IRB Data Management Security Tips

• Make regular back-ups of critical data
• Lock your workstation and go offline when not in use
• Turn your computers off when you leave for the day
• Use virus and spyware/adware protection software
• Use a software and/or hardware firewall
• Regularly download software security patches for any software, especially anti-virus, and enable automatic updates for your computer

• Keep confidential documents off your desk
• Do not share your access
• Use laptop locking devices
• Keep a record of make, model, serial number
• Do not store laptops in your automobile
• Store confidential data in a water/fire proof safe
• When traveling, data should be stored in a portable lockbox

• IP addresses can identify an individual's computer
• Use a sophisticated website script that prevents people from abusing and spamming your online data collection (Contact JMU Computing for guidance) 
• Email is not a secure method of data collection. If you must use email, you should use "encrypted" email (e.g., PGP encryption).

• Is SSL utilized to secure the transmission of data?
• What security measures are in place to protect the stored data? Is the data routinely backed up?
• What does the company do with the information gathered from visitors? How long are log files kept?
• What does the organization do with the data at the end of the research project?
• What are their privacy and confidentiality policies?

• Cisco Webex and Zoom are the only conferencing programs recommended by the JMU IRB for online interviews, focus groups, and meetings at this time. Other meeting apps have presented potential security issues and licensing concerns whereas Webex and Zoom have undergone institutional vetting.
• Support answers and information about setting up a Webex meeting or interview can be found at: https://www.jmu.edu/computing/communication-and-collaboration/webex.shtml
• Support answers and information about setting up a Zoom meeting or interview can be found at: https://www.jmu.edu/computing/communication-and-collaboration/zoom.shtml 
• If you plan to record audio or video of your focus group, meeting, or interview, the Webex and Zoom sessions are encrypted as they happen.  However you will need to be sure to save your audio or video files to a JMU-owned computer or storage location that has a file encryption and back-up strategy already in place.

The JMU Office of Research Integrity advises against the use of cloud computing in the research setting for identifiable data.

• Examples include the following types of third party services: Online Backup Services (e.g., SharePoint OnLine), Network Storage, encrypted Web-based Email (e.g. Hushmail).
• Identifiable research information cannot be stored on a third party cloud computing environment unless specifically approved of by JMU Computing and the IRB.
• Information stored in a cloud computing environment may be considered the cloud vendor's data. If you opt to use these services for storing anonymous data, be aware of the vendor's usage policy and privacy policy.
• Alternatives to third party cloud computing services can be configured with JMU Computing on secure JMU managed servers and/or Microsoft SharePoint.

• Financial information
• Medical information
• Personal information (e.g., names, university ID numbers or login, SSN, birthdates, etc.)
• Academic records (e.g., grades, evaluations, etc.)
• Identifiable human subject research
• Industry secrets and defense research
• Patentable research

• Use password protection or encryption to protect confidential files
  • Encrypting data makes it completely unreadable to anyone but you or your intended recipient
  • Encryption is available on most newer devices and is either enabled by default or has to be turned on
• Windows XP Professional has the Encrypting File System (EFS)
• Windows 7 and 10 have the BitLocker Drive Encryption
• Mac OS X Lion or later has FileVault 2
• Android phones running Lollipop (5.x) and higher have encryption enabled out-of-the-box, while on some older or lower-end devices have to be turned on
• iPads and iPhones are generally encrypted by default
• Third party programs can offer high levels of encryption (e.g., AES, Blowfish, 3DES, etc.)
• Store all critical information on removable media (e.g., flash drive, external hard drive, etc.) with encryption
• Keep confidential files off of network drives
• Remove identifiers and randomly code confidential data

• Cross-cut shredders are better than strip-cut shredders to destroy paper-based confidential data.
• Data ARE NOT completely deleted off of your hard drive when you click the delete button, empty the recycle bin, or reformat the hard drive on your computer.
• Data should be securely deleted from your hard drive by using a data erasing software program that is designed to completely remove sensitive data (e.g., Eraser and SDelete)

If you are considering a different storage or transmission location for your research data, review the following technology characteristics and include these details in your research protocol.

• Is SSL utilized to secure the transmission of data?
• What are the vendor’s usage policy, terms and conditions, and/or privacy policy?
• If you are using a third party service, who owns the data you enter into the vendor’s environment?

Examples of other services used by JMU researchers who work with Protected and Highly Confidential Data include:

• HushMail – Encrypted email service
• Windows Encrypting File System (EFS) – File encryption available in Windows 7 and Windows 8
• File Vault 2  – File encryption available in Mac OS X Lion or later

• Remember that to fully anonymize the data gathered via Qualtrics use Survey Options>Survey Termination>Anonymize Response to prevent accidentally gathering identifiable IP addresses.
• Physical objects (signed papers, audio or videotape recordings) need to be in a private location with a unique lock that is only accessible to the researcher(s).
• Do not store laptops in your automobile.
• Password-protect computers and mobile devices.
• Do not use public wireless Internet when working with Protected or Highly Confidential data.
• Master lists of participant codes and participant names should neither be stored in the same place as research data nor the same place of informed consent.

For questions or concerns, please contact the Office of Research Integrity for further assistance.