Privacy Protection

It is the responsibility of the person submitting the request for review to ensure that the research data are collected, stored, transmitted, and shared in the most secure manner possible, and to communicate the privacy protection plan in the IRB Request for Review document. Researchers must also address the risk of reidentification and data breaches in the consent process.

Definitions to keep in mind

Anonymous data are data that cannot be traced to the person providing them and have never had a linked identifier associated with them during the research process.

De-identified data are data that researchers, or others, cannot readily connect to the identity of a specific research participant.

Coded data are data in which blatant personal identifiers, such as name or email, have been removed and replaced with a code that is used to connect data points about subjects over time.

Addressing Privacy Protections in Your IRB Submission

The questions below should be addressed, at minimum, when applicable to your research methods.

  • What specific method(s) are you using to collect data from research subjects?
  • How are the collected data recorded?
  • What steps have you taken to de-identify all electronically gathered data?
  • How are recorded data transferred between locations or devices?
  • Where are recorded data stored?
    • Best practice is to never store or transport electronic data on personal devices.
  • Who has access to the spaces and/or devices where data are stored?
  • Are spaces/devices where data are stored for any amount of time locked and password protected?
  • When is data encryption used?
    • Best practice would be to encrypt any non-anonymous data both during storage and transit.
  • How are data transferred between members of the research team?
  • What data are shared outside of the research team?
  • What privacy protections are in place for ensuring that the code for coded data is not accessed by unauthorized people?
  • How will the research team break the connection between the coded data and the code when the connection is no longer needed?

Special considerations for data collected electronically

  • One should assume that data collected electronically are never anonymous due to data stored by the software provider, such as IP addresses, during the data collection process.
  • One should assume that the use of software provided by a third party, such as Survey Monkey, gives the software provider access to the data collected.
  • It is important to communicate to prospective research subjects, in the consent process, the risk of data breach by the software vendor and other computer-related harms that may be a risk (hacking, phishing, breach, lack of appropriate security measures, etc., as among those risks encountered in daily life).
  • If you are describing your data as anonymously collected, your IRB request for review should provide supporting evidence for how anonymity is secured.
  • Qualtrics and other survey programs may have features or functionality that anonymize responses.

In Qualtrics, the following steps will unlink a survey from a respondent:

  1. Use the “anonymize responses” setting in the survey termination section of the Survey Options menu, and
  2. Distribute the survey via the “anonymous link” option; any other distribution method has the potential to create a link.
  • The survey creator may use the “Prevent Ballot Box Stuffing” option. This option does not record computer-specific information; it puts a cookie into that browser on that computer that then prevents that browser on that computer from completing a second survey.
  • It is possible to keep survey data unlinked to respondents and offer a reward or raffle that requires an email address. This is done by creating a second survey that the first survey redirects to upon completion; the raffle/reward data are entered into the second survey.
    • You must store the emails of those who opt in to the reward in a separate location from the survey responses in order to ensure that there is no unintentional linking of data.