers using a code. Generally, the data is collected with a "Study ID" and a linkage file is maintained where the Study ID is associated with the subject's identifiers.
- De-identified refers to data that are not associated with any direct or indirect identifiers or codes linking the data to the individual subject's identity. Data are de-identified when the linkage file has been destroyed or the code has been removed from the dataset and no data can be linked back to an individual.
- Anonymous refers to data that no one, not even the researcher or a third-party entity (e.g. Qualtrics), can connect to the individual subject through direct or indirect identifiers.
- Indirect identifiers refers to a combination of more than one data element that can be used to ascertain an individual's identity.
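The coded and de-identified states described above, as an added example that is not part of the KSU guide. The field names, sample records, and the small-cell check on indirect identifiers are assumptions made for illustration; the check is a common k-anonymity style test, not a KSU requirement.

```python
import secrets
from collections import Counter

DIRECT_IDENTIFIERS = ("name", "email")  # assumed column names

# Constructed sample records, not real participant data.
SAMPLE = [
    {"name": "Participant A", "email": "a@example.edu",
     "age_band": "18-24", "department": "Biology", "score": 4},
    {"name": "Participant B", "email": "b@example.edu",
     "age_band": "18-24", "department": "Biology", "score": 2},
    {"name": "Participant C", "email": "c@example.edu",
     "age_band": "45-54", "department": "Physics", "score": 5},
]

def code_records(records):
    """Coded: replace direct identifiers with a Study ID and keep the
    identifiers only in a separate linkage file (store it apart from the data)."""
    coded, linkage = [], {}
    for rec in records:
        # Random ID: a hash of the name or email could be reversed by guessing.
        study_id = "S-" + secrets.token_hex(4)
        while study_id in linkage:
            study_id = "S-" + secrets.token_hex(4)
        linkage[study_id] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        coded.append({"study_id": study_id, **row})
    return coded, linkage

def deidentify(coded):
    """De-identified: remove the code from the dataset. The linkage file
    must also be destroyed, otherwise the data are still only coded."""
    return [{k: v for k, v in row.items() if k != "study_id"} for row in coded]

def small_cells(rows, indirect_identifiers, k=2):
    """Return combinations of indirect identifiers shared by fewer than k
    rows; these rows may still point to one person."""
    counts = Counter(tuple(r[q] for q in indirect_identifiers) for r in rows)
    return {combo: n for combo, n in counts.items() if n < k}

if __name__ == "__main__":
    coded, linkage = code_records(SAMPLE)
    released = deidentify(coded)
    print(released)
    print(small_cells(released, ("age_band", "department")))
```

A non-empty result from `small_cells` means the remaining indirect identifiers should be generalized or dropped before the data are treated as de-identified.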
10.2.3: Data is a broad term that consists of information generated by a research study and includes data sets, interview transcripts, media files, field notes, and diaries. The Common Rule does not define information, but uses the term frequently. It is generally accepted that "information" includes data as well as other factors about individuals that may not be considered research data; this includes direct identifiers such as names or email addresses.
Data Use Agreements
10.3.1 Important: University Counsel (U.C.) is the university’s authority for contractual matters, including data use agreements. U.C. has delegated limited authority to The Office of Research Compliance to help investigators execute most de-identified data use agreements.
10.3.2 Templates:
- De-Identified Data Use Agreement — This can be used if you plan to share de-identified data that is not already publicly available.
- Data Use Agreement for data containing identifier (not for Limited Data Sets) — This form is to be used if you plan to send data that includes identifiers to another institution.
- Confidentiality agreement - This form is to be used when using non-research personnel (third party) translation or transcription services.
- IS Secured Use & Confidentiality of University Records and Data — This is to acknowledge that investigators understand the rules associated with university records and data confidentiality.
10.3.3 What are data use agreements?
- Data use agreements (DUA) are contractual documents that define limitations on a recipient’s use of non-public data or data that is otherwise restricted by the data provider or under applicable law.
10.3.4 When is a data use agreement required?
- Typically, you must use a DUA when sharing identifiable data with a party external to KSU. The terms of a DUA are under the purview of University Counsel. The IRB works with University Counsel to help facilitate DUAs for inter-institutional human subjects research.
10.3.5 When is a data use agreement not required?
- A data use agreement is not required if another fully executed agreement (i.e., sponsored research agreement, grant agreement, or IRB inter-institutional authorization agreement) includes terms for data sharing and supersedes the need for a data use agreement. Data use agreements are not needed to share deidentified data unless the consent form, the IRB application, or another agreement prohibits sharing.
10.3.6 What if the data I am sending to an external party includes Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) or education records protected under the Family Educational Rights and Privacy Act (FERPA)?
- You must get approval from the University’s Privacy Officer (PHI) or Registrar (FERPA) and follow their requirements.
10.3.7 Who can sign a DUA on behalf of the University?
- DUAs may only be signed by a University official with the appropriate delegated signature authority. Data use agreements related to research typically need to be signed by the Vice President for Research and Economic Development or an appointed designee. Contact University Counsel of the Division of Research and Economic Development for more information.
10.3.8 What if I am asked to sign a DUA by an external party?
- Contact University Counsel.
- Once fully executed, abide by the terms and conditions of the agreement.
10.3.9 Do I need to contact the IRB prior to sharing data?
- If the data was collected under the approval of the KSU IRB, you must contact the Office of Research Compliance. The ORC will review your IRB application to ensure sharing of data is not disallowed.
10.3.10 What types of data use agreements exist?
- The two most common types are stand-alone de-identified data use agreements or confidentiality agreements with data-use provisions. If sharing identifiable data (using a confidentiality agreement), you must justify to the IRB the need to share identifiers.
10.3.11 Other helpful federal information