Researchers must adhere to the highest standards for protecting subjects’ privacy and the confidentiality of the information they provide. At minimum, researchers must comply with the following:
- Only individuals specifically mentioned in the COUHES application may access data with personal identifiers, and they may only do so in ways described in the COUHES application itself.
- Any information that contains identifiers must be kept encrypted. Except under extraordinary circumstances, no more than 12 hours may elapse between the collection of information and its encryption. During that interval, any information that contains identifiers or whose release could result in harm to subjects must be kept in a locked bag or carrying case.
- If the unauthorized access of data could result in harm to subjects, the vessels containing the data (e.g., computers, file cases, CDs) must also be locked.
- Any security breaches, violations of protocols regarding access to the information collected, or situations where information might have been accessed without the researcher’s permission must be reported to COUHES orally or by email within 10 working days. Depending on the nature of the incident, COUHES may require that the researcher contact subjects in the study.
- If unauthorized release of data could result in harm to subjects, researchers must notify COUHES either orally or by email within 48 hours. If the prospect of harm is imminent, researchers must also notify all subjects who might be harmed within 48 hours.
Best practices for protecting data include:
- Password-protected computers with locked carrying cases;
- Explicit mechanisms for ensuring that any translators, research assistants, or pollsters contracted are well-versed in COUHES protocols and are fully aware of COUHES procedures for safeguarding privacy and confidentiality;
- Immediately transferring data collected abroad to storage sites outside of those countries, followed by wipes of computers and files that remain in-country;
- Taking appropriate precautions that any systems used for entry or transmission of data be themselves confidential and not vulnerable to hacking.
Depending on the risk of harm to subjects, COUHES may require that some or all of these best practices be followed.