The following regulations apply to any research approved by the IRB through expedited or full review. Furthermore, research automatically exempt from review or which received an IRB approved exemption, while not constrained by the following storage and disposal regulations are encouraged to adhere to relevant regulations that protect the confidentiality of research subjects.
Investigators should be cognizant of the fact that any guarantees made to research subjects during the consent process (e.g., limited access to the data, anonymity, confidentiality etc.) remain in force after the study concludes and throughout the data storage process. It is the investigator’s responsibility to ensure secure storage of the data that maintains these guarantees and to demonstrate to the satisfaction of the IRB that these guarantees are being met throughout the conduct of the study and the data storage period.
A) STORAGE OF NON-SENSITIVE DATA
Data is non-sensitive when it has been obtained anonymously from subjects such that no identifiers can link any data to individual subjects (See Note 1 below). In this case, data storage need only be secure to the extent it can be retrieved easily by the principal investigator in response to a request for ethical review by the IRB Executive Committee. If stored electronically, the data file must be backed up on an independent storage device.
B) STORAGE OF SENSITIVE DATA
Data is sensitive when it contains identifiers that can link any data to individual subjects (See Note 1 below). In this case, the investigator has a special obligation to maintain more secure data storage that protects the confidentiality of research subjects. When the principal investigator is not a student, sensitive data may be stored on campus or off campus as regulated below. When the principal investigator is a student, however, sensitive data must be stored on campus by his/her faculty supervisor as regulated below.
On campus – Hard copies of the data must be stored in a locked cabinet in a locked room. Data must be “de-identified” and the identifiers stored in a separate location. If stored electronically as well, data must be stored on a password protected hard drive.
Off campus – Hard copies of the data must be stored in a locked location, under the personal control and supervision of the investigator or to which only the investigator has access. Data must be “de-identified” and the identifiers stored in a separate location. If stored electronically as well, the data must be stored on a password protected and encrypted device.
C) STORAGE DURATION
Both non-sensitive and sensitive data must be stored for a minimum of three years after the conclusion of the study. Principal investigators and faculty supervisors of student research may extend storage duration beyond the minimum for reasonable cause. However, research data in either hard copy or electronic form should not be maintained in perpetuity. The sensitivity of the data and the reasons for maintaining the data should be the primary factors determining the length of retention beyond the minimum.
D) DISPOSAL OF DATA
Following the storage period, both non-sensitive and sensitive data must be destroyed in the manner which protects the confidentiality of the research subjects. Hard copies of the data should be shredded and electronic data files should be deleted from all storage devices including any recycling bins.
Note 1 - Obtained data is deemed sensitive if any of the following identifiers is linked to the responses of individual subjects. Beyond the information noted below, it is the responsibility of the investigator to determine if other solicited information (such as sexor ethnicity) may function as subject identifiers in special circumstances, warranting classification of his/her data as sensitive.1. Names
2. Postal address information, other than town or city, state, and zip
3. Telephone numbers
4. Fax numbers
5. Electronic mail addresses
6. Social security numbers
7. Medical record numbers
8. Health plan beneficiary numbers
9. Account numbers
10. Certificate/license numbers
11. Vehicle identifiers, serial numbers and license plate numbers
12. Device identifiers and serial number
13. Web universal resource locators (URLs)
14. Internet protocol (IP) address numbers
15. Biometric identifiers, including fingerprints and voiceprints
16. Full-face, oblique or full-profile photos and any comparable images
17. Any other unique identifying number, characteristic, or code
18. University ID numbers or login