{"id":31612,"date":"2025-02-01T14:48:34","date_gmt":"2025-02-01T18:48:34","guid":{"rendered":"https:\/\/www.bu.edu\/research\/?page_id=31612"},"modified":"2026-05-11T12:52:31","modified_gmt":"2026-05-11T16:52:31","slug":"data-security","status":"publish","type":"page","link":"https:\/\/www.bu.edu\/research\/ethics-compliance\/human-subjects\/data-security\/","title":{"rendered":"Data Security in Human Subjects Research"},"content":{"rendered":"<h2 id=\"purpose\">Purpose<\/h2>\n<p>The purpose of this guidance is to provide general considerations for managing data security in human subjects research reviewed and approved by the Charles River Campus IRB.<\/p>\n<h2 id=\"data-security-requirements\">Data Security Requirements<\/h2>\n<p>University Data is information generated by, owned by, or otherwise in the possession of Boston University that is related to the University\u2019s activities, including research data. University Research data is subject to BU\u2019s <a href=\"https:\/\/www.bu.edu\/policies\/data-protection-standards\/\">Data Protection Standards<\/a>. 
Under the University\u2019s <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/\">Data Classification Policy<\/a>, data are categorized as <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/#public\">Public<\/a>, <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/#internal\">Internal<\/a>, <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/#confidential\">Confidential<\/a> or <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/#restricteduse\">Restricted Use<\/a> with varying <a href=\"http:\/\/www.bu.edu\/policies\/data-protection-standards\/\">standards for protection<\/a> that must be applied.<\/p>\n<h2 id=\"researcher-responsibilities\">Researcher Responsibilities<\/h2>\n<ul>\n<li>Researchers who collect or utilize research data are responsible for accessing, storing, transferring and processing data on systems that have appropriate security measures for the classification of data being used.<\/li>\n<li>Researchers should itemize the kinds of data being collected and\/or utilized as part of their research and determine what level of security is needed for their data.<\/li>\n<li>Researchers should consult with IS&amp;T and\/or their local IT support groups to determine the best way to access, store, and use their data, particularly for data categorized as confidential or restricted use.<\/li>\n<\/ul>\n<h2 id=\"examples-of-research-data-and-corresponding-bu-data-classification\">Examples of Research Data and Corresponding BU Data Classification<\/h2>\n<ul>\n<li>While most research data at BU are not subject to the HIPAA Privacy Rule, the HIPAA <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/privacy\/special-topics\/de-identification\/index.html\">de-identification standard <\/a>(removal of 18 data elements \u2013 e.g. email addresses, phone numbers, birth dates, zip codes, etc.) is still the gold standard. 
When data are deidentified in the manner of the HIPAA Privacy Rule, there are no specific requirements for platform-use at BU, as the data are categorized as <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/#public\">Public<\/a>.<\/li>\n<li>Similarly under the HIPAA Privacy Rule are data that are considered <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/special-topics\/emergency-preparedness\/limited-data-set\/index.html\">Limited Data Sets<\/a>, meaning, they contain protected health information<a href=\"https:\/\/www.bu.edu\/research\/ethics-compliance\/human-subjects\/data-security\/#1\">*<\/a> that excludes direct identifiers, effectively anonymizing data by limiting the elements to dates, cities and zip codes. When BU data are anonymized in the manner of the HIPAA Limited Data Set standard, the BU Shared Computing Cluster, BU Office 365 applications, BU REDCap or Qualtrics, BU Network Drives (NAS1), BU Google apps and others may be used, as these data are categorized as <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/#confidential\">Confidential<\/a>. <strong>NOTE: BU Google apps <span style=\"color: #ff0000;\">cannot<\/span> be used for Limited Data Sets under HIPAA<\/strong>, as the data are typically provided by HIPAA Covered Entities, such as hospitals, health clinics, health insurers, the MA Department of Public Health, etc. Limited Data Sets from HIPAA Covered Entities require the execution of data use agreements (DUAs). 
For more information on DUAs, please contact <a href=\"https:\/\/www.bu.edu\/researchsupport\/forms-policies\/data-use-agreement-form\/\">BU\u2019s Corporate Research &amp; Contracting office<\/a>.<\/li>\n<li>The research is health-related<a href=\"https:\/\/www.bu.edu\/research\/ethics-compliance\/human-subjects\/data-security\/#1\">*<\/a> and includes some personally identifiable information such as email addresses, phone numbers, facial images in pictures\/videos (even if there is no name associated with the image), etc. In this case, BU Restricted Use network drive (nas-RU1 or BUMC Y Drive); BU Office365 apps, such as SharePoint, OneDrive, Teams; BU REDCap or Qualtrics and others may be used, as this data is categorized as <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/#restricteduse\">Restricted Use<\/a>. Note, however, that if the research is not health-related (e.g., amount of texts sent\/day) it is classified as <a href=\"https:\/\/www.bu.edu\/policies\/data-classification-policy\/#confidential\">Confidential<\/a> even when identifiable information is included.<\/li>\n<\/ul>\n<h2 id=\"considerations-for-irb-applications\">Considerations for IRB Applications<\/h2>\n<p>As part of the IRB\u2019s role in protecting the rights and welfare of human subjects, researchers must identify which electronic platforms, data transfer methods, data\/document storage plans, etc. are being proposed in the research. This information can be documented in the Confidentiality of Data section of the IRB application. <a href=\"https:\/\/www.bu.edu\/tech\/support\/information-security\/security-for-researchers\/dua-security-language\/\">BU\u2019s InfoSec<\/a> has provided sample language that can be used in the Confidentiality of Data section of the IRB application.<\/p>\n<p>Researchers are encouraged to consult with IS&amp;T on the use of third-party data collection, storage or analysis applications proposed for their research. 
