Data and Participant Information (Section 10)
Data Standards
Research participants grant you the privilege to access and use their information. The following guidance can help you fulfill your obligation to maintain confidentiality and deidentify information.
10.1.1: Data is a broad term that consists of “information generated by a research study and includes data sets, interview transcripts, media files, field notes, and diaries.” The Common Rule does not define “information” but uses the term frequently. It is generally accepted that "information" includes data as well as other factors about individuals that may not be considered research data; this includes signatures on consent forms and direct identifiers such as names or email addresses.
10.1.2: Overall University Standard
University Data Handling Guide. Review and adhere to the data handling guide, which establishes the University's expected minimum standards. The IRB may require adherence to a higher standard.
- Use KSU-owned systems and software. Non-KSU software should only be used if absolutely necessary and should be reviewed by IT Security. Personal devices should not be used to store participant information or as recording devices.
- Use the KSU VPN.
- Do not transmit non-public data via email; email is not secure.
- Only those with the "need to know" should have access to identifiers. This is known as the principle of least privilege.
- Proctor access to information and data; when somebody leaves a study, revoke their access. When granting an individual access to information stored in a shared resource, assigning access expiration dates is strongly recommended.
- Deidentify data as soon as allowed by the research.
- If data cannot be deidentified, code the data for secure, confidential storage as soon as possible.
- Limit the use of unnecessary indirect identifiers.
- Narrow participant pools should be avoided as they may increase the ability to identify a participant. Multiple recruitment sites and methods can help broaden participant pools.
- Never leave data unattended or unsecured. Use a lock screen for electronic data and lock doors and cabinets for physical data.
Phishing and fraudulent messaging pose a risk of errant disclosure of participant information. Be cautious of:
- Unsolicited emails or text messages asking for credentials or calls to action
- Attachments and links from unknown/unverified senders
- Unknown or suspicious senders
- Offers that sound too good to be true
- Urgent language (e.g. click here or your account will be revoked)
Confidentiality and Privacy
10.2.1: Privacy, confidentiality, and deidentification.
- Privacy is the control over the extent, timing, and circumstances of sharing oneself with others. Protecting a person’s privacy typically means asking permission and obtaining consent to conduct any study procedures, allowing them to refuse to answer any questions or complete any study tasks, and ensuring that the study is conducted in a private place.
- Confidentiality refers to the research team’s agreement with participants about how identifiable information will be handled, managed, and disseminated to prevent inappropriate disclosure of participants’ identities and participation in the study even if it cannot be linked to study data. Your plan for maintaining confidentiality must include methods for storage, handling, and data sharing.
- See 10.1.2 above
- Deidentification means that all direct personal identifiers are permanently removed from the data, no code or key exists to link the data to the original source or to the individual, and the remaining information cannot be used to reasonably identify the individual.
- A single research study may require the use of many different software applications such as Qualtrics, OneDrive, Sona, and NVivo. Ensure participant information has been removed from or deidentified in all resources.
- HIPAA deidentification methods are considered the gold standard and can be widely applied to any type of data.
- Data must be deidentified promptly and as soon as the research allows.
10.2.2: Identifiable information should only be collected if needed and only be retained for the minimum time necessary to complete the research. In some cases, it may be challenging or even impossible to maintain confidentiality. The use of direct and indirect identifiers must be carefully considered along with the uniqueness of the study population and the procedures used. The consent form must clearly state any limitations to confidentiality.
- When planning provisions for confidentiality, consideration should be given to whether data are coded, de-identified or anonymous:
- Coded refers to data linked to individual subjects' identifiers using a code. Generally, the data is collected with a "Study ID" and a linkage file is maintained where the Study ID is associated with the subject's identifiers.
- De-identified refers to data that are not associated with any direct or indirect identifiers or codes linking the data to the individual subject's identity. Data are de-identified when the linkage file has been destroyed or the code has been removed from the dataset and no data can be linked back to an individual.
- Anonymous is when an individual is unidentifiable to everyone, including the researchers.
- In general, participants should never be considered anonymous; there may be cases where an individual is anonymous to a researcher, but not a third party. For example, a participant may complete a survey from a public computer or a computer that is infected with malicious software.
- Indirect identifiers are more than one data element that can be used to ascertain an individual's identity.
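The coded and de-identified states defined above, shown as an added example (illustrative code, not part of the University's guidance). It goes slightly beyond the definitions by also flagging combinations of indirect identifiers that point to a single row. Assumptions: the field names, the `S-` Study ID format, the threshold `k=2`, and the sample records, which are constructed.

```python
import secrets
from collections import Counter

DIRECT = ("name", "email")  # assumed direct-identifier columns

# Constructed sample records; not real participants.
RAW = [
    {"name": "Participant A", "email": "a@example.edu",
     "age_band": "18-24", "department": "Biology", "score": 7},
    {"name": "Participant B", "email": "b@example.edu",
     "age_band": "18-24", "department": "Biology", "score": 4},
    {"name": "Participant C", "email": "c@example.edu",
     "age_band": "55-64", "department": "Physics", "score": 9},
]

def code_records(records, direct=DIRECT):
    """Split raw records into coded rows and a separately stored linkage file."""
    coded, linkage = [], {}
    for rec in records:
        # Random Study ID: never derive it from an identifier (e.g. a hash of
        # the email), or the code itself can be guessed back to the person.
        study_id = "S-" + secrets.token_hex(4)
        while study_id in linkage:
            study_id = "S-" + secrets.token_hex(4)
        linkage[study_id] = {k: rec[k] for k in direct if k in rec}
        row = {"study_id": study_id}
        row.update({k: v for k, v in rec.items() if k not in direct})
        coded.append(row)
    return coded, linkage

def reidentify(row, linkage):
    """Only possible while the row still carries a code and the linkage file exists."""
    return linkage.get(row.get("study_id"))

def deidentify(coded):
    """Remove the code so rows can no longer be joined to the linkage file."""
    return [{k: v for k, v in row.items() if k != "study_id"} for row in coded]

def unique_indirect_combos(rows, fields, k=2):
    """Combinations of indirect identifiers shared by fewer than k rows."""
    counts = Counter(tuple(row[f] for f in fields) for row in rows)
    return sorted(combo for combo, n in counts.items() if n < k)

if __name__ == "__main__":
    coded, linkage = code_records(RAW)
    released = deidentify(coded)
    print(released)
    print(unique_indirect_combos(released, ("age_band", "department")))
```

Store the linkage mapping apart from the coded rows and restrict it to those with a need to know; any combination the last function returns is a row that indirect identifiers alone may single out.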
Data Use Agreements
10.3.1 Important: University Counsel (U.C.) is the university’s authority for contractual matters, including data use agreements. U.C. has delegated limited authority to The Office of Research Compliance to help investigators execute most de-identified data use agreements.
10.3.2 Templates:
- De-Identified Data Use Agreement — This can be used if you plan to share de-identified data that is not already publicly available.
- Data Use Agreement for data containing identifier (not for Limited Data Sets) — This form is to be used if you plan to send data that includes identifiers to another institution.
- Confidentiality agreement - This form is to be used when using non-research personnel (third party) translation or transcription services.
- IS Secured Use & Confidentiality of University Records and Data — This is to acknowledge that investigators understand the rules associated with university records and data confidentiality.
10.3.3 What are data use agreements?
- Data use agreements (DUA) are contractual documents that define limitations on a recipient’s use of non-public data or data that is otherwise restricted by the data provider or under applicable law.
10.3.4 When is a data use agreement required?
- Typically, you must use a DUA when sharing identifiable data with a party external to KSU. The terms of a DUA are under the purview of University Counsel. The IRB works with University Counsel to help facilitate DUAs for inter-institutional human subjects research.
10.3.5 When is a data use agreement not required?
- If another fully executed agreement (i.e., sponsored research agreement, grant agreement, or IRB inter-institutional authorization agreement) includes terms for data sharing and supersedes the need for a data use agreement. Data use agreements are not needed to share deidentified data unless the consent form, IRB application, or another agreement prohibits sharing.
10.3.6 What if the data I am sending to an external party includes Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) or education records protected under the Family Education Rights and Privacy Act (FERPA)?
- You must get approval from the University’s Privacy Officer (PHI) or Registrar (FERPA) and follow their requirements.
10.3.7 Who can sign a DUA on behalf of the University?
- DUAs may only be signed by a University official with the appropriate delegated signature authority. Data use agreements related to research typically need to be signed by the Vice President for Research and Economic Development or an appointed designee. Contact University Counsel of the Division of Research and Economic Development for more information.
10.3.8 What if I am asked to sign a DUA by an external party?
- Contact University Counsel.
- Once fully executed, abide by the terms and conditions of the agreement.
10.3.9 Do I need to contact the IRB prior to sharing data?
- If the data was collected under the approval of the KSU IRB, you must contact the Office of Research Compliance. The ORC will review your IRB application to ensure sharing of data is not disallowed.
10.3.10 What types of data use agreements exist?
- The two most common types are stand-alone de-identified data use agreements or confidentiality agreements with data-use provisions. If sharing identifiable data (using a confidentiality agreement), you must justify to the IRB the need to share identifiers.
10.3.11 Other helpful federal information
- - includes information about Cybersecurity