Data collected as part of research is property of the institution (e.g. UF). The institution pays you (or in the case of a student permits you) to produce the work and as a result the work/data is the institution's property. As such researchers may not remove, copy, or destroy the data without explicit written permission from the institution. For example, if a researcher leaves the university you cannot take a copy of the data unless you obtain written permission from the institution.
At UF this policy is formalized in the Intellectual Property Policy (http://research.ufl.edu/otl/pdf/ipp.pdf ). Contact the Office of Technology and Licensing (OTL) and your Department Chair in order to receive written permission to take a copy of any data.
The VA specifies this in the VHA Handbook 1200.5, 10.i (http://www.va.gov/vhapublications/ViewPublication.asp?pub_ID=2326). Contact the VA Research Service Administration to receive written permission to take a copy of any data.
Data/record security is critical. You should insure that all hard copy and electronic data is securely stored to prevent unauthorized access, disclosure, or loss. Hard copy records should be stored in a manner that limits access to only authorized individuals. For example, filing cabinets/areas should be locked and placed in secured/locked rooms.
Electronic data should be saved on a device that has the appropriate security safeguards such as unique identification of authorized users, password protection, encryption, automated operating system patch (bug fix) management, anti-virus controls, firewall configuration, and scheduled and automatic backups to protect against data loss or theft (http://security.health.ufl.edu/images/posters/posters.pdf). Researchers possess a strong sense of ownership for their data and consequently often manage their own computers. Security controls necessary for computers can be very intimidating or bothersome, but we know that no one wants to be in the same position as this well-intended researcher:
Names, addresses and SSNs of 600,000 citizens from the state of California were exposed to a hacker who hacked a researcher-in-residence’s computer at UC Berkeley. http://msnbc.msn.com/id/6328575/
Laptops, Personal Digital Assistants, removable hard drives, “jump” or “thumb” drives, CDs, DVDs and other portable devices and removable media are very convenient to ensure your data is always at your fingertips. External hard drives are a cost effective and convenient way to back up your data. However all of these devices require encryption solutions if used to store Restricted or Sensitive data (e.g. identifiable health information). If you need help understanding why, read on:
Names, addresses, medical record numbers and SSNs of 130,000 patients went missing when a hospital employee’s “thumb drive” (small storage drive the size of a pack of gum that plugs into a computer’s USB port) went missing. The records could be read by Adobe Acrobat Reader and were not encrypted. http://starbulletin.com/2005/10/21/news/story05.html
The UF HSC Security Program for the Information and Computing Environment (SPICE) has created and identified several resources to help you secure your research computers. You can discover all of the resources available from the UF HSC SPICE web page for Researchers here: http://security.health.ufl.edu/faculty_researcher/index.shtml. More specifically:
All HSC departments have an Information Security Administrator (ISA) and an Information Security Manager (ISM) who are familiar with the security rules and resources available. Find your Unit ISA and ISM by browsing here: https://security.health.ufl.edu/faculty_researcher/find.php
The HSC has published user friendly and readable one page security guidelines (SPICE EduGuides) on specific Security topics like Laptop, PDA, Removable Media, Password, Malicious Software Prevention and others: http://security.health.ufl.edu/faculty_researcher/training.shtml#EduGuides
In addition, for those researchers who manage their own servers, more technically oriented security material is available on the UF HSC security web site. See the ‘Host Security’ and ‘Portable Device and Removable Media’ training presentations here: http://security.health.ufl.edu/isa_ism/training.shtml
Lastly, the VA also has additional, strict information security standards, such as prohibiting the use of any USB memory devices (you may not use external hard drives or jump drives, even if encrypted).
There are multiple federal regulations that impact your ability to release data outside your institution (to a sponsor, to another researcher, etc). There are a variety of factors that determine whether or not the release is permissible.
- Is there a consent/authorization? If so, what did the research subject consent to/authorize?
- Is the data that you wish to release unequivocally anonymous, or is it possible to trace the data back to the subject? HIPAA standards apply, so dates, diagonsis, location (e.g. Shands @ UF), etc may make the data identifiable.
- If data was obtained under an IRB approved waiver are you tracking disclosures of PHI per HIPAA regulations?
There are a variety of very serious factors that impact your ability to release data to outside parties. You should contact the IRB prior to proceeding with a release of data UNLESS (a) your subject signed an IRB approved consent document with HIPAA compliant authorization language that clearly details what information will be collected, used, and disclosed and (b) the outside party is specified in the document.
Lastly, once you have met the regulatory requirement for how long you must retain records for completed research you cannot destroy any records/data until you comply with the institutional requirements for data destruction.
UF's Records Management office requirements:
VA Research Service Administration
(352) 376-1611 X6069
Disposal of Protected Health Information (PHI)
UF Privacy Office Retention, Archiving, & Disposal of Patient Information
- Record Inventory Log (Form)
- Record Destruction Log(Form)
- UF Records Disposition Request (Form)