Providing the IRB with correspondence with BU IS&amp;T verifying the appropriateness of novel or third-party applications can facilitate the IRB\u2019s review of the Confidentiality of Data plan.<\/p>\n<h2 id=\"faqs-answered-by-bu-s-information-security\">FAQs, Answered By BU&#8217;s Information Security<\/h2>\n<h3 id=\"data-storage-security-questions\">Data Storage &amp; Security Questions<\/h3>\n<ul><\/ul>\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h4 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">I have completed my research study and need to save the data for 7 years. How do I do this?<\/h4><div class=\"bu_collapsible_section\" style=\"display: none;\">The purpose of the 7-year retention requirement for research data is both to (1) comply with a federal requirement and (2) enable the University to respond to litigation\/legal\/subpoena requests. As such, the data should be maintained at BU.  BU\u2019s IS&amp;T offers storage for archiving <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/#confidential\">Confidential<\/a> and <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/#restricteduse\">Restricted Use<\/a> data. Please refer to <a href=\"https:\/\/www.bu.edu\/tech\/support\/storage-options\/\">their website here<\/a>, for more information.<\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h4 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">I want to store my data on a password-protected computer that will be stored in a locked office, but someone mentioned BU requires encryption as well. 
Is that true?<\/h4><div class=\"bu_collapsible_section\" style=\"display: none;\">Yes, the <a href=\"http:\/\/www.bu.edu\/policies\/data-protection-standards\/\">BU Data Protection Standards<\/a> require encryption for all non-Public data, including <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/#confidential\">Confidential<\/a> and <a href=\"http:\/\/www.bu.edu\/policies\/data-classification-policy\/#restricteduse\">Restricted Use<\/a> data, even when a computer or device is stored in a locked office.<\/div>\n<\/div>\n\n<ul><\/ul>\n<h3 id=\"data-transfer-communications-questions\">Data Transfer &amp; Communications Questions<\/h3>\n<ul><\/ul>\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h4 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">As part of my field research, I am recording interviews using my cell phone and uploading to the BU networked shared drive. However, my collaborators do not have access to the BU networked shared drive and wish to text me audio recordings of interviews they have collected. Is there a better way to handle this?<\/h4><div class=\"bu_collapsible_section\" style=\"display: none;\">Consult with IS&amp;T for the latest recommendations; however, most recently they have recommended researchers use BU Office365 OneDrive folders for data transfer. The OneDrive folder can then be shared with collaborators using their professional email account (personal addresses should not be used). 
Collaborators can download the OneDrive app to their phones.<\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h4 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">What platforms can I use to share health-related* information?<\/h4><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<ul>\n<li>To avoid study staff using their personal cell phones with research participants, BU has a number of recommended options: Study staff can use a BU desk phone, a BU cell phone, or extend a desk phone to a personal device using BU Cisco Webex: <a href=\"https:\/\/www.bu.edu\/tech\/services\/cccs\/phone\/linesequip\/softphone\/\">https:\/\/www.bu.edu\/tech\/services\/cccs\/phone\/linesequip\/softphone\/<\/a>.<\/li>\n<li>BU Microsoft Teams can be used for chatting\/texting or calling (email address) via the Teams app.  Teams is similar to Zoom but has HIPAA compliant recording of video and\/or audio that can be stored and shared on Microsoft Stream.<\/li>\n<li>BU REDCap can be used for sending participant information (such as videos) as well as typical research needs (e.g., consent forms, surveys, reminders, etc.) 
