Human Research Protection Program

The purpose of this SOP is to set forth the requirements and responsibilities of the principal investigator in managing and protecting human subjects research data.

This SOP applies to human subjects research projects conducted under the auspices of Brandeis University.

Anonymous Data

Data collected and recorded such that no identifier whatsoever exists to link a subject's identity to that subject's response.

Coded Data

Data where identifying information has been replaced with a code and a key to decipher the code is available, which can link the identifying information to the data.

Confidential Data

Data that a subject has disclosed to the investigator with the expectation that they will not be divulged to others without the subject's permission.

De-identified Data

Data from which all personally identifiable information has been severed.

Greater Than Minimal Risk Data

Data the disclosure of which could cause greater than minimal harm or distress (such as that not encountered in daily life or during the performance of routine physicals or psychological examinations or tests).

Minimal Risk Data

Data the disclosure of which would cause minimal harm or distress (such as that encountered in daily life or during the performance of routine physicals or psychological examinations or tests).

Research Data

Human subjects' data, documentation of subject eligibility, original signed and dated consent forms (or record of consent if verbal), master keys and findings review logs, as well as ancillary materials such as administrative and financial records.

Sensitive Data

Data the disclosure of which could have adverse consequences or put a subject at risk of criminal or civil liability or be damaging to his/her financial standing, employability, reputation, etc.

It is the standard operating procedure of Brandeis University that the principal investigator is solely responsible for ensuring the proper management and protection of human subjects research data collected in research conducted under the auspices of Brandeis University. The principal investigator is responsible for ensuring that research data is secure when collected, transported, stored, transmitted and shared.

Investigators conducting human subjects research are required to develop and follow protocols to manage and protect the confidentiality and integrity of research data. The risk of harm resulting from a breach of confidentiality varies with the level of sensitivity of the research data.

There are five levels of risk associated with different types of research data:

Level I

• Publicly available data.

• Anonymous data.

• Nonconfidential data.

• De-identified minimal risk confidential data.

Level II

• Coded minimal risk confidential data.

• De-identified greater than minimal risk confidential data.

Level III

• Identifiable minimal risk confidential data.

• Coded greater than minimal confidential data.

• De-identified sensitive confidential data.

Level IV

• Identifiable greater than minimal risk confidential data.

• Coded sensitive confidential data.

Level V

• Identifiable sensitive confidential data

General considerations that apply to research data at all risk levels include:

1. The most restrictive management option feasible should be employed.

2. Only the minimum subject identifiers — direct and indirect — necessary for the research should be collected.

3. Subject identifiers should be removed or destroyed as soon as is feasible for the research.

4. Physical and/or electronic access to any area and/or device where research data are being stored must be limited.

5. Access to all research data must be limited to investigators and key research personnel.

6. Strong passwords must always be used.

7. Only secure/encrypted modes of electronic transmission of research data should be used.

8. Computers must be protected against malware with antimalware software approved by Brandeis University Information and Technology Services, and all software updates and patches applied.

9. The principal investigator must report any breaches in confidentiality to the Institutional Review Board within seven days of the researchers becoming aware of the event.

10. Brandeis University policy holds that human subjects research data must be retained for a minimum of three years.

11. When destroying research data stored on a computer, deleting the files is not enough as the deleted files can still be recovered. The deleted files must also be scrubbed from the computer so that the data are permanently erased. This may be done using commercial software approved by Brandeis University Information and Technology Services. Alternatively, the device may be degaussed or destroyed.

12. If keeping the research data indefinitely, data should be de-identified, at the latest, when the current project is complete.

13. If retaining de-identified research data indefinitely, storage in a data repository should be considered.

14. If conducting an online survey, the Brandeis University preference and default is that investigators use Qualtrics. Amazon’s Mechanical Turk should be used for recruitment purposes only.

15. If traveling abroad, international laws and export controls regulations must be considered as they may limit the movement of research data out of the country, both physically and electronically. The principal investigator must know the applicable laws and regulations of the country in which the research will be conducted before embarking on any research and, if needed, arrangements and agreements must be in place to ensure compliance.

16. As research progresses, so might the risk level; appropriate data management must be used for the level of risk at each stage of the research.

In addition to the general points outlined above, there are a number of security requirements specific to the type and risk level of research being conducted:

Risk Level I Data Management Options

1. Paper documents such as surveys, audio transcriptions or field notes must be stored in a secure place, such as a locked file cabinet.
   
   Any signed consent forms must be stored in a separate locked cabinet from the remaining search data.

2. Digital recording devices, audiotapes and videotapes with recordings of interviews, field notes, etc. must be stored in a secure place such as a locked file cabinet.

3. When scanned or uploaded, paper documents and audio/video files must be stored in one of the following:

   • Brandeis-provided Box.com account.

   • Brandeis-provided and Brandeis-certified file server.

   • Password-protected computer file.

4. Digital system files such as databases, SAS/SPSS data files or custom application record sets must be stored in one of the following:

   • Brandeis-provided Box.com account.

   • Brandeis-provided and Brandeis-certified file server.

   • Password-protected computer file.

Risk Level II Data Management Option

1. Paper documents such as surveys, audio transcriptions or field notes must be stored in a secure place, such as a locked file cabinet in a locked office.
   
   Any signed consent forms and master keys must be stored in a separate locked cabinet from the remaining search data.

2. Digital recording devices, audiotapes and videotapes with recordings of interviews, field notes, etc. must be stored in a secure place, such as a locked file cabinet in a locked office.

3. When scanned or uploaded, paper documents and audio/video files must be stored in one of the following:

   • Brandeis-provided Box.com account.

