University of Pittsburgh
October 13, 2016

Technology Corner

Data Security review for human subject research

Both data and technology are proliferating at unprecedented rates of growth. As researchers begin to use new technologies, the excitement of new potential can sometimes overshadow legitimate questions concerning the risks that may be associated with using that technology with human subject data. Even routine technologies such as email, text messaging and mobile apps could put identifiable human subject research data at immediate risk.

Additionally, with the increasing need to share data in research comes an increased responsibility to make sure it is shared securely. Researchers, and the University, must ensure that human subject data is protected during collection, transmission and storage.

Working with Patty Orndoff of the Research Conduct and Compliance Office and the Human Research Protection Office (HRPO), the CSSD security team has developed a security review process for researchers to minimize these risks.

Data security review

The groundwork for the research data security review process was laid roughly two years ago, and since then we have been actively engaging and consulting with members of the research community. Many of you generously offered your attention and feedback at our presentations on data security awareness and data security solutions. The input you provided at these sessions, and during the numerous departmental sessions we conducted, was invaluable.

We quickly realized that a key challenge was development of a data security assessment method that would provide the necessary information for conducting a risk assessment and that could be used by the HRPO staff, the Institutional Review Board (IRB) committees and the research community. We held numerous focus group sessions with study coordinators and principal investigators (PIs) to address their needs — and to confirm that the assessment form did not present any undue burden. We also developed electronic data security guidelines that are available to researchers on the HRPO website, and formed within the HRPO a new data security task force that focuses on continual process improvements.

A pilot project was conducted this summer using a specific subset of research protocols. HRPO staff applied a set of established rules to determine whether the applicant would be asked to complete the assessment form as part of the specific subset of research protocols. Responses to the assessment form then determined whether the HRPO staff requested a data security review from the CSSD team.

What does this mean for Pitt researchers?

Ideally, these guidelines and assessment efforts will help PIs better understand risks so they can develop a plan to protect data privacy with our assistance.

Some questions PIs may consider:

• Will data in the study ever be stored on a mobile device and, if so, how often? Might it be transmitted through a mobile device?

• If the research group is using a commercial app, are there provisions in the terms of service that could impact participant privacy or data ownership by the University?

• What security controls are in place when data is being transmitted outside the University to a third-party collaborator, vendor or sponsoring agency?

The pilot project helped us to ensure the security form was both effective and user friendly. The form will be uploaded to the HRPO application (OSIRIS). A formal data security review from the CSSD security team then will be requested by the HRPO staff based on risk assessment determined by information supplied on the security assessment form.

The guidelines and the assessment are intended to prompt judicious use of a security review that can provide Pitt researchers with additional confidence that their work will meet regulatory guidelines regarding data security and that their human subject data will remain private. HRPO may make a determination that certain technologies being used by an investigator — such as mobile apps and wearable devices — pose potential privacy risks that require the investigator to complete the assessment form so they can understand and manage risks; the HRPO staff can request a data security review at any time.

We strongly recommend that researchers request that a consultation meeting be held early, before submitting the project for review by the IRB, if the researcher is planning to make extensive or novel use of technology.

Research teams should continue to collaborate with their IT or data manager to address how electronic data related to their work is managed.

Additional information and support

Several services, identified on the HRPO website, support the data security review process. Investigators with questions about how to complete the form can email irb@pitt.edu, for instance. The CSSD (technology.pitt.edu) and HRPO (hrpo.pitt.edu) sites include documentation and information about consultation opportunities and education events.

Given the variety and diversity of research activities at the University, there is no one right answer for how to secure data and protect participant privacy. There are, however, best practices that Pitt researchers can adhere to for collection, transmission and storage of human subject data.

Please take a moment to become familiar with documents outlining those best practices:

• Guidance documents: pi.tt/datasecurityguide.

• Data security assessment form: pi.tt/securityassessment.

We always are willing to meet with your research team or department to discuss risks and how they can be managed.

Sean Sweeney is the University’s chief information security officer. He can be reached at 412-624-5595 or sweeney2@pitt.edu.
