The following questions address several of the best practices related to keeping research data secure. Please contact your IT department or Information Security Officer if you have any questions or needs.  

Anonymous Data: Anonymous data are collected in a manner where the identity of the subject cannot be determined by anyone at any time; not even the researcher. There are no links between the data and the individual person and the researcher has no way to re-identify subjects.   

  • Online surveys where IP addresses are recorded or that require a login to access the survey should not be considered anonymous.  
  • Face to face interviews or surveys should not be considered anonymous.  

Confidential Data: Confidential data is not considered anonymous, even if there is only a code number linking identifiers to the data. If re-identification of subjects by the researcher is possible, the data should be treated as confidential and data safety measures must be in place to protect against the unauthorized disclosure of research data.  

Data is considered sensitive when disclosure of identifying information could have adverse consequences for subjects or damage their financial standing, employability, insurability, or reputation. This includes information related to alcohol or drug use, traumatic experiences, child/elder abuse, or illegal behavior, or where disclosure outside of the research study has the potential to place participants at risk of criminal or civil liability or be damaging to their financial standing, employability, educational advancement, or reputation.  

If your project involves the collection of sensitive data, it might not qualify for exempt review. It will depend on whether the disclosure of the information would put subjects at more than minimal risk and if the privacy and confidentiality protections you have in place limit this risk. You will be asked to describe the steps you are taking to limit risk to subjects on the application. Common procedures include:  

  • Allowing subjects to skip questions that make them feel uncomfortable.  
  • Disclosing in the consent form the type of questions that may induce emotional distress, etc. Also, providing a list of resources subjects can utilize should they need further help dealing with their distress.  
  • Providing subjects with a copy of the questions in advance.  
  • Collecting data anonymously OR using pseudonyms so that identifiers are not stored with their data.  
  • Obtaining a Certificate of Confidentiality 
    • If your project involves the collection of sensitive data that could put subjects at risk of criminal or civil liability, you may be asked to obtain a Certificate of Confidentiality (CoC) from NIH. CoCs are issued to protect identifiable research information from forced disclosure. They allow the investigator and others who have access to research records to refuse to disclose identifying information on research participants in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level.   
    • NIH funded researchers are automatically issued a CoC through their award. Other Department of Health and Human Services (HHS) agencies issue CoCs to researchers they fund. Researchers not funded by HHS can continue to apply to NIH or the FDA as appropriate to request a CoC for HHS-mission relevant research.  
    • Researchers must inform participants in the consent document of the protections and limitations of certificates of confidentiality. Typically, this is added to the “Will information about me be kept private?” section of the consent. See our “Example Consent Text for Study-Specific Items” in the templates section of our Researcher Resources page. 

If you submit for exempt review but the study needs to be elevated to expedited or full board review, IRB staff will notify you.  

De-identified Data: Data that have been stripped of all identifying information, with no way to link the data back to an individual through a key or other coding method. Best practice when de-identifying data is to use the safe harbor method, in which all HIPAA identifiers are removed.    

Coded Data: Identifying information (such as name) that would enable the investigator to readily ascertain the identity of the individual to whom the private information or specimens pertain has been replaced with a code (number, letter, symbol, or any combination) and a key to decipher the code exists, enabling linkage of the identifying information to the private information or specimens.  

PHI: Protected health information means individually identifiable health information protected under HIPAA law. The following identifiers are considered PHI:   

  1. Names;  
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.  
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;  
  4. Phone numbers;  
  5. Fax numbers;  
  6. Electronic mail addresses;  
  7. Social Security numbers;  
  8. Medical record numbers;  
  9. Health plan beneficiary numbers;  
  10. Account numbers;  
  11. Certificate/license numbers;   
  12. Vehicle identifiers and serial numbers, including license plate numbers;  
  13. Device identifiers and serial numbers;   
  14. Web Universal Resource Locators (URLs);  
  15. Internet Protocol (IP) address numbers;  
  16. Biometric identifiers, including finger and voice prints;   
  17. Full face photographic images and any comparable images; and   
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)  
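As an added example (not from this page or the University), the safe harbor rules above applied to one constructed record in Python: direct identifiers are dropped, dates are reduced to the year, zip codes are truncated to three digits (or 000 for small-population areas), ages over 89 are bucketed, and the investigator-assigned study code is kept. The field names, the sample record and the small-population zip prefix set are assumptions.

```python
from datetime import date

# Constructed sample record (not real data); the field names are assumptions.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": "1930-04-15",
    "admission_date": "2023-11-02",
    "zip": "10101",
    "ip": "192.0.2.10",
    "diagnosis_code": "E11.9",
    "study_id": "S-0042",  # investigator-assigned code, allowed under item 18
}

# Direct identifiers removed outright (items 1, 4-17 of the list above).
DROP_FIELDS = {"name", "phone", "fax", "email", "ssn", "mrn", "ip", "url"}
# Item 2: 3-digit zip prefixes covering 20,000 or fewer people become "000".
# Constructed placeholder set; a real pipeline loads the current Census table.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

def age_on(dob_iso: str, ref_iso: str) -> int:
    # Age in completed years on the reference date (both ISO YYYY-MM-DD).
    dob, ref = date.fromisoformat(dob_iso), date.fromisoformat(ref_iso)
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))

def generalize_zip(zip_code: str) -> str:
    # Keep the first three digits, or "000" for small-population areas.
    prefix = zip_code.strip()[:3]
    return "000" if prefix in SMALL_POPULATION_ZIP3 else prefix

def deidentify(record: dict, reference_iso: str) -> dict:
    # Apply the safe harbor rules to one record; returns a de-identified copy.
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, reference_iso)
            if age > 89:
                # Item 3: over 89 becomes "90+"; birth year dropped, it reveals age.
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = value[:4]  # item 3: year only
        elif field.endswith("_date"):
            out[field[:-5] + "_year"] = value[:4]  # item 3: year only
        else:
            out[field] = value
    return out
```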

For more information regarding HIPAA and protected health information, see the HIPAA FAQs or HHS website:   

PII: Personally Identifiable Information is any information that can be used to distinguish or trace an individual’s identity. It is distinct from protected health information under HIPAA and includes:  

  • Name  
  • Social security number  
  • Date and place of birth   
  • Mother’s maiden name  
  • Biometric records  
  • Any other information that is linked to an individual, such as medical, educational, financial, and employment information

Visit the UM Data Security website to learn best practices on:  

  • Data Storage  
  • Encryption  
  • Server Administration  
  • Commercial Cloud Services  
  • Desktop/Laptop/Mobile Devices  
  • Portable Media  
  • Travel/Foreign Data Storage  
  • Legal considerations  

The data classification levels (DCL) and associated requirements are key to the entire data classification system (DCS). All data (regardless of format) must be classified to determine what security measures are necessary to adequately protect the University's information assets. Visit the UM Data Classification website to find the DCL definitions and examples of each along with other definitions that may clarify the DCS. 

Approved for DCL4 and below (this includes protected health information - HIPAA, social security numbers, and other highly restricted data)   

  • Microsoft Teams   
  • Microsoft OneDrive   
  • REDCap  
  • Protected Zoom (Protected Version)   

Not Approved for DCL4 (highly restricted) but Approved for DCL3 (restricted) and below (sensitive & public)   

  • Qualtrics   
  • Google Survey   
  • Microsoft Forms/Survey   
  • Unprotected Zoom 

  • STORE PAPER FORMS SECURELY in locked file cabinets when not in use.  
  • USE SECURE STORAGE FOR DETACHABLE MEDIA: Confidential data stored on transportable media such as CDs, DVDs, flash memory devices, or portable external drives must be stored securely in a safe or locked file cabinet.  
  • PROTECT PASSWORDS: Passwords should be difficult to determine and treated as confidential data, never shared or left on slips of paper at workstations or desks.   
  • TRAIN AND MONITOR RESEARCH ASSISTANTS: Principal Investigators must ensure that research assistants and other key personnel are familiar with data safety procedures and practices. 
  • RESTRICT THE USE OF SHARED ACCOUNTS OR GROUP LOGIN IDs: Anyone who has access to confidential research data should have a unique password that personally identifies them before they can access the data.     
  • ACTIVATE LOCK OUT FUNCTIONS FOR SCREEN SAVERS: Computers used for data analysis should be configured to "lock out" after 20 minutes of inactivity.  
  • USE SECURE METHODS OF FILE TRANSFER: The method used to transfer files should reflect the sensitivity level of the data.  Research files with PII or other confidential information should always be compressed and encrypted before they are transferred from one location to another.  Other secure and convenient methods of file transfer include SharePoint and University-supported OneDrive.  
  • USE EFFECTIVE METHODS OF DATA DESTRUCTION: All paper files or CDs with PII should be shredded and any electronic files on memory drives, PCs, laptops and file servers should be permanently deleted.

According to UM policy, research records must be retained for seven (7) years after the final report on the research project has been submitted, then destroyed. Visit the UM Research Records website for more information on this policy. If the study has an executed contract outlining a specific requirement for destruction, that must be followed in lieu of this policy.  

Under certain circumstances, the IRB may require that identifiers be destroyed once they are no longer needed to carry out the research, before the seven-year retention period ends.  

If your study involves audio or video that records sensitive information, you may request the full board approve the destruction of those tapes before the record retention period of seven years following the completion of the study. No research information or recordings can be destroyed before the MU Collected Rules retention period without IRB approval. This is rare, and it is expected all recordings are maintained for inspection.  

Any record that is determined to be a University Record is property of the University of Missouri. This includes research records created, developed, or otherwise maintained under the auspices of employment, contract, or grant with the University. Original research records must remain at the University even if the researcher has left the institution. The researcher’s department must provide a means of securing and storing the research records in connection with all applicable rules relating to this and Records Management policies. A researcher may, however, make copies of the original research records to take with them if they leave the institution for continued analysis and future research. This applies to student-led research projects as well.