Policies and Procedures for Human Subjects

When conducting or recording interviews using Zoom (whether on or off‐campus):

1.       Provide a meeting password or other Zoom link to invitees and enable the “waiting room.”

2.       Use the “record to this computer” option if you are recording and be sure to save your recordings in a secure location (e.g., encrypted, physically secured computer, college network drive). Do not use “Record to the Cloud”, which places the recordings on Zoom’s servers and is designed for sharing. Be sure to save your recordings.

3.       You must obtain informed consent of all respondents to participate in the interview and to record the interview if your analysis plan requires that you work with a transcript There are several options for obtaining informed consent when you use Zoom: a) send out a blank consent form via mail or email so that you and the respondent can review it together and then record the portion of the consent that gives permission for the respondent to participate in the research and to have the interview recorded, should you need a digital recording for data analysis and b) slowly read the whole consent form to the respondent over Zoom and then turn on the recorder to record agreement to participate in the interview and to be recorded, if the latter is needed.

4.       You can use Zoom and not make a recording, but instead, take notes on the interview. You still need to read through the consent form and record just the respondent’s agreement to participate in the interview (I agree to participate, I do not agree to participate). And you should assure your respondent that you are not recording either audio or video.

5.       Only record the video portion of the interview if ABSOLUTELY NECESSARY for the research and if the procedure has been approved by the IRB and the interviewee. Video recording raises more risks for respondents in terms of confidentiality and privacy threats. In addition to the regular consent form, there is an IRB form for video‐ recording that the respondent must sign and should be given to the respondent at the same time overall study consent is obtained. (See 3 a and b above for possible procedures to obtain video consent).

 6.       If video is not necessary, then the interviewer should either ask the interviewee to turn off their video or the researcher (acting as the Zoom host) should turn off the video for the interviewee. This should be done before the Zoom session begins.

7.       Zoom has a version that is HIPAA compliant. Contact the HELP desk for further information about how to obtain it.

 8.       In a consent form or statement, you should indicate that “Results are stored in a password protected account accessible by only the researchers and system administrators. While no absolute guarantees can be made regarding security, these measures provide safeguards against outside agents accessing the electronic data.”

 9.       Once again, the experience using Zoom does not change whether you are on or off campus. If you record an interview, be sure to save it on the OneDrive or your H drive and delete it from those drives when the study is completed.

STORAGE OF RESEARCH DATA

 Note: Research Data Should Only Collect Identifiers, Essential to the Research

 A.      Bryn Mawr College OneDrive Account

 OneDrive is a secure, cloud‐based storage solution, and Bryn Mawr College’s license gives current faculty, students and staff more control over file security than a consumer license. Your college OneDrive account is a good option for storing and sharing human‐subject research data, audio or video files, or documents with others, as long as you do the following:

1.       Only give access to individuals who need it for research purposes and remove access when they no longer need it.

2.       Give access by sharing with Specific people, rather than getting a link anyone can use. Files and folders shared this way can only be accessed by the designated people; even if they forward a link to others, that link will not work. If the individuals you are sharing with do not need to edit the files you are sharing, you can disable editing and prevent downloads.

B.    BMC Network File Storage – H:// Drive

 The H:// drive is a campus‐based file storage network. Current Bryn Mawr faculty, students and staff have their own H:// drive network storage space, which only the owner and campus administrators can access. (You cannot give others direct access to files stored on your H:// drive; you need to download them to share them.)

 You may need to map your H:// drive storage to your computer the first time you use it, but after this it will show up in your Explorer (PC) or Finder (Mac) like other drives. See Network File Storage and Mapping your Network Drives for more information.

If you’re off‐campus, you will need to log in to the College’s VPN to access the H:// drive.

C.     Storing Research Data on a Laptop, iPad or SmartPhone

If you are storing research date on a computer or mobile device such as an iPad or smart phone, think carefully about data security. Research data in this context means not only databases and spreadsheets, but also notes, documents, transcripts, and photographs, audio recordings and video files used to collect and store research information. Data security includes both protection against data loss if the device is lost or damaged and preventing unauthorized users from accessing your data.

General best practices for data and file storage include:

1.       Physically secure your devices – do not leave them unattended; keep them in locked locations when you aren’t using them.

2.       Password‐protect your devices with strong, unique passwords.

3.       Encrypt your devices so that data cannot be easily viewed by others if a device is lost or stolen and a password cracked.

a.       Device‐level encryption is already enabled on college‐owned computers. For more information contact help@brynmawr.edu.

b.       If you are using a personally owned device for research, consider turning on built‐in encryption.