via email or secure text (Twilio).<\/li>\n<li>BU Qualtrics has similar functionality to BU REDCap but does not have as many features.<\/li>\n<\/ul>\n<p><\/div>\n<\/div>\n\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h4 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">What platforms can I use to send appointment updates with <strong>no<\/strong> disclosure of health-related information?<\/h4><div class=\"bu_collapsible_section\" style=\"display: none;\"><\/p>\n<ul>\n<li>BU Microsoft Outlook can be used for scheduling and sending Teams and Zoom invites.<\/li>\n<li>BU cell phones can be used by researchers who are not part of a BU HIPAA component to text appointment information and reminders.<\/li>\n<li>HIPAA Components cannot send text messages because cell phone carriers do not sign HIPAA Business Associate Agreements.  Cell phone carriers become a business associate when they store text messages to or from patients.\n<ul>\n<li>If needed for communicating with transient populations, WhatsApp, Gmail Chat, or iMessage can be used for appointment setting or updating by researchers who are not part of a BU HIPAA Component. However, these apps cannot be used to request or send health-related<a href=\"https:\/\/www.bu.edu\/research\/ethics-compliance\/human-subjects\/data-security\/#1\">*<\/a> information.  WhatsApp is a Meta product and while the messages are sent with encryption, Meta has access to information on phones that use their products. Companies such as Meta, Google, and Apple use and share information about their users. 
For this reason, a study should not require use of these apps unless the Consent outlines how data is collected and shared by the company with third party companies<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><\/div>\n<\/div>\n\n<ul><\/ul>\n<h3 id=\"consent-participants-remotely\">Consent Participants Remotely<\/h3>\n<ul><\/ul>\n<div class=\"bu_collapsible_container \" aria-live=\"polite\" data-customize-animation=\"false\"><h4 class=\"bu_collapsible\" aria-expanded=\"false\"tabindex=\"0\" role=\"button\">I would like to use Google Forms to consent participants. Is that OK?<\/h4><div class=\"bu_collapsible_section\" style=\"display: none;\">If you are <strong>not<\/strong> conducting health-related<a href=\"https:\/\/www.bu.edu\/research\/ethics-compliance\/human-subjects\/data-security\/#1\">*<\/a> research, Google Forms may be OK to use. However, if you are conducting health-related research we suggest using a BU Microsoft app, such as Forms.  Forms can be hosted on a BU website and only the administrators can see the responses. Other Restricted Use\/HIPAA compliant options include collecting participant consent using BU Qualtrics or BU REDCap.  Please note, BU\u2019s REDCap can be used for FDA (21 C.F.R. Part 11) compliance, but additional requirements need to be implemented. Send an email to <a href=\"mailto:rchelp@bu.edu\">rchelp@bu.edu<\/a> to start the process.<\/div>\n<\/div>\n\n<h2 id=\"additional-resources\">Additional Resources<\/h2>\n<ul>\n<li><a href=\"http:\/\/www.bu.edu\/tech\/services\/security\/\">BU IS&amp;T<\/a> offers a wide range of services to ensure the security of Boston University\u2019s information and technology resources. 
Researchers are encouraged to consult with IS&amp;T<\/li>\n<li><a href=\"https:\/\/www.bu.edu\/tech\/support\/information-security\/security-for-researchers\/\">BU InfoSec for Researchers page<\/a> provides a list of BU-reviewed and cleared services based on Data Classification<\/li>\n<li><a href=\"https:\/\/www.bu.edu\/tech\/support\/storage-options\/\">Data Storage Options<\/a> offered by IS&amp;T<\/li>\n<li><a href=\"https:\/\/www.bu.edu\/hipaa\/\">BU HIPAA Policy<\/a> outlines how covered components must protect HIPAA data<\/li>\n<li><span> <\/span>Email best practices <a href=\"https:\/\/www.bu.edu\/hipaa\/files\/2021\/11\/Oct-2021-Security-Reminder-Email-Best-Practices.pdf\">security reminder<\/a><\/li>\n<\/ul>\n<p><span>&nbsp;<\/span><\/p>\n<div class=\"important notice\"><div class=\"important-wrap\"><p> *Health-related information is very broad, including stress or anxiety related to school, but does not typically include social engagement, decision making, number of texts sent per day, or educational practices, strategies, or effectiveness. <\/p><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Purpose The purpose of this guidance is to provide general considerations for managing data security in human subjects research reviewed and approved by the Charles River Campus IRB. 
Data Security Requirements University Data is information generated by, owned by, or otherwise in the possession of Boston University that is related to the University\u2019s activities, including [&hellip;]<\/p>\n","protected":false},"author":15731,"featured_media":0,"parent":420,"menu_order":13,"comment_status":"closed","ping_status":"closed","template":"page-templates\/chapter-navigation.php","meta":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/research\/wp-json\/wp\/v2\/pages\/31612"}],"collection":[{"href":"https:\/\/www.bu.edu\/research\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.bu.edu\/research\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/research\/wp-json\/wp\/v2\/users\/15731"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/research\/wp-json\/wp\/v2\/comments?post=31612"}],"version-history":[{"count":35,"href":"https:\/\/www.bu.edu\/research\/wp-json\/wp\/v2\/pages\/31612\/revisions"}],"predecessor-version":[{"id":63104,"href":"https:\/\/www.bu.edu\/research\/wp-json\/wp\/v2\/pages\/31612\/revisions\/63104"}],"up":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/research\/wp-json\/wp\/v2\/pages\/420"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/research\/wp-json\/wp\/v2\/media?parent=31612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}