Human Subjects - IRB


IRB Data Management Security Tips

The following security tips are recommended to help manage and protect confidential human subject data. For specific information regarding computer security, please consult with Information and Computer Security at James Madison University (JMU).

Computer Security

  • Make regular back-ups of critical data
  • Lock your workstation and go offline when not in use
  • Turn your computers off when you leave for the day
  • Use virus and spyware/adware protection software
  • Use a software and/or hardware firewall
  • Regularly download software security patches for any software, especially anti-virus, and enable automatic updates for your computer


Physical Security

  • Keep confidential documents off your desk
  • Do not share your access
  • Use laptop locking devices
  • Keep a record of make, model, and serial number
  • Do not store laptops in your automobile
  • Store confidential data in a waterproof/fireproof safe
  • When traveling, data should be stored in a portable lockbox


Internet Data Collection Security

  • IP addresses can identify an individual's computer
  • Use a sophisticated website script that prevents people from abusing and spamming your online data collection (contact JMU Computing for guidance).
  • Email is not a secure method of data collection. If you must use email, you should use "encrypted" email (e.g., PGP encryption).


Internet Web Server Concerns to Consider

  • Is SSL utilized to secure the transmission of data?
  • What security measures are in place to protect the stored data? Is the data routinely backed up?
  • What does the company do with the information gathered from visitors? How long are log files kept?
  • What does the organization do with the data at the end of the research project?
  • What are their privacy and confidentiality policies?


Cloud Computing

The JMU Office of Research Integrity advises against the use of cloud computing in the research setting for identifiable data.

  • Examples include the following types of third party services: Online Backup Services (e.g., SharePoint Online), Network Storage, encrypted Web-based Email (e.g., Hushmail).
  • Identifiable research information cannot be stored on a third party cloud computing environment unless specifically approved by JMU Computing and the IRB.
  • Information stored in a cloud computing environment may be considered the cloud vendor's data. If you opt to use these services for storing anonymous data, be aware of the vendor's usage policy and privacy policy.
  • Alternatives to third party cloud computing services can be configured with JMU Computing on secure JMU managed servers and/or Microsoft SharePoint.


Types of Confidential Information

  • Financial information
  • Medical information
  • Personal information (e.g., names, university ID numbers or login, SSN, birthdates, etc.)
  • Academic records (e.g., grades, evaluations, etc.)
  • Identifiable human subject research
  • Industry secrets and defense research
  • Patentable research


Protecting Confidential Data

  • Use password protection or encryption to protect confidential files
    • Encrypting data makes it completely unreadable to anyone but you or your intended recipient
    • Encryption is available on most newer devices and is either enabled by default or has to be turned on
    • Windows XP Professional has the Encrypting File System (EFS)
    • Windows 7 and 10 have BitLocker Drive Encryption
    • Mac OS X Lion or later has FileVault 2
    • Android phones running Lollipop (5.x) and higher have encryption enabled out-of-the-box, while on some older or lower-end devices it has to be turned on
    • iPads and iPhones are generally encrypted by default
    • Third party programs can offer high levels of encryption (e.g., AES, Blowfish, 3DES, etc.)
  • Store all critical information on removable media (e.g., flash drive, external hard drive, etc.) with encryption
  • Keep confidential files off of network drives
  • Remove identifiers and randomly code confidential data


Disposal of Confidential Data

  • Cross-cut shredders are better than strip-cut shredders to destroy paper-based confidential data.
  • Data ARE NOT completely deleted off of your hard drive when you click the delete button, empty the recycle bin, or reformat the hard drive on your computer.
  • Data should be securely deleted from your hard drive by using a data erasing software program that is designed to completely remove sensitive data (e.g., Eraser and SDelete).

If you are considering a different storage or transmission location for your research data, review the following technology characteristics and include these details in your research protocol.

  • Is SSL utilized to secure the transmission of data?
  • What are the vendor’s usage policy, terms and conditions, and/or privacy policy?
  • If you are using a third party service, who owns the data you enter into the vendor’s environment?

Examples of other services used by JMU researchers who work with Protected and Highly Confidential Data include:

General Tips & Tricks

  • Remember that to fully anonymize the data gathered via Qualtrics, use Survey Options > Survey Termination > Anonymize Response to prevent accidentally gathering identifiable IP addresses.
  • Physical objects (signed papers, audio or videotape recordings) need to be in a private location with a unique lock that is only accessible to the researcher(s).
  • Do not store laptops in your automobile.
  • Password-protect computers and mobile devices.
  • Do not use public wireless Internet when working with Protected or Highly Confidential data.
  • Master lists of participant codes and participant names should be stored neither in the same place as research data nor in the same place as informed consent.
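
An added example (not part of the original page) of the "remove identifiers and randomly code confidential data" tip together with the separate master list described above. The column names, the code format, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import secrets

# Columns treated as direct identifiers (assumption for this example).
IDENTIFIER_FIELDS = ("name", "university_id", "email")
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alike characters


def new_code(used, length=8):
    """Draw a random participant code that is not derived from any identifier."""
    while True:
        code = "P-" + "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        if code not in used:
            used.add(code)
            return code


def deidentify(rows, id_key="university_id"):
    """Split rows into (research_rows, master_list).

    research_rows carry only the random code plus non-identifying fields;
    master_list maps code -> identifiers and must be stored separately.
    """
    used, code_for, research_rows, master_list = set(), {}, [], []
    for row in rows:
        person = row[id_key].strip().lower()
        if person not in code_for:  # a returning participant keeps the same code
            code_for[person] = new_code(used)
            entry = {"code": code_for[person]}
            entry.update({f: row[f] for f in IDENTIFIER_FIELDS if f in row})
            master_list.append(entry)
        clean = {"code": code_for[person]}
        clean.update({k: v for k, v in row.items() if k not in IDENTIFIER_FIELDS})
        research_rows.append(clean)
    return research_rows, master_list


# Constructed sample data, not real participants.
SAMPLE_CSV = """name,university_id,email,age_group,score
Alex Doe,100001,alex@example.edu,18-24,42
Sam Roe,100002,sam@example.edu,25-34,37
Alex Doe,100001,alex@example.edu,18-24,45
"""

if __name__ == "__main__":
    rows = list(csv.DictReader(io.StringIO(SAMPLE_CSV)))
    research, master = deidentify(rows)
    print(research)
    print(master)  # write this to a different, encrypted location
```

Write the two outputs to different storage locations, with the master list encrypted. Fields left in the research data, such as age group, can still be identifying in small samples.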

For questions or concerns, please contact the Office of Research Integrity for further assistance.