4.       Routinely back up your data to a secure location.

a.       College‐owned computers are automatically backed up to secure cloud through CrashPlan24. For more information, contact help@brynmawr.edu.

b.       For personal devices, routinely saving back‐up copies of your data to the H:// drive or your BMC OneDrive account can provide similar protection.

c.       Although most operating systems offer automated back‐up options (e.g., Time Machine, File History, iCloud backup), pay attention to where those backup files are stored. Back‐up files stored on the same device will not help you if the device is damaged or lost and cloud back‐up options may not be secure enough for all types of data.

5.       Do not store files on portable devices like smart phones or laptops any longer than you need them; move them to more secure storage (OneDrive, H Drive) instead.

We encourage you to adopt these practices for all research data, even data that contains no personal identifying or sensitive information.

You must adopt these practices if you are collecting personally identified, confidential or sensitive information; audio and video files; or photographs of research participants.

Researchers conducting studies requiring full review should be particularly conservative when it comes to securing data. If you have questions about securing research data, LITS can provide guidance – email help@brynmawr.edu to set up a consultation.

Informed Consent, Assent

Participants must have sufficient information to make an informed decision to participate in the research study. If participants cannot give informed consent, it must be obtained from their legal representatives. For example, when participants are minors (under 18) or when they are mentally incapacitated, legal representatives are required. Remember that informed consent is a process and is not merely obtaining a signature.

Consent/Assent documents should be clearly written, with short sentences that are understandable to participants. These forms should include language that is nontechnical. Scientific, technical, or medical terms should be plainly defined. Use the second person in the consent/assent form. Guidelines and templates are available on the documentation page in IRB Mentor, including consent for Photo and Video Recordings.

When a Signed Consent Form May Not Be Required

Circumstances in Which a Signed Consent Form May Not Be Required

• Signed consent/assent forms are standard. However, there are some situations, designated in federal regulations, where a signed consent form may not be required; you should specify which condition applies in your IRB application:
  • (1) if the research presents no more than minimal risk (exempt or expedited research) and involves procedures that do not require signed consent when they are performed outside of a research setting and a waiver will not adversely affect the rights and welfare of a subject and the research could not be practically carried out without a waiver and if the consent document is the only record linking the participant with the research; or
  • (2) if the principal risks are those associated with a breach of confidentiality concerning the participant’s participation in the research (e.g., studies on potentially sensitive topics such as illegal drug use, other illegal conduct, or sexual behavior) and the only document linking the subject and the research is the consent document; the principal risk would be potential harm from a breach of confidentiality.
• The respondent will receive a brief script that is either given in writing or provided orally.

All web surveys, developed for research purposes, that are initiated at Bryn Mawr College by Bryn Mawr faculty, students, and/or staff or researchers who are faculty, students and/or staff from other institutions need to be reviewed and approved by the IRB before they are initiated. The Bryn Mawr College IRB adheres to the applicable federal definition of research as “any systematic investigation, including research development (pilot testing) designed to develop or contribute to generalizable knowledge.”

All Web surveys initiated by members of the Bryn Mawr College community or distributed to members of the College community must adhere to the following security conditions:

• The Web based survey system must employ SSL encryption of all transmissions between the respondents and the survey servers.
• The survey results must be secured behind a password protected account with access limited to the study researchers and system administrators.
• The survey system service provider must have a privacy policy that prevents employees of the service provider from accessing survey results without permission granted by the account holder.
• All downloads of data from the survey system must employ SSL encryption for the transmission.

The College has a licensing agreement with Qualtrics.com that grants any member of the community (faculty, staff, and students) an account upon request. Qualtrics.com has the ability to meet the security conditions outlined above. If you are proposing to use web survey software other than Qualtrics, please include a full description of the software’s security protections that need to meet the conditions described in the bulleted section above. At this time, Google Forms does not meet the College’s security measures. It is the researcher’s responsibility to ensure these conditions are being met. Additional security measures may be required depending on the nature and sensitivity of the data being collected.

The College will not provide faculty, students, or staff outside of the Bryn Mawr College community access to email lists for recruitment and/or data collection until the Bryn Mawr College IRB has approved the research protocol. However, IRB approval does not guarantee access. This must be requested separately from the IRB and it is recommended that obtaining this permission be done as part of the protocol design to ensure recruitment can occur as planned.

Web Survey Consent

Use the following consent form language for anonymous or identified web surveys

This is an anonymous (or confidential, if it is not anonymous) survey. The data is being collected using a secure (encrypted) connection to the host survey service provider. Results are stored in a password protected account accessible by only the researchers and system administrators. While no absolute guarantees can be made regarding security, these measures provide safeguards against outside agents accessing the electronic data.

Questions to ask yourself as you prepare your protocol and communicate your plans to your departmental reviewer and the IRB:

1. Am I only collecting data that is absolutely essential to my research? Is there any non-essential data being collected? The most secure data is data that is never collected in the first place. Ask yourself if you really need to collect potentially identifying information to pursue your project. This includes how you collect your data. Do you need to record audio or video? Make sure to explain the necessity of the data collected in your protocol so the IRB understands why all the data points you will request are necessary.

