Data Security Guidelines

Related Key Terms:  Subject Participation


An individual's participation in a research project can be described as anonymous if it is impossible to know whether or not that individual participated in the study.  For example, participation in an online survey would be considered anonymous if that survey could not be linked in any way to the individual.


When participation is confidential, the research team knows that a particular individual has participated in the research but the team members are obligated not to disclose that information to others outside the research team, except as clearly noted in the consent document.

Maintaining human subject data securely with the appropriate level of anonymity, confidentiality, or de-identification is a key factor in ensuring a low risk threshold for the participants, the researchers, and the university.   

As such, principal investigators (PIs) and their study teams may be required to outline the data management and security procedures in the eResearch IRB application for IRB review.  In addition to the information provided in responses to specific eResearch application questions, you may be required to provide a Data Management and Security Protocol.  IRB-HSBS recommends that research teams consistently follow the core data security controls, whether or not the research involves the collection of personally-identifiable data. 

Core Controls

  1. Details on what tools can be used for which institutional data types can be found in the Sensitive Data Guide. This includes cloud computing & encryption standards.
  2. All data collection and storage devices must be password protected with a strong password.  A strong password requires a level of complexity.  Please follow the link for crafting a strong password.
  3. All sensitive research information on portable devices must be encrypted.
  4. Access to identifiable data should be limited to members of the study team.  
  5. Identifiers, data, and keys should be placed in separate, password protected/encrypted files and each file should be stored in a different secure location.
  6. If it is necessary to use portable devices for initial collection or storage of identifiers, the data files should be encrypted and the identifiers moved to a secure system as soon as possible after collection.  The portable device(s) should be locked up in a secure location when not in use.  The PI should consult with their departmental IT Security Unit Liaison (SUL) to discuss how to correctly configure desktop computers, laptops, and other devices for safe use in the collection and storage of research data.
  7. U-M +Google Mail and Calendar services may not be used to collect, store, or transmit confidential or sensitive human subjects research data or protected health information (PHI).   The Sensitive Data Guide provides information on what specific IT resources may be used with sensitive human subjects research data and protected health information.
  8. If utilizing any cloud-computing services, the PI must follow the U-M safecomputing guidelines (see Resources below) and U-M IT policies.
  9. All data collected on portable devices should be transferred to an approved service as soon as possible after collection, and deleted from the portable collection devices.
  10. If research includes sensitive identifiable data, outside consultants or vendors should be required to sign a confidentiality agreement.  Ensure that you are compliant with all institutional Third Party Vendor requirements.
  11. If the research design allows, the PI should delete or destroy identifiable information as soon as possible after collection.

Key Definitions

The IRB often finds that the terms anonymous, confidential, and de-identified are used incorrectly. Knowing the correct use of these terms can help you determine the appropriate data management and security procedures for your project.


Data are anonymous if no one, not even the researcher, can connect the data to the individual who provided it.  No identifying information is collected from the individual, including direct identifiers such as name, address or student identification number.  

Researchers should be aware that collection of indirect identifiers (i.e., information regarding other unique individual characteristics) might make it possible to identify an individual from a pool of subjects. For example, a study participant who is a member of a minority ethnic group might be identifiable from even a large data pool. 


Confidential data has a link between the data and the individual who provided it. The research team is obligated to protect the data from disclosure outside the research according to the terms of the research protocol and the informed consent document.  Methods to reduce the risk of inadvertent disclosure include:

  • Storing the subject’s name and/or other identifiers separately from the research data
  • Replacing the subject's name and other identifiers with a unique code and using this code to refer to the subject data.  Note that coding the data does not make that data anonymous.
  • Storing the code key separately from the subject's identifiers
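
An added illustration of the coding method above and of core control 5 (not code from IRB-HSBS or U-M): it splits collected rows into an identifier table, a coded data table, and the code key that links them. The field names, the E-/P- label formats, and the sample rows are assumptions; writing each table to its own encrypted file in a separate location is outside the example.

```python
import secrets

DIRECT_IDENTIFIERS = ("name", "student_id", "email")  # assumed field names

# Constructed sample rows, not real participants.
SAMPLE = [
    {"name": "Alex Doe", "student_id": "S0001", "email": "alex@example.edu",
     "zip": "00001", "q1": 4, "q2": "agree"},
    {"name": "Sam Roe", "student_id": "S0002", "email": "sam@example.edu",
     "zip": "00002", "q1": 2, "q2": "disagree"},
]

def _fresh(prefix, used):
    """Random label with no relation to any identifier (never a hash of one)."""
    while True:
        label = prefix + secrets.token_hex(4)
        if label not in used:
            used.add(label)
            return label

def split_records(rows, id_fields=DIRECT_IDENTIFIERS):
    """Split rows into three tables meant for three separate encrypted files."""
    identifiers, code_key, coded_data, used = {}, {}, {}, set()
    for row in rows:
        enroll_id = _fresh("E-", used)   # labels the identifier record
        code = _fresh("P-", used)        # labels the research data
        identifiers[enroll_id] = {f: row[f] for f in id_fields if f in row}
        coded_data[code] = {f: v for f, v in row.items() if f not in id_fields}
        code_key[enroll_id] = code       # the only link between the two
    return identifiers, code_key, coded_data

def relink(identifiers, code_key, coded_data, enroll_id):
    """With the key, coded data maps back to a person: coded is not anonymous."""
    return {**identifiers[enroll_id], **coded_data[code_key[enroll_id]]}

def deidentify(coded_data, indirect_fields=()):
    """Drop the codes and any listed indirect identifiers; the caller must
    also destroy the key and identifier tables for the result to qualify."""
    stripped = [{f: v for f, v in rec.items() if f not in indirect_fields}
                for rec in coded_data.values()]
    secrets.SystemRandom().shuffle(stripped)  # do not preserve enrollment order
    return stripped
```

The codes are drawn at random rather than derived from a name or ID, so someone holding only the coded data table cannot recompute the link.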


Data are considered de-identified when any direct or indirect identifiers or codes linking the data to the individual subject's identity are stripped and destroyed.

Institutional Data

Institutional data is defined as any data that is owned, licensed by, or under the direct control of the University, whether stored locally or with a cloud provider.

References and Resources

  • Protect Sensitive Data: U-M Safecomputing website providing best practices for accessing, working with, and storing sensitive data.  Includes information for managing your devices and reporting data breaches.
  • Safely Use the Cloud: U-M Safecomputing guidelines regarding use of U-M's Google services and sensitive university data, including research data.
  • Sensitive Data Presentation: From U-M Information Assurance, this presentation covers sensitive data classification; sensitive data and U-M IT standards; and third party vendor security review process.


For questions regarding IRB data management requirements, contact:

IRB Health Sciences and Behavioral Sciences
Phone: (734) 936-0933
Fax: (734) 936-1852

For questions regarding U-M safecomputing guidelines and practices, contact:

ITS Service Center

(734) 764-HELP (764-4357)
online service request
(login required)