Data Security and Storage
Human Research Protections Program
Researcher Resources
You should always be mindful of confidentiality and privacy when conducting human participant research, but the degree to which you need a detailed data management plan (DMP) and heightened data protections depends on the nature of the research and sensitivity of the data.
But even in the graph above, information that might be considered highly sensitive would still depend on whether that data was reasonably identifiable. Examples:
- You interview undocumented citizens and record their citizenship status but do not collect names or other data that could reasonably lead back to a specific individual. The data set would not be sensitive, but you need to take steps to ensure privacy when collecting the information.
- You will collect names and demographics of LGBTQIA+ individuals who are not out to others. The data set is more sensitive and requires additional protections than data from those who have publicly disclosed their orientation. (The same logic applies with medical conditions and other personal information: does a participant wish to keep the information private, or are they publicly open about this information?)
- You want to know your students' opinions on the technical-writing module you developed. If you could know their identities and have not yet submitted grades, that data would be more sensitive than if you gather feedback the next quarter, when the students are no longer in your class.
If disclosure of any information beyond the research team could reasonably lead to embarrassment, discomfort, economic harm (e.g., if an employee discusses unfavorable impressions of a supervisor), or any other negative impact to the participant, you must show care and caution when collecting, maintaining, and storing the data.
If individuals could be swayed to participate or provide certain responses due to a power differential (e.g., instructor/student), you will need to find ways to reduce these factors to make the data (including collection) less sensitive.
Protocol Data Management Plan Information
If anyone other than the primary investigator will be involved with collecting, using, analyzing, and/or storing identifiable data, that person shares the obligation to protect it and needs to comply with best practices in storage and use.
All study team members who will have access to identifiable data must complete CITI training. If you are the PI, you are responsible for ensuring that all CITI certificates are included with the original submission. (The HRPP will not process applications lacking necessary CITI certificates.)
You must keep hard copies of sensitive data in a secure location that no one except the research team may access.
Audio recordings containing sensitive data should be carefully protected if someone’s voice could reasonably be identified.
Video recordings are always identifiable and need the highest level of protection if they contain sensitive information. If you will transcribe recordings, do so promptly, then delete the original recording (unless you need to retain it for some purpose).
The HRPP strongly recommends using WWU-owned equipment and licensed services when collecting and storing research data. For example, collect online survey data only on Qualtrics and store data on secure WWU drives or authorized cloud services like OneDrive or SharePoint.
While you might use your phone to record interviews, you should not use personal devices to store data. Devices—including laptops—can be lost, damaged, and stolen. If you promise confidentiality to participants, and someone steals your laptop, you can’t guarantee that they will not be able to hack through your passwords. To avoid loss or theft, limit how much you transport physical or electronic data.
Create the minimum number of copies of electronic data. If multiple study personnel need access, store data in password-protected shared folders using WWU resources (OneDrive, etc.). Do not send identifiable, sensitive data via email, unless necessary. In such cases, you should not only protect the files and folders with passwords, but also encrypt them.
Will you share your research data through presentations or publications? If so, will you aggregate or deidentify it, or will you obtain permission from participants to use their identifiable data? Using identifiable data usually requires a separate signature line on the consent document.
Increasingly, researchers are engaging in “Open Science” (OS) practices (which many granting agencies require). Through OS, researchers make their processes, data, and resulting writeups available to a broad section of society, from professionals in their fields to regular citizens curious about research (or wanting to know how their tax money is being used!).
Your consent form needs to explain all plans for future data use and the format of sharing—deidentified, aggregated, etc. Use simple language to explain those processes to participants. For example: Deidentified = removing any information connected to you personally. Aggregated = reporting only as a group or cluster.)
De-identification means stripping data of any possible way to figure out a participant's identity. That includes removing direct identifiers (e.g., names), indirect identifiers that combined might identify a specific individual (e.g., demographics), and direct quotes or specific information that could be traced to a specific individual.
Again considering the emphasis on Open Science, researchers are encouraged to deidentify rather than destroy data. An exception would be recordings with sensitive information. In such cases, researchers should consider destroying recordings after transcribing interviews or focus groups.
If you will collect data through a participant’s own activity tracker, a smartwatch, location trackers, or similar technology, your informed consent materials must tell participants whether they will be required to download and agree to terms of service or other agreements applicable to an app.
For highly sensitive data, you should consider using coded data. In this case you would assign each participant a unique number or identifier to be used on all data collection instruments. (Be sure not to record any identifiable participant information as part of the study data.)
Create a master key/list to organize identifying information and data. (Best practices recommend using an electronic format with robust password protections.) Then, enter the identifiable information (including contact information) into the master key and record the corresponding coded study identifiers.
After you conclude data analysis, you should destroy the master key (and any participant contact information). In your HRPP application, explain plans for when and how you will destroy the keys. (If you need to retain the master key for any reason, you will have to justify the reason in your application.) Remaining data should include only the code and no other identifiers.
More researchers are using web conferencing platforms to conduct interviews and focus groups. Use only your WWU Zoom or Teams account for such purposes. You must clarify to participants whether you intend to record (in both recruitment and consent materials) these online sessions. Store recordings on WWU OneDrive or SharePoint.
Establish in advance whether participants must have their cameras on and whether they should use their own names or can use a pseudonym. Clarify all requirements in the consent materials.
Ask individuals to participate from a private location or to use headphones and/or a virtual or blurred background to prevent unconsented individuals from becoming part of a recorded research records. (Pets are exempt from this requirement, as everyone loves cat and dog virtual visits.)
To uphold responsible, rigorous research, always maintain detailed, effective, accurate documentation that promotes both
- Replicability — another researcher's ability to duplicate study results with same procedures and new data
- Reproducibility — when another researcher uses the same raw data and procedures to duplicate study results