Guidelines and considerations for planning to secure your data, especially for IRB proposals.

- By Paula Lackie, 2015.

For most smaller research projects, a successful data management plan should be explicit but not elaborate.  Most simply put, having a plan for every imaginable step in the data life-cycle for your project will help you to recognize where there are gaps or when you need to make a detour in the plan. Having a plan equals basic security for your access to your own research data as well as minimizing the risk of exposure for your subjects.

The essence of any IRB application is to assess whether any of your data may be harmful to your research subjects if used inappropriately. After that it’s a matter of breaking down precisely which components and in what formats these data will be created and managed. With that in mind, the basic elements of good data security for protecting your research subjects include:

• First, do not capture more information than you need to answer your research question. For instance, simply having a list of some club memberships and an email address can easily lead to identity theft.

• There’s an added burden when working in a region or country for which you are not deeply familiar. Issues vary culturally with what may be sensitive information. In this case, it is best to assume it is all sensitive and act accordingly.

• Immediately remove all names and contact information from your working data files. (Qualitative and Quantitative.) Just replacing names in a file is usually not enough. Identity theft is just one thing to consider; it is not just the information isolated in research data but a shred of information there can be combined with data elsewhere to provide complete profile information about your subjects.

• Lock up any paper and/or backup copies of your data in a location that only researchers working on this project have access.

• Have your computer password protected and also password protect any documents with PII material in them. Set your computer to go to a password protected screen-saver (or blank) when it is idle for some time (the length depends on the kind of work you are doing with that computer, where you are working, and how sensitive the PII (Personally Identifiable Information) are. This is only a minimum security step as it is not difficult to bypass these passwords.

• Password-protect individual files with any sensitive information.

• Set up a working firewall on your computer.

• Pre-verify that any computer you will be working on is free of any spyware, trojan malware, or viruses.

• For very sensitive material work in a separate, more secured account on your computer and do not access the internet from that account.

• When the project is completed* be sure to securely shred/destroy all original data. See IT support for secure destruction of digital copies.  Deleting files is not a secure way to destroy digital copies of your research data or working files.

*Knowing when a project is actually finished is one of the most challenging aspects of academic research data protection. But for your own wellbeing, be sure to make a determination and destroy all sensitive or potentially sensitive data.

Additionally, there are a number of excellent resources in the world of research data management for data security.  

This site at Georgia Tech’s Scholarly Communication & Digital Curation office (within their library) has an excellent, concise & to the point primer on what to think about: http://www.library.gatech.edu/research-data/security

The Interuniversity Consortium for Political and Social Research (ICPSR) has a nice primer on preparing quantitative & quliatative data for archival purposes: http://www.icpsr.umich.edu/icpsrweb/content/deposit/guide/chapter3qual.html

The MANTRA site for research data management training is a full course in data management for students and advanced researchers.  

http://datalib.edina.ac.uk/mantra/