
Data Security Assessment Form: Date: Principal Investigator

This document is a data security assessment form that must be completed for research protocols collecting identifiable data. It requires investigators to describe what identifiers will be collected, how data will be collected and stored, and ensure all methods comply with relevant privacy laws and UConn policies. Identifiers include names, contact information, medical records, and geolocation data. Acceptable data storage methods include UConn secure servers and encrypted devices. Data transmission should avoid email and use secure servers or protocols.

Uploaded by

Alberio Cygnus

Data Security Assessment Form

Date:      

Principal Investigator:      

Student Investigator (if applicable):      

This form must be completed and submitted to the IRB for protocols that collect, transfer, or store
identifiable data. Please review the IRB's Research Data Security webpage for helpful information when
completing this form. It is important that all sections are complete for the IRB to assess risks and ensure
safeguards are in place to protect human subjects. If you have any questions, please contact the RCS
office at 860-486-8802 or [email protected].

All University-owned machines must have encryption enabled by default. A university-owned computer
or device must be used for all storage of photographic images, voice recordings, and data protected under
HIPAA and FERPA, and must comply with UConn’s Confidential Data Policy. Additionally, research data may be
stored on UConn secure drives, such as P and R, or on university-authorized cloud services, such
as UConn Office 365 (e.g., OneDrive/SharePoint).

UConn does not recommend the transmission of identifiable datasets by email due to the inherent risk
of compromise. Identifiable data should be transmitted via a secure service, such as Office365,
FileLocker, a secure website, or by using secure protocols, such as File Transfer Protocol Secure (FTPS).

Data collection software, data analysis software, and cloud compute/storage used for research must be
approved for university use by Information Technology Services and procured through University
Procurement prior to use. Contact your department administrator to obtain authorization for software
not vetted by UConn ITS and Procurement prior to use.

The informed consent form must include information regarding any terms of service or end user
agreement for technologies used in the research as well as information about whether a vendor has
access to a participant’s contact list or other information on their device, ability to track location, and
whether there is a possibility that any participant data will be used for marketing or other activities or
sold to a third party.

All faculty, students, and staff engaged in human subjects research must follow UConn ITS
standards and policies.

Part A – Identifiers to be collected (check any that apply):

Check any identifiers that will be collected during any phase of the research
Name
Electronic mail address
Social security number
Telephone or Fax Number
Internet protocol (IP) address or Web universal resource locators (URLs)
Medical record number
Any information about a person’s past or present physical or mental health condition; provision of health care to an
individual, or past, present, or future payment for the provision of health care to the individual-protected health
information (PHI)
Electronic protected health information (ePHI): emailed lab results, stored X-rays/MRIs on computer, health information stored on a mobile device
Device identifiers/serial numbers
Biometric identifiers (e.g. fingerprints, identifiable images/photos, retinal scan)
Video or Audio recordings
Account numbers
Driver’s license numbers or identification (alien registration, state ID or passport ID number)
Vehicle identifiers and serial numbers, including license plate numbers
List any other unique identifying number, characteristic, or code to be collected. Include any data considered
identifiable private information (information for which the identity of the subject is or may readily be ascertained by the
investigator or associated with the information):      
Any geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their
equivalent geocodes.
Any geolocation data (use of latitude and longitude geographic coordinates that can be used to identify the physical
location of a device)

Please specify:      


All elements of dates (except year) for dates directly related to an individual, including birth date (mm/dd/yyyy),
admission date, and discharge date.

Please Specify:      


Any data other than self-reported that falls under the Family Educational Rights and Privacy Act (FERPA), which may include but
not be limited to the following: grades/transcripts/test scores, courses taken, schedule, advising records, educational
services received, disciplinary actions, student financial aid, grants, and loans, admissions and recruiting information
including high school grade point average, high school class rank, etc., or student personnel records.
Please refer to the University's FERPA policy for additional information.

Please list the specific FERPA covered variables used for this research:      
Will this research collect electronic informed consent (eIC)? Yes No
If yes, describe the process of obtaining an electronic signature in Part B.

As a reminder, please clearly describe all data collection methods and how data will be stored
and transmitted in the informed consent form. Include the risks of each method and a clear
description of how information about participants is protected. Consistency between forms will
help facilitate the IRB’s review of the submission.

Part B – How will you collect research data?

Mobile App Not applicable


1. Name of the app:      
2. Was the app created by a member of the research team? Yes No
3. What device will be used to access the app? Please check all that apply:
Personal phone that belongs to the research participant
A study phone provided to the participant
A designated study phone used by the researcher to collect data
Personal phone that belongs to the researcher
4. Will data be stored on device for an interval of time? Yes No

5. Will the app be able to access other device functionality, such as Location, Contacts, Notifications, etc.? Yes
No
6. Provide any additional information:      
Web-based electronic data collection software, such as survey panels, or another tool Not applicable
UConn Data Storage Options:
UConn licensed Qualtrics UConn REDCap Other
If Other, you are required to answer all 5 questions below:
1. Name the site hosting the survey:      
2. Does the technology utilized allow for the explicit exclusion of the collection of Internet Protocol (IP) address or
geolocation of the participant’s connection?   Yes No
          If Yes, will you utilize this option to exclude the collection (anonymize function)?  Yes No
3. If collecting data from minors (<18 years old), does this site comply with the Children’s Online Privacy Protection Act
(COPPA)? Yes No
4. Provide any additional information:      
Wearable Device Not applicable
* Complete the mobile app section above if a mobile app will be used with the wearable device
1. Name of wearable device:      
2. Is wearable device provided by participant or researcher? Participant device Researcher provides device
3. Is wearable device registered by participant or researcher? Participant registers device Researcher
registers device
4. Will the device collect identifiable information? (please refer to Part A of this form) Yes No
5. Provide any additional information:      
Digital audio or video recording, video conferencing, or photographic images Not applicable
*Refer to the Research Data Security webpage on the UConn IRB’s website for more information
1. Will this research utilize videoconferencing