Improved Data Security via Collaboration Between the Information Security Office and the IRB

Description of the Research
Prior to 2012, the staff of the IRB and the ISO did not collaborate to review protocols. The IRB simply provided researchers with links to the institutional policies that they were required to follow. In late 2013, the IRB staff contacted the ISO for help in reviewing a protocol involving an app that would include identifiable health information. This protocol launched further communication between the offices to systemize the process of protocol review. The IRB office appreciated the expertise of the ISO, and the ISO in turn was grateful to have a connection to the researchers. Both offices determined it would be beneficial for the ISO staff to pre-review certain protocols that might pose a greater security risk.

Stumbling Blocks

  • Offices spoke two different languages.
  • ISO not staffed to review all protocols.

Determined we needed to:

  • Develop criteria to determine which protocols would be reviewed by the ISO.
  • Determine what questions to ask.
  • Negotiate the level of detail in protocol questions regarding data collection, storage, transfer, and analysis and agree upon turnaround times for review.

Step One
Write a question that would determine which protocols would be reviewed by the ISO.

Will you do any of the following in this study?

  • Collect identifiable data onto an individual use device
  • Collect or store identifiable data in a web-based format via a non-institution server. The only exception is sharing or storing of data by a sponsor or Contract Research Organization in which data will be sent and stored in an encrypted fashion.
  • Store identifiable data on the Cloud
  • Store identifiable data onto a server managed by the principal investigator’s department or school
  • Store identifiable data onto a server managed by Information Technology Services

Step Two
Write new questions into the protocol to obtain the information needed by the ISO to review the security measures of the protocol. Presenters will share specific questions from the protocol with the poster.

Lessons learned

  • Developing this process was long and complicated.
  • Communication has been opened between researchers, ISO staff, and IRB staff.
  • The IRB staff and researchers now have a better understanding of the institutional requirements for securing information.
  • We now have the assurance that data is better protected.

Using this information as a guide, other institutions may work to implement similar processes at their institution.