IRB, Human Subjects and Data Security Vipin Awatramani Staff Training, Mahabalipuram 2012

Presentation format Group Exercise (30 minutes) Quiz (15 minutes) Q&A (10 minutes) Presentation/ Lecture (40 minutes)

Agenda Presentation Ethics, IRB, PII, IRB applications Data security Data handling at various stages Quiz Three questions (Poll) Group Exercise Scenario Q&A Connecting to experts

Have you worked on ANY IRB documentation for your study? (created a new protocol, renewed or amended it?) A.Yes B.No

Have you completed a Human Subjects training certificate (via CITI or NIH)? A.Yes B.No

Have YOU, a new project staff interacting and handling data of human subjects, been added to your IRB protocols as a project member? A.Yes, I did it myself B.Yes, someone else did it C.No, not yet D.I don’t know

Ethics in Research Studies involve human subjects Under U.S. Federal Policy for the Protection of Human Subjects, all studies involving human subjects must meet institutional guidelines of ethical research Approved by an accredited IRB (Institutional Review Board) Image Source:

What is IRB and what studies require these approvals? Institutional review board A group designated by an institution (such as a university or non-profit) to approve, monitor, and review research involving human subjects to assure appropriate steps are taken to protect the rights and welfare of those subjects. Studies that require IRB approval include: Studies interacting with human subjects Studies collecting data on individuals including personally identifying information

Why do you need IRB approval? Protection of human subjects —Ensure ethical research design —Field projects often collect personally identifiable information (PII) from respondents Non-compliance can jeopardize —Funding —Research progress —Organization’s reputation

What is PII? Personally identifiable information: Information that can be used to identify an individual or households with a reasonable level of confidence. Names, telephone numbers, addresses, account numbers, photographs, Government identification numbers, GPS coordinates Smaller geographical subdivisions/units, elements of date related to an individual

Four Questions that you need to address 1.When do you need IRB approval? Renewal/updates? 2.How do you prepare IRB applications? 3.What about my field staff? 4.What about data security (storing, transmission)?

When do you think you need to update you IRB committee? A.Significant additions to survey, design Should get approval B.New PI/RA/expansion C.Grants awarded D.All

When do you need IRB approval? Renewal/updates? Before starting any field activity IRB Protocol Updates: – Renew every year – Submit modifications for: Significant additions to survey, design or field activities? Changes in security management Grants awarded New PI/RA/expansion All IRB applications should be submitted 1-2 months in advance.

How do you prepare for IRB application? Explain that risks to participants, if any, will be minimal Emphasize that no one in the study will be worse off Explain why the project is withholding the program from the control group Explain how participation in the study may leave to improvement in the subjects’ lives and any other benefits How security of the data will be maintained Names of all Key Study Personnel with access to data

How do you prepare for IRB application? Human Subjects training certifications of all Key Study Personnel (Citi/NIH) Questionnaires and Consent form – English and translated into language of use – Certification of translation – Consent form as a separate document MOU or letter of support from partner organizations Additional requirements (No PII on Dropbox (even if it’s encrypted)

Know your IRB coordinators JPAL Global: Heather McCurdy IPA Global: Zahra Niazi — JPAL SA: Vipin Awatramani CMF: Shahid Anup Roy Check with your field office for any local IRB requirements, you can get in touch with responsible person at the field office to get support for these applications

Where to go for more information? 1.Sharepoint! -> Resources --> Human Subjects

What about my field staff Train field staff on fair treatment of human subjects, importance of confidentiality and data security Ensure that sessions on these issues are well delivered (Experienced staff/trainers) Ensure that the training covers all aspects of data protection and ethical concerns Get Data Confidentiality Agreement signed by field staff. (Add it as an annexure in their contract)

What about data security? Data security is a key component of protecting personal data and related IRB approval Secure procedures ensures that private information of human subjects is being protected Required reading Data Security Protocol Approved IRB protocol (additional requirements) for the project, levels of data security Level 1Level 2Level 3Level 4 Not confidential PII: No material harm, embarrassment(confidentiality) PII: Embarrassment, harm reputation HRCI (High risk confidential data)

What about data security? HRCI Social security, credit/debit card, individual financial account, driver’s license, ID (passport/state ID) Medical information including biometric information Risk of civil/social liability, moderate psychological harm Level 1Level 2Level 3Level 4 Not confidential PII: No material harm, embarrassment(confidentiality) PII: Embarrassment, harm reputation HRCI (High risk confidential data)

Five Principles of data security Obtain Confidentiality agreement Ensure physical security Store, transmit and use PII separately Encrypt all PII Secure Devices handling decrypted PII (password)

Research Associates on IRB Ensure all individuals handling PII have certifications Draft IRB application or renewals or IRB updates Ensure accurate implementation of IRB guidelines at field level Report any IRB breaches to your human subjects coordinator immediately

