Data Security & Storage

Data Security & Storage


The following guidelines will help you employ best practices when handling participants' data.

Questions to consider when developing your protocol application include: Where will the data be stored?  Who will have access to the data? Am I storing the data in the safest manner? Could these data be lost?

At the end of a study, what will you do with your data?  You may choose to delete or destroy the data.  An alternative is to de-identify the data and store them securely.

Student PIs should ensure that faculty advisers have access to any data collected as part of student research projects. All data should be fully deidentified or transferred to the faculty adviser's possession prior to student graduation (which is also when IRB approval expires).

Be sure to review the Seattle University Data Privacy Policy (last updated July 2011).

Paper Data, Audio or Video Tapes

Either scan data into an electronic format or storage, or keep in a locked filing cabinet in a secure office. Once data have been transferred to an electronic format, destroy original paper forms (e.g., by shredding), unless keeping original paper copies is required (e.g., by professional standards). 

Once recordings (i.e., video or audio) are transcribed, destroy the recordings as soon as the accuracy and completeness of the transcriptions have been verified. If using recordings as primary data sources and not transcribing them, take extra precautions to secure the recordings, particularly those containing identifiers. Further, retain such recordings at the end of the study as research data.

Electronic Data

  • Limit access to the data to authorized and identified persons.
  • Free versions of Dropbox, Google Docs, or other 3rd-party servers are not secure. Use Dropbox Business, Box, or another secure server that allows encryption.
  • Do not store data solely on portable media, such as electronic recording devices (e.g., cell phones, tablets), thumbdrives, or laptops). While data may be collected and/or transferred using portable devices, transfer such data as soon as possible to a desktop computer and/or back up the data to secure servers or secure cloud storage.
  • Use two-step verification for data, such as putting passwords on individual documents and folders, as well as the storage site.
  • Back up all electronic data frequently to a secure source.
  • If using Qualtrics, monitor closely who has access to the data. When downloading data from Qualtrics, follow the recommendations above.
  • Maintain a distinct separation of data from identifiers. If identifiers are necessary for editing, analysis, etc., delete them from data as soon as possible.

Terms to Know

CODED:  When a researcher replaces identifying information (names, addresses, etc.) with a code involving letters, numbers or some other combination, AND the researcher maintains a separate list with a code key, so that linking the data with the list would reveal an individual's identity and responses.

NON-IDENTIFIABLE DATA / DE-IDENTIFIED: When the researcher does not collect any direct identifiers (name, address, etc.) OR enough indirect identifiers (age, race, gender, etc.) so that a combination could reveal an individual's identity, and when no code exists to link an individual to responses. Or when all potentially identifiable identifiers have been stripped from the data, so that neither the researcher or any other person could re-identify an individual identify in connection with the data.

See also the guidance section on Anonymity, Privacy, and Confidentiality.