2. How damaging would my data be to the research subjects if it were released or accessed by others? Some data isn’t damaging: no one is likely to be harmed if someone else deduces their favorite flavor of ice cream. But if you’re asking questions about more sensitive behaviors, consider what the damage might be to subjects if that data got out. Sensitive data might include information about illegal or sensitive behaviors (drugs, sex, etc.); health records or information about mental or physical illness; or immigration status.

3. From whom am I trying to keep this information? Think about who would be in a position to cause negative consequences for your subjects if they gained access to your data. Sometimes that might be an employer, a landlord, the police, a national government, or a subject’s friends and family. You should also think about  whether you will be crossing any borders during the process, since that exposes you automatically to additional risk.

Working with the answers to (2) and (3), consider what level of protection your data needs.

If your data necessitates a LOW level of protection, make sure you are still taking best-practices precautions as a digital citizen.

• Maintain strong passwords on all devices
• Secure phones used for research data with a numerical code rather than a fingerprint or face ID. Use encryption where possible.
• Minimize the number of machines where data is stored: delete data from a phone within 24 hours.
• Upload data to Bryn Mawr’s H: drive or OneDrive for all individual student research data.
• You can use the S: drive only if you are part of a shared research group that has a specified group S drive file. iCloud and Google Drive should not be used. If using your phone to collect data, be sure that your phone is not automatically duplicating the data onto iCloud or Google Drive. Check with the IRB for other paid, encrypted services (i.e. Dropbox, etc.).
• Do not store research data on public or shared machines.
• Use secure wireless networks (i.e. not airport, Starbucks, or other public connections).
• Turn on full-disk encryption on your personal computer if possible.
• Securely delete data when you are done with the project. See required procedures below based on level of IRB review. 
• Do not transport data on hard drives (phone, computer, tablet, external drive, flash drive) across international borders. Your rights are extremely limited at border crossings.

If your data necessitates HEIGHTENED precautions, make sure you do the above, plus:

• Store and access research material only on devices with full-disk encryption enabled. If you are not using a College-owned computer, what program will you use to encrypt it?
• Researchers working internationally with sensitive data need access to a secure (paid) VPN that they can use to transmit, access, and communicate about their data.
• Make sure you can delete securely. Storing data on Bryn Mawr’s H: drive allows for secure, permanent deletion.

If the data requires EXTREME precautions, add these extra measures:

• If possible, edit and access data only through OneDrive, so that unencrypted versions are never downloaded to a researcher’s computer.
• If using OneDrive, talk to the Help Desk to arrange for secure deletion by someone with admin privileges.
• Add a second layer of encryption: individually encrypt research files or folders using a program like BitLocker (PCs) or Keke (Macs).

Data Management should follow the below procedures, based on level of IRB review:

For Exempt protocols:

Data should be stored on the Bryn Mawr College One Drive and/or approved encrypted S: drives. Access will only be provided to those on the research team. All electronic data will be deleted and destroyed upon completion of the research study. All physical data collection tools, including consent forms, will be permanently deleted and destroyed at the completion of the research study.

For Expedited protocols:

For federal regulation compliance, all data collected from this research study will be maintained within Mawr College’s One Drive and/or approved encrypted S: drives for 3 years after completion of study. Data collected for student research studies must be transferred to Faculty Advisors, and deleted from individual personal computers and encrypted folders. Faculty Advisors will arrange with IRB and/or Department Chair to manage the data for three years, unless otherwise approved by the IRB.

All records must be retained for three years after the completion of the research. Records may include such items as research proposals, informed consent documents, data collection and survey responses, progress reports, reports of any injuries to participants, and all related correspondence concerning the use of human participants.

Student researchers must transfer all materials to their faculty advisor and delete all files from any local devices. Faculty advisors must retain these records for 3 years per federal guidelines. 

Research conducted outside of the United States by Bryn Mawr faculty, students, or staff must be reviewed in accordance with Bryn Mawr College IRB review procedures. Such research must also conform to the standards for research involving human participants of the host country. Students must submit either an e-mail or a letter from an academic or an NGO in the host country indicating that they will provide on-the-ground support for the student. Collaboration with colleagues at a local institution in the host country often provides a good method for ensuring compliance with host country law and human participant conventions in research. Please see the Guidelines for International Researchers and Listing of Social-Behavioral Standards.

A Certificate of Confidentiality obtained from the Department of Health and Human Services (DHHS) provides protection to research participants who are the subject of such research by withholding from all persons not connected with the conduct of such research the names or other identifying characteristics of such individuals. Persons so authorized to protect the privacy of such individuals may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals. 

Information about obtaining a Certificate of Confidentiality can be found here: https://www.hhs.gov/ohrp/regulations-and-policy/guidance/certificates-of-confidentiality/index.html