Data handling at various stages Before data collection (survey) During data collection (survey) After survey Environment for analysis Wrapping up field work Making data public

Before data collection (survey) Educate yourself and others IRB/data security protocol Train field staff Detailed plan on securely handling data Procedure if data security breach occurs Validate physical attributes Ensure Certifications Confidentiality Agreements Storing/handling data securely (metal cabinets) Designing survey instrument and data entry software Separable PII – non PII

During data collection (survey) PII Other Sensitive information Risk Ensure that you have a field for the Unique ID Code on every page of the survey packet. Paper surveys received from surveyors should be physically separated These two sections should be stored and transported separately

After survey: Paper surveys and data entry Designate a safe and secure place for survey storage Surveys should not be left out in the open for extended periods Ensure that data entry operators have signed a Confidentiality Agreement Set up secure data entry system Internet-disabled computers with back-up Remove non-essential programs/software from computer Install an antivirus and analyze each computer Set up user accounts and intranet Continually back up data Data transfers: USB or SFTP (no )

After survey: Transmission and sharing Transfer data to password protected computer as an encrypted file Confirm that data entry operators have removed the data from their computers (if applicable)

Environment for analysis Maintain two separate datasets: first which contains PII and the unique id code and a second which contains the unique id code and the rest of the data (make sure both contain the respondent id code) Keep the dataset containing personally identifiable information encrypted

Wrapping up field work Once data analysis is finished, hardcopies of surveys need to be destroyed in a secure manner (e.g., shredded) within 3-5 years of completion of the study Once all data is received for cleaning and analysis and secure back-up of the files has been confirmed, completely delete the file from any field computers (make sure all data has been transmitted from the field before deleting files)

Making data public Multiple team members need to review the dataset before it is released publicly, preferably ones who are familiar with the survey instruments and data collection The potential negative repercussions of making on mistake and releasing PII on a public database can be huge (imagine leaving a social security number in a public medical procedures database) Always get PI approval before making data public

Data security checklist All project staff have take IRB course and sent certifications* Survey structured with PII-Consent detachable from Main Questionnaire Field staff sign a confidentiality agreement before working with data/surveys* Using IRB approved consent form* Unique ID code written on every page* PII-Consent separated from Main Questionnaire prior to data entry Hard copies stored in a secure location* Use encryption for storage, transmission and access of PII data* Make 2 backup copies (encrypted) of the original data* Store backup copies on a secured server Confirm data entry operators have removed data from their computers* Separate PII from non-PII whenever possible * Required

Quiz

The PI asks a research assistant to download data from a govt website to evaluate potential variables of interest A.Must get approval or can’t proceed B.Should get approval C.Proceed but submit change with modification/ renewal D.IRB approval or update not needed

A small-scale survey is launched to collect data from subjects, including identifiers, to use for power calculations but not for analysis that will be used for the final paper A.Must get approval or can’t proceed B.Should see if approval is needed C.Proceed but submit change with modification/ renewal D.IRB approval or update not needed

The consent form is changed from being written to being verbal, since it has become obvious that many of the respondents can’t read and the additional printed consent forms aren’t being used. A.Must get approval or can’t proceed B.Should see if approval is needed C.Proceed but submit change with modification/ renewal D.IRB approval or update not needed

Group Exercise Scenario 1: You are done with your field work and need to shut down your temporary field office. You are transporting all you surveys on a Truck to a different city for storage. The truck met with an accident and two boxes got lost…What will you do?

Group Exercise Scenario 2 : You just completed data entry and have data ready for cleaning. The drive/USB/Laptop is lost during your visit to field. What will you do?

You are done with your field work and need to shut down your temporary field office. You are transporting all you surveys on a ruck to a different city for storage. The truck met with an accident and one box got lost…What will you do? A.You have that data in soft copy, so no worries B.Inform your PI and IRB coordinator C.You inform IRB committee

You just completed data entry and have data ready for cleaning. The drive/USB/Laptop is lost during your visit to field. A.You have the data on your chains so you can retrieve, You just need to inform your HR/admin about laptop B.Inform PI’s and IRB coordinator, retrieve all the data, store it ‘securely’

FEEDBACK What do you think?

Which of the following best represents how you feel about the length of this presentation? A.Much too long B.Long, but bearable C.Right length D.Not quite long enough E.Much more, please!

Which of the following best represents how you feel about the pace of this presentation? A.Too fast! I couldn’t keep up. B.Somewhat rushed C.Right pace D.Somewhat slow E.Very slow

How likely are you to use the content covered in this lecture/exercise in your work? A.Very unlikely B.Unlikely C.Uncertain D.Likely E.Very likely