Researchers must adhere to the highest standards for protecting subjects’ privacy and the confidentiality of the information they provide. At minimum, researchers must comply with the following:
- Only individuals specifically mentioned in the COUHES application may access data with personal identifiers, and they may only do so in ways described in the COUHES application itself.
- Any information that contains identifiers must be kept encrypted. Except under extraordinary circumstances, no more than 12 hours may elapse between the collection of information and its encryption. During that interval, any information that contains identifiers or whose release could result in harm to subjects must be kept in a locked bag or carrying case.
- If the unauthorized access of data could result in harm to subjects, the vessels containing the data (e.g., computers, file cases, CDs, etc.) must also be locked.
- Any security breaches, violations of protocols regarding access to the information collected, or situations where information might have been accessed without the researcher’s permission must be reported to COUHES orally or by email within 10 working days. Depending on the nature of the incident, COUHES may require that the researcher contact subjects in the study.
- If unauthorized release of data could result in harm to subjects, researchers must notify COUHES either orally or by email within 48 hours. If the prospect of harm is imminent, researchers must also notify all subjects who might be harmed within 48 hours.
Depending on the risk of harm to subjects, COUHES may require that some or all of these best practices be followed.
Best practices for protecting data include:
- Password-protected computers with locked carrying cases;
- Explicit mechanisms for ensuring that any translators, research assistants, or pollsters contracted are well-versed in COUHES protocols and are fully aware of COUHES procedures for safeguarding privacy and confidentiality;
- Immediately transferring data collected abroad to storage sites outside of those countries, followed by wipes of computers and files that remain in-country;
- Taking appropriate precautions to ensure that any systems used for entry or transmission of data are themselves confidential and not vulnerable to hacking.
Information Protection (BETA)
In conjunction with COUHES, IS&T developed data or information security tasks based on the potential risk posed by research data. The information security version is not required for new applications at this time, unless requested by COUHES, but will be implemented in the near future. When preparing for new protocols or making changes to existing protocols, investigators are highly encouraged to check their information risk level through the link provided below and implement information security tasks appropriate to the assigned information risk level.
To determine the appropriate information risk level for your research, complete the following Qualtrics survey:
The risk level associated with your research information will display at the end of the survey along with a link to the appropriate information security tasks.
Please note: At this time, investigators are not required to submit the Qualtrics survey or the assigned information security printout to COUHES, unless specifically requested by COUHES staff.
If you already know the information risk level for your research, below are quick links to the information security tasks:
- Low Risk Information: https://infoprotect.mit.edu/tasks/low-risk
- Medium Risk Information: https://infoprotect.mit.edu/tasks/medium-risk
- High Risk Information: https://infoprotect.mit.edu/tasks/high-risk
Upon review of the protocol, COUHES may require that some or all of these controls be implemented, congruent with the risk to subjects, or request that investigators adhere to a high level of data security.
To submit feedback related to information security tasks, please follow the link: https://infoprotect.mit.edu/feedback