Researchers must adhere to the highest standards for protecting subjects’ privacy and the confidentiality of the information they provide. At minimum, researchers must comply with the following:
Only individuals specifically mentioned in the COUHES application may access data with personal identifiers, and they may only do so in ways described in the COUHES application itself.
Any information that contains identifiers must be kept encrypted. Except under extraordinary circumstances, no more than 12 hours may elapse between the collection of information and its encryption. During that interval, any information that contains identifiers or whose release could result in harm to subjects must be kept in a locked bag or carrying case.
If the unauthorized access of data could result in harm to subjects, the vessels containing the data (e.g., computers, file cases, CDs, etc.) must also be locked.
Any security breaches, violations of protocols regarding access to the information collected, or situations where information might have been accessed without the researcher’s permission must be reported to COUHES orally or by email within 10 working days. Depending on the nature of the incident, COUHES may require that the researcher contact subjects in the study.
If unauthorized release of data could result in harm to subjects, researchers must notify COUHES either orally or by email within 48 hours. If the prospect of harm is imminent, researchers must also notify all subjects who might be harmed within 48 hours.
Depending on the risk of harm to subjects, COUHES may require that some or all of these best practices be followed.
Best practices for protecting data include:
- Password-protected computers with locked carrying cases;
- Explicit mechanisms for ensuring that any translators, research assistants, or pollsters contracted are well-versed in COUHES protocols and are fully aware of COUHES procedures for safeguarding privacy and confidentiality;
- Immediately transferring data collected abroad to storage sites outside of those countries, followed by wipes of computers and files that remain in-country;
- Taking appropriate precautions to ensure that any systems used for data entry or transmission are themselves confidential and not vulnerable to hacking.
In collaboration with IS&T, OGC, VPR, and Risk Management & Compliance Services, COUHES developed a data classification module that consists of two parts, a data classification questionnaire and information protection tasks based on risk level.
Data classification questionnaire
For each new COUHES application, investigators will be guided to answer a COUHES-specific data classification questionnaire in order to determine the appropriate risk level for their research data. There are three possible risk levels that could be assigned to a protocol based on your survey response: low risk, medium risk, or high risk. If you create a protocol in COUHES Connect, you will see the risk level assigned to your research data after completing the questionnaire. If you create a protocol via the Comprehensive Review Form, you will be able to check the risk level assigned to your data in COUHES Connect after COUHES staff process your application.
Please note that after a thorough review of your application, COUHES might adjust the original risk level assigned to your data, and you will be notified if that happens.
Information protection tasks
Once the risk level of your data has been identified, researchers are required to work with their departmental IT support resources or IS&T to undertake reasonable steps to protect the data.
Below are quick links to the information protection tasks recommended for each data classification risk level:
- Low Risk Information: https://infoprotect.mit.edu/tasks/low-risk
- Medium Risk Information: https://infoprotect.mit.edu/tasks/medium-risk
- High Risk Information: https://infoprotect.mit.edu/tasks/high-risk
When preparing for new protocols or making changes to existing protocols, investigators are required to check their risk classification and implement information protection tasks appropriate to the assigned risk level. At this time, implementing the recommended information protection tasks is not required for all new applications. As we begin this new process, COUHES will select a sample set of protocols that will be required to implement the information protection tasks. A COUHES staff member will contact you if your protocol is selected and required to follow the information protection tasks appropriate to your data’s assigned risk level.
Whom do I contact for questions and comments?
For questions related to this requirement and the data classification questionnaire, contact COUHES via firstname.lastname@example.org.
For questions related to the specific information protection tasks listed on the IS&T infoprotect website, contact IS&T via email@example.com or 617-253-1101.
How will COUHES decide if the data classification risk level originally assigned to my data needs to be adjusted?
After a thorough review of an application, COUHES might adjust the original data risk level assigned to the protocol, taking into consideration data sensitivity, subject population, and the overall risk of the research.
What should I do if one or more of the information protection tasks assigned to my data risk level is not practical to follow?
Please contact COUHES to discuss your specific questions. You can also propose an alternative information protection mechanism. COUHES will coordinate with IS&T and MIT Research Compliance to review this request on a case-by-case basis to ensure the alternative mechanism will hold the same security standards as the original information protection task(s).
For research involving collaboration with outside institutions, does the Data Classification and Information Protection requirement apply to the outside institution(s) collaborating with MIT?
This depends on whether COUHES is the reviewing IRB for the outside collaborators.
If COUHES is the reviewing IRB, meaning that the outside institution(s) has signed a reliance agreement for COUHES to be their IRB and oversee their research activities, then the outside institution(s) are required to follow the MIT Data Classification and Information Protection requirement or a comparable standard at the collaborating institution(s). The MIT PI of the study will need to certify for the outside collaborators. If the outside institution(s) cannot follow the MIT information protection tasks, then they will need to provide an alternative plan that is similar and comparable to the MIT information protection tasks. The MIT PI is responsible for mapping the outside collaborator’s plan to the MIT Information Protection requirement to determine whether it is acceptable; the MIT PI can consult IS&T and MIT Research Compliance if they have any specific questions.
If COUHES is not the reviewing IRB for the outside institution, meaning no IRB reliance agreement is in place between MIT and the outside institution(s), then the outside institution(s) are strongly encouraged to follow the MIT information protection tasks or a similar information protection plan.
If COUHES cedes IRB review to an outside IRB via a reliance agreement, then MIT investigators are strongly encouraged to follow MIT standards, in addition to following the requirements of the outside reviewing IRB.