The following security tips are recommended to help manage and protect confidential human subject data. For specific information regarding computer security, please consult with Information and Computer Security at James Madison University (JMU).
Computer Security
- Make regular back-ups of critical data
- Lock your workstation and go offline when not in use
- Turn your computers off when you leave for the day
- Use virus and spyware/adware protection software
- Use a software and/or hardware firewall
- Regularly download software security patches for any software, especially anti-virus, and enable automatic updates for your computer
Physical Security
- Keep confidential documents off your desk
- Do not share your access
- Use laptop locking devices
- Keep a record of make, model, serial number
- Do not store laptops in your automobile
- Store confidential data in a water/fire proof safe
- When traveling, data should be stored in a portable lockbox
Internet Data Collection Security
- IP addresses can identify an individual's computer
- Use a sophisticated website script that prevents people from abusing and spamming your online data collection (Contact JMU Computing for guidance)
- Email is not a secure method of data collection. If you must use email, you should use "encrypted" email (e.g., PGP encryption).
Internet Web Server Concerns to Consider
- Is SSL utilized to secure the transmission of data?
- What security measures are in place to protect the stored data? Is the data routinely backed up?
- What does the company do with the information gathered from visitors? How long are log files kept?
- What does the organization do with the data at the end of the research project?
- What are their privacy and confidentiality policies?
Online Conferencing, Interviews, and Focus Groups
- Zoom and Microsoft Teams are the only conferencing programs recommended by the JMU IRB for online interviews, focus groups, and meetings at this time. Other meeting apps have presented potential security issues and licensing concerns, whereas Zoom has undergone institutional vetting.
- Support answers and information about setting up a Teams meeting or interview can be found at: https://www.jmu.edu/computing/communication-and-collaboration/microsoft-teams.shtml
- Support answers and information about setting up a Zoom meeting or interview can be found at: https://www.jmu.edu/computing/communication-and-collaboration/zoom.shtml
- If you plan to record audio or video of your focus group, meeting, or interview, the Teams and Zoom sessions are encrypted as they happen. However, you will need to save your audio or video files to a JMU-owned computer or storage location that has a file encryption and back-up strategy already in place.
Cloud Computing
The JMU Office of Research Integrity advises against the use of cloud computing in the research setting for identifiable data.
- Please see Guidelines for Data Storage and Collaboration.
- Identifiable research information cannot be stored on a third-party cloud computing environment unless specifically approved by JMU Computing and the IRB.
- Information stored in a cloud computing environment may be considered the cloud vendor's data. If you opt to use these services for storing anonymous data, be aware of the vendor's usage policy and privacy policy.
- Alternatives to third party cloud computing services can be configured with JMU Computing on secure JMU managed servers and/or Microsoft SharePoint.
Types of Confidential Information
- Financial information
- Medical information
- Personal information (e.g., names, university ID numbers or login, SSN, birthdates, etc.)
- Academic records (e.g., grades, evaluations, etc.)
- Identifiable human subject research
- Industry secrets and defense research
- Patentable research
Protecting Confidential Data
- Use password protection or encryption to protect confidential files
- Encrypting data makes it completely unreadable to anyone but you or your intended recipient
- Encryption is available on most newer devices and is either enabled by default or has to be turned on
  - Windows 10 and 11 have built-in BitLocker Drive Encryption
  - Mac OS has FileVault built-in encryption
  - Android phones running 7.0 and later have encryption enabled out-of-the-box, while on some older or lower-end devices it has to be turned on
  - iPads and iPhones are generally encrypted by default
- Third party programs can offer high levels of encryption (e.g., AES, Blowfish, 3DES, etc.)
- Store all critical information on removable media (e.g., flash drive, external hard drive, etc.) with encryption
- Keep confidential files off of network drives
- Remove identifiers and randomly code confidential data
Disposal of Confidential Data
- Cross-cut shredders are better than strip-cut shredders to destroy paper-based confidential data.
- Data ARE NOT completely deleted off of your hard drive when you click the delete button, empty the recycle bin, or reformat the hard drive on your computer.
- Data should be securely deleted from your hard drive by using a data erasing software program that is designed to completely remove sensitive data (e.g., Eraser and SDelete)
If you are considering a different storage or transmission location for your research data, review the following technology characteristics and include these details in your research protocol.
- Is SSL utilized to secure the transmission of data?
- What are the vendor’s usage policy, terms and conditions, and/or privacy policy?
- If you are using a third party service, who owns the data you enter into the vendor’s environment?
General Tips & Tricks
- To fully anonymize the data gathered via Qualtrics, use Survey Options > Survey Termination > Anonymize Response to prevent accidentally gathering identifiable IP addresses.
- Physical objects (signed papers, audio or videotape recordings) need to be in a private location with a unique lock that is only accessible to the researcher(s).
- Do not store laptops in your automobile.
- Password-protect computers and mobile devices.
- Do not use public wireless Internet when working with Protected or Highly Confidential data.
- Master lists of participant codes and participant names should be stored neither in the same place as research data nor in the same place as informed consent.
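The tips above to remove identifiers, randomly code confidential data, and keep the master list apart from the research data can be combined into one step. The following is an added example, not JMU's own tooling; the column names, code format, and sample records are assumptions constructed for illustration.

```python
import csv
import io
import secrets

# Constructed sample records; the column names are assumptions for this example.
RAW_CSV = """name,university_id,birthdate,score
Alice Example,100000001,1999-04-02,17
Bob Sample,100000002,2000-11-23,22
Cara Placeholder,100000003,1998-07-15,19
"""
IDENTIFIER_COLUMNS = ("name", "university_id", "birthdate")


def new_code(used):
    """Return an unused random code (CSPRNG, not a hash of the identifiers)."""
    while True:
        code = "P-" + secrets.token_hex(4).upper()
        if code not in used:
            used.add(code)
            return code


def deidentify(raw_csv, identifier_columns=IDENTIFIER_COLUMNS):
    """Split records into (research_rows, master_rows)."""
    used, research_rows, master_rows = set(), [], []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        code = new_code(used)
        # Identifiers go to the master list; everything else to the research data.
        master_rows.append({"code": code, **{c: row[c] for c in identifier_columns}})
        rest = {k: v for k, v in row.items() if k not in identifier_columns}
        research_rows.append({"code": code, **rest})
    # Shuffle so row order no longer mirrors the order of collection.
    secrets.SystemRandom().shuffle(research_rows)
    return research_rows, master_rows


def to_csv(rows):
    """Serialize a non-empty list of dicts to CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    research, master = deidentify(RAW_CSV)
    print(to_csv(research))  # save with the research data
    print(to_csv(master))    # save in a separate, encrypted location
```

Free-text columns can still contain names or other identifiers, so review the remaining columns before treating the research file as de-identified.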
For questions or concerns, please contact the Office of Research Integrity for further assistance.