Electronic Data Security

We offer our thanks to the University of Pittsburgh for its generous contribution to this guidance.

Introduction

Federal regulations require IRBs to determine the adequacy of provisions to protect the privacy of subjects and to maintain the confidentiality of their data. To meet this requirement, federal regulations require researchers to provide a plan to protect the confidentiality of research data.

Today, the majority of data is collected, transmitted or stored electronically at some point. UCSF offers a wide range of information technology services for all faculty, staff and students to safeguard this data.

Read the guidance below and develop standard best practices for managing electronic data by collaborating with your school, department or center IT staff, who have the expertise to evaluate the security methods most appropriate for the sensitivity of the research data. These best practices will need to adapt as technology evolves, so review this page and the Information Technology site on a regular basis.

Policies, Guidance and Laws

All investigators and research staff should be familiar with information security policies and procedures of their department or unit, UCSF and the University of California, the state of California laws and federal privacy laws. In addition, because research is now a global enterprise, you should understand the international laws or regulations that may apply when conducting research outside the United States.

Below are policies, guidelines and laws of note. This is by no means a complete list.

  • UCSF Information Security Policies and Guidelines
  • UCSF Administrative Policy 650-16, under which each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control.
  • UCSF Minimum Security Standards for Electronic Information Resources
  • UC Office of the President policies and guidelines
  • California Law AB 1298, which requires that residents be notified when their electronic medical information or health insurance information has been exposed. The costs of notification can be significant and departments may be at risk for notification costs if identifiable medical data are lost, stolen or otherwise exposed.
  • HIPAA, a federal law designed to protect health information privacy.
  • Children’s Online Privacy Protection Act (COPPA), which applies to the online collection of personal information from children under the age of 13. This Act requires websites to display a privacy policy, obtain verifiable parental consent, and disclose how the information will be used. It is important that researchers who plan to collect data from children online carefully review the provisions of the Act and contact the UCSF Office of Legal Affairs with any questions. It is the responsibility of the researcher to ensure they are fully compliant with the COPPA regulation.

Assessing the Data Security Methods Needed

In the IRB application, you must address issues related to subject privacy and confidentiality, HIPAA and information security. Based on the type of data involved in the study, the IRB is required to 1) assess potential risks to participants, and 2) evaluate the researchers’ plan to minimize risks. The researcher has the responsibility to mitigate the risk of improper disclosure.

  • Is sensitive information being collected that could result in harm to participants?
  • What is the risk of harm to the subject or others?
  • Have you consulted with information security experts to make sure your research and/or clinical data are secure from both physical and electronic theft?

1. Do not collect any subject identifiers you do not need.

2. Remove/destroy subject identifiers as soon as they are no longer needed, subject to UCOP guidance on records retention.

3. Restrict physical access* to any area or computer system that contain subject identifiers.

4. Restrict electronic access* to any computer system that contains subject identifiers.

5. Subject identifiers should never be stored on laptops, PDAs, flash drives or other portable devices. If portable devices must be used for the initial collection of subject identifiers, the data files must be encrypted*, and the identifiers must be transferred to a secure system as soon as possible.

6. Subject identifiers must be removed from data files, and must be encrypted if stored electronically. Identifiers must be stored in a physically separate and secure location from the data files, and associated with data files through a code that is also stored in a separate and secure location.

7. If subject identifiers must be retained in the data files because of the specific needs of the research study, additional explanation must be provided by investigators to justify such retention. If the data are electronic, the information must be encrypted during storage and decrypted only during the limited time it is needed for matching or other similar purposes. Exceptions may be made for databases that serve both research and clinical purposes, but in these cases the server must be configured to comply with Medical Center Information Security policies.

8. Subject identifiers transmitted over public networks must be encrypted.

9. Subject identifiers and contact information may not be distributed outside of UCSF without the specific informed consent of the subjects, and approval by the IRB.

10. All collaborating investigators at UCSF and at other institutions must comply with these standards.

* This is a UCSF policy (Administrative Policy 650-16). Consult with information security experts for specific advice on controlling access and also see the IT Encryption Solutions.
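Standards 6 and 7 above describe a concrete data-handling pattern: identifiers leave the study data file, each subject is linked to their data only through a code, and the code-to-identifier linkage is kept encrypted in a separate location and decrypted only for the brief matching step. The following Go program is an added illustration of that pattern and is not code from UCSF or this guidance; the record layout, the 8-byte random code, and the use of AES-256-GCM for the linkage are this example's own choices, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

type Raw struct{ Name, MRN, Visit string; Score int } // constructed collection record
type Study struct{ Code, Visit string; Score int }   // what stays in the working data file
type Ident struct{ Name, MRN string }                // held only in the encrypted linkage

// Split assigns one random code per MRN (repeat visits share it) and returns
// the de-identified records plus the code->identifier linkage table.
func Split(raw []Raw) ([]Study, map[string]Ident) {
	link, byMRN := map[string]Ident{}, map[string]string{}
	var out []Study
	for _, r := range raw {
		code, seen := byMRN[r.MRN]
		if !seen {
			b := make([]byte, 8)
			rand.Read(b) // random, not derived from identifiers, so the code reveals nothing
			code = hex.EncodeToString(b)
			byMRN[r.MRN], link[code] = code, Ident{r.Name, r.MRN}
		}
		out = append(out, Study{code, r.Visit, r.Score})
	}
	return out, link
}

// LinkageCipher builds the AES-256-GCM cipher; the 32-byte key comes from key
// management and is never stored with the data file or the sealed linkage.
func LinkageCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the linkage for storage away from the data file; nonce prepended.
func Seal(g cipher.AEAD, link map[string]Ident) []byte {
	plain, _ := json.Marshal(link) // map[string]Ident always marshals
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plain, nil)
}

// Open decrypts the linkage for the matching step only; a wrong key or any
// tampering fails GCM authentication and returns an error instead of data.
func Open(g cipher.AEAD, sealed []byte) (map[string]Ident, error) {
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed linkage too short")
	}
	plain, err := g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	var link map[string]Ident
	return link, json.Unmarshal(plain, &link)
}

func main() {
	key := make([]byte, 32) // demo key; in practice supplied by IT key management
	rand.Read(key)
	g, _ := LinkageCipher(key)
	study, link := Split([]Raw{{"Ann Example", "MRN0001", "baseline", 12}})
	fmt.Printf("data file: %+v\nsealed linkage: %d bytes\n", study, len(Seal(g, link)))
}
```

The working data file never holds a name or MRN, and the sealed linkage is useless without the key, which is why the standards require the key and the linkage to live apart from the data.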

  • Encryption of data on device to protect against loss/theft of device
  • Strong passwords to protect against unauthorized access
  • Store data behind a secure UCSF firewall whenever possible
  • Ensure strong data security controls on all storage sites
  • Routinely and regularly review and update data security procedures

Research team meetings should include discussions about topics including, but not limited to, the following:

  • Software on computers to protect against malware
  • Data security to ensure all software updates and patches are being applied
  • Data collection, transmission and storage methods employed
  • Data collected is only that data necessary to answer the research question
  • Codes are not stored with the corresponding de-identified data
  • Encryption methods are being used on all portable devices (laptops, mobile devices and removable storage)

Methods for Securing Data

You have a responsibility to be a good data steward. Simply password-protecting a computer may not be sufficient to meet the rigorous security standards mandated by the University and/or sponsors. The University offers extensive security solutions that can benefit researchers, some of which are described below. 

Encryption

Encryption protects data by encoding information so that only authorized parties may read it. You need to encrypt all of your electronic devices (e.g., laptops, iPads, cell phones, etc.) — whether UCSF-owned or personal — if they are used for any UCSF purpose or to access any UCSF information. See more information about device encryption.

IT Encryption Solutions are available to the UCSF community to deploy proper encryption with appropriate key management.

OnCore

The Online Collaborative Research (OnCore) environment is a free, comprehensive clinical research data capture system in use at UCSF. There are three components of OnCore designed to meet investigator and program needs:

  1. Clinical research management
  2. Biospecimen management
  3. Unified registries management

All subject information contained in OnCore is strictly confidential and treated as Protected Health Information, as defined in 45 CFR 164.501 (HIPAA Privacy Rule). Data entered into OnCore is stored behind university firewalls in a secure Oracle database.

MyResearch

MyResearch was created to provide UCSF research teams with a professionally managed, secure, web-based, collaborative environment in which to store files containing sensitive data. It provides application and database services that allow investigators to view, manipulate and save their data entirely in this protected environment without requiring files to be stored on their own computers. Applications such as SAS or Excel run on the MyResearch servers in a secure data center, but they appear as if they are running locally on the user’s computer.

OneDrive

OneDrive and SharePoint provide secure cloud storage and collaboration tools. Microsoft Office apps save files to OneDrive for personal storage and SharePoint for Teams file sharing by default. Users can directly manage access permissions on their files and folders, including the ability to create open links to share documents externally without restrictions.

UCSF Secure Box

UCSF Secure Box will allow UCSF Box users to store files that contain Protected Health Information or other restricted data. Each UCSF Box user will get a new secure folder, and restricted data must be stored in the secure folder. Non-UCSF collaborators cannot access the secure folder. Visit the Secure Box page for more info and training.

Survey software

Qualtrics (recommended): Using Qualtrics, you can build, distribute and analyze online surveys — from the very simple to the most complex. Qualtrics can be used to collect and store protected patient and personal data. It is available at no cost to all UCSF faculty, staff and students.

Research Electronic Data Capture (REDCap) (recommended): Web-based system for building and managing research projects, such as surveys and databases. These databases, data entry forms and surveys are intuitive, easy-to-use tools for collecting data, including data validation.

The free tier is approved for electronic consent and provides a self-service electronic data capture platform. Additional support and Part 11 compliance are available in the premium tier.

Access permissions are managed by the users directly, after initial REDCap accounts have been created by the REDCap team.

Other Programs: If you are using other survey software such as Survey Monkey or other programs, that software may first need to undergo a data security review. See the ITS Security Services page.

IP Address Collection: You may wish to collect the IP addresses of survey participants to provide a method of determining whether the user has previously completed the survey. The IRB and some international standards consider IP addresses to be identifiable information. This is important to consider when conducting surveys, especially if the consent process indicates that a participant’s responses will be anonymous.

When using Qualtrics, check the option to anonymize the data collection process and do not collect the IP address. If IP addresses are necessary to the research, include in the consent process that you will be recording this information.

Cloud storage solutions

MyResearch, OnCore, UCSF Secure Box and OneDrive are among the acceptable cloud storage solutions.

Some UCSF faculty and staff use other programs like Dropbox, Google Drive, Salesforce.com, Evernote or Amazon to exchange files with co-workers or collaborators. Using such storage solutions poses a possible liability for official use at UCSF, particularly for research data.

There are potential security risks, export control restrictions and data ownership issues (research data belongs to UCSF, not the researcher).

If you are considering the storage of any data outside of UCSF, working through IT will help you address the following questions.

  • Does the agreement with the vendor stipulate the University owns the data?
  • How will the vendor make the data available in the event of a disaster?
  • What security controls are in place to prevent the inadvertent or malicious disclosure of the data?
  • What happens if a subpoena is issued?
  • Does the vendor have Information Security/Cyber Liability insurance?

Collecting or storing research data using the internet results in additional complexity as one must consider the jurisdictional authority: is it the jurisdiction of the researcher, the location of the study participants, or the location where the data is stored? Data may be collected in one jurisdiction but then stored in another. Researchers need to be aware that there may be differing data security privacy policies. It is important that researchers consider the laws, including international laws and export controls regulations, and if needed have agreements in place to ensure compliance.

Mobile apps

Many researchers are purchasing mobile apps or building their own app to interact with study participants. Seek expert IT review at UCSF.

If you are developing a mobile app or other type of digital health innovation, contact the UCSF Office of Innovation, Technology & Alliances. You may also wish to consult with the Center for Digital Health Innovation at UCSF, which collaborates with innovators from UCSF and beyond to envision, realize and evaluate digital health technologies.

Even if the participant is asked to download a free app or provided funds for the download, the researcher is still responsible for disclosing potential risks. It is possible that the app the participant downloaded will capture other data stored or linked to the phone on which it is installed (e.g., contact list, GPS information, access to other applications such as Facebook). The researcher has the responsibility to understand known or potential risks and convey them to the study participant.

Commercially available apps publish “terms of service” that detail how app data will be used by the vendor and/or shared with third-parties. It is the researcher’s responsibility to understand these terms, relay that information to participants and monitor said terms for updates. Additionally, it is important that the researcher collect from the app only the minimum data necessary to answer the research questions.

Data transmission

The process of transmitting data is often overlooked as a risk. The plan to protect confidentiality should describe the methods to protect the data during collection and sharing both internally and externally to the University. It is advisable to utilize a secure transmission process even if the data is anonymous, coded or non-sensitive information. If the research team develops a best practice on using a secure data transmission process, then it is less likely a data breach will occur. 

Email notifications are generally not secure and should generally not be used to share or transmit research data. See more information on sending secure email at UCSF. Text messages are stored by the telecommunications provider and therefore are not secure.

Securing paper records

This guidance focuses on methods for securing electronic data, but you must also safeguard paper research records.

  • Keep data in a locked file cabinet in a locked office or suite
  • Code data and keep the key in a separate and secure location

Consent Forms and Permission to Share Data/Information

Data or information* that will be shared with others requires additional oversight to uphold the privacy of the research participant and the confidentiality of their data. If study data will be shared outside the research team, it is important that you obtain the appropriate consent from study participants.

In the past, many consent documents had language that limited sharing of the data more so than was necessary or intended. It is important to think about future data use and to tailor the consent language and permissions to meet your future data sharing needs.

Some researchers may request permission to share identifiable data, but the majority will be sharing de-identified data. Many sponsors, including federal agencies, require data sharing as a condition of funding, and this must be reflected in the consent document and in the consent process (discussion). This includes the acknowledgement of the data sharing practices and the possible risk of re-identification when applicable. One should never guarantee that de-identified data cannot be relinked and the participant’s identity subsequently disclosed. As technology evolves, so does the potential risk of re-identification.

UCSF generally does not allow the disclosure of identifiable data outside of UCSF Health or UCSF Campus without the participant’s explicit consent and, when applicable, HIPAA authorization. The IRB will not approve waivers of consent or HIPAA authorization for sharing identifiable data except under extraordinary circumstances. Additionally, sharing identifiable data with external entities might require review by the IT Governance Committee on Enterprise Information & Analytics, which may disallow the disclosure regardless of any IRB approvals. 

“Disclosure” or “data sharing” may include, but is not limited to, sharing individual-level data or information under any of the following circumstances:

  • Sharing with non-UCSF researchers
  • Sharing with research sponsors or funding agencies
  • Sharing with regulatory agencies
  • Exposing UCSF data to external electronic systems, algorithms, artificial intelligence applications, generative AI tools, or any other external environment that might store or manipulate the data in any way.
  • Submitting data to research registries or repositories

Sharing participant data/information with industry sponsors

UCSF almost never allows the disclosure of identifiable data/information to industry sponsors or other commercial entities, even with participant consent, with the following exceptions:

  • Viewing (but not retaining) identifiable data for safety or compliance monitoring purposes.
  • Sharing patient data with device manufacturers for possible recall tracking purposes.
  • Other safety requirements as deemed appropriate by the IRB and UCSF.
  • Other disclosures as required by law.

In most circumstances, industry sponsors will neither expect nor desire identifiable data.

Using participant data/information for future research

The UCSF IRB can generally approve future research use of de-identified data as long as such use is not inconsistent with the original signed consent form. If the original consent form prohibited or placed limits on future use of the data, the IRB may require participants to provide additional consent for the future use. Including the UCSF IRB consent form language regarding future use of de-identified information and biospecimens satisfies the IRB’s requirements to use and share the information and biospecimens outside UCSF. Future research use of identifiable data generally requires reconsenting participants. 

Sharing participant data/information with research repositories or registries

For NIH funded research studies, please refer to the HRPP webpage on the NIH Data Management and Sharing Policy for information about sharing participant data with research repositories or registries. 

For all other studies, inclusion of the UCSF IRB standard sharing language in the consent form satisfies the IRB’s requirements to allow depositing de-identified information in a repository or registry.

See the consent form templates and the Consent Form Guidelines and Suggested Wording page for suggested language.

*The terms “data” and “information” are used interchangeably throughout this guidance.

Data Security Risk Assessment and Data Transfer Agreement

A Data Security Risk Assessment by UCSF IT Security & Policy AND a Data Transfer Agreement by the Office of Sponsored Research (OSR -- Industry Contracts Division) must be completed if your study involves the collection, transmission or storage of information that will be shared with or be accessible to any non-UCSF entity (e.g., pharmaceutical companies, UCSF Affiliated Institutions) or individual. This includes the use of third-party or vendor-hosted applications. UCSF or department-hosted applications may also need to be assessed in accordance with UCOP Policy IS-3 Electronic Information Security, particularly if they are new applications or have never been reviewed by UCSF IT Security & Policy.

  • Third-party or vendor-hosted applications include cloud-hosted applications and applications hosted by collaborating institutions
  • UCSF or department-hosted applications include any application managed by UCSF or developed by the department

These requirements apply for both identifiable and de-identified data for funded and unfunded research. Questions about these policies must be directed to UCSF IT and OSR, not to the IRB. 

Training

The PI is responsible for ensuring that research data is secure when it is collected, stored, transmitted or shared. All members of the research team should receive appropriate training about securing research data and discuss data security regularly at research team meetings. For example, the research team should understand they need to document their standard practices for protecting research data so that they can provide these details to the IRB, the Privacy Office, IT, etc. if a mobile device is lost or stolen.

The IT Security Awareness and Training program provides programs to educate UCSF faculty, staff and students on the risks associated with using, transmitting, and storing electronic information; how to maintain the confidentiality, integrity, and availability of data; and the roles and responsibilities of each community member in protecting UCSF's data and systems.

National Institutes of Health (NIH) Grants

The NIH has specific requirements about ensuring data security when collecting identifiable research data in section 2.3.12 Protecting Sensitive Data and Information in Research.

The NIH also instituted the Genomic Data Sharing (GDS) Policy to promote sharing, for research purposes, of large-scale human and non-human genomic data generated from NIH-funded research. The policy requires investigators to incorporate a genomic data sharing plan in the "resource sharing" section of their application. More information is available here.

Last updated: April 11, 2024