   • Brandeis-provided and Brandeis-certified file server.

   • Password-protected computer file.

   When consent forms and master keys are stored digitally, they must be stored in a separate account from the research data.

4. Digital system files such as databases, SAS/SPSS data files or custom application record sets must be stored in one of the following:

   • Brandeis-provided Box.com account.

   • Brandeis-provided and Brandeis-certified file server.

   • Password-protected computer file.

5. The safety of all research data should be reviewed and the findings logged on a regular basis.

Risk Level III Data Management Option

1. Paper documents such as surveys, audio transcriptions or field notes must be stored in a secure place, such as a locked file cabinet in a locked office.
   
   Any signed consent forms and master keys must be stored in a separate locked cabinet from the remaining search data.
   
   Any master keys should be shredded as early as is feasible.

2. Digital recording devices, audiotapes and videotapes with recordings of interviews, field notes, etc. must be stored in a secure place, such as a locked file cabinet in a locked office.

3. When scanned or uploaded, paper documents and audio/video files must be stored in one of the following:

   • Brandeis-provided Box.com account.

   • Brandeis-provided and Brandeis-certified file server.

   • Password-protected and encrypted computer file.

   When consent forms and master keys are stored digitally, they must be stored in separate accounts from the research data.

4. Digital system files such as databases, SAS/SPSS data files or custom application record sets must be stored in one of the following:

   • Brandeis-provided Box.com account.

   • Brandeis-provided and Brandeis-certified file server.

   • Password-protected and encrypted computer file.

5. The safety of all research data should be reviewed and the findings logged, at a minimum, on a weekly basis.

Risk Level IV Data Management Option

1. Paper documents such as surveys, audio transcriptions or field notes must be stored in a secure place, such as a locked box in a locked cabinet in a locked office, or a locked file cabinet in a lacked office with electronic door access control and/or in sight of a security camera.
   
   When being transported, paper documents must be secured, for example, in a locked briefcase or lockbox.
   
   Any signed consent forms and master keys must be stored in a separate locked cabinet from the remaining search data, preferably in a separate room or building.
   
   Paper documents should be shredded as early as is feasible.

2. Digital recording devices, audiotapes and videotapes with recordings of interviews, field notes, etc. must be stored in a secure place, such as a locked box in a locked file cabinet in a locked office, or a locked file cabinet in a locked office with electronic door access control and/or in sight of a security camera.
   
   When being transported, digital recording devices, audiotapes and videotapes must be secured, for example, in a locked briefcase or lockbox.
   
   Audio/video files should be uploaded, and originals destroyed as early as is feasible.

3. When scanned or uploaded, paper documents and audio/video files must be stored in one of the following:

   • Brandeis-provided Box.com account.

   • Brandeis-provided and Brandeis-certified file server.

   If access to the internet is not possible, use of a password-protected and encrypted USB drive or antivirus-protected, password-protected and encrypted computer file may be allowable. The device (e.g., computer or USB drive) should be stored in a locked box in a locked file cabinet in a locked office, or a locked file cabinet in a locked office with electronic door access control and/or in sight of a security camera.
   
   When consent forms and master keys are stored digitally, they must be stored in separate accounts from the research data.

4. Digital system files such as databases, SAS/SPSS data files or custom application record sets must be stored in one of the following:

   • Brandeis-provided Box.com account.

   • Brandeis-provided and Brandeis-certified file server.

   • Password-protected and encrypted computer file.

5. The safety of all research data should be reviewed and the findings logged on a daily basis.

Risk Level V Data Management Option

1. Paper documents, audiotapes and videotapes should be avoided, and research data collected electronically, whenever possible.

2. Paper documents such as surveys, audio transcriptions or field notes must be stored in a secure place, such as a locked box in a locked file cabinet in a locked office, or a locked file cabinet in a locked office with electronic door access control and/or in sight of a security camera.
   
   When being transported, paper documents must be secured, for example, in a locked briefcase or lockbox.
   
   Paper documents should be scanned and shredded as early as is feasible.

3. Digital recording devices, audiotapes and videotapes with recordings of interviews, field notes, etc. must be stored in a secure place, such as a locked box in a locked file cabinet in a locked office, or a locked file cabinet in a locked office with electronic door access control and/or in sight of a security camera.
   
   When being transported, digital recordings must be secured, for example, in a locked briefcase or lockbox.
   
   Audio/video files should be uploaded and destroyed as early as is feasible.

4. When scanned or uploaded, paper documents and audio/video files must be stored in one of the following:

   • Brandeis-provided Box.com account.

   • Brandeis-provided and Brandeis-certified file server.

   If access to the internet is not possible, use of a password-protected and encrypted USB drive or antivirus-protected, password-protected and encrypted computer file may be allowable. The device (e.g., computer or USB drive) should be stored in a locked box in a locked file cabinet in a locked office with electronic door access control and/or in sight of a security camera.

5. Digital system files such as databases, SAS/SPSS data files or custom application record sets must be stored in one of the following:

   • Brandeis-provided Box.com account.

   • Brandeis-provided and Brandeis-certified file server.

   • Password-protected and and encrypted computer file.
6. The safety of all research should be reviewed and the findings logged on a daily basis.

The U.S. government Code of Federal Regulations for the Protection of Human Subjects (45 CFR 46) contains the following requirements involving human subjects research data management and protection:

In order to approve research covered by this policy the IRB shall determine that all of the following requirements are satisfied: [§46.111(a)]

1. When appropriate, the research plan makes adequate provision for monitoring the data collected to ensure the safety of subjects. [§46.111(a)(6)]

2. When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data. [§46.111(a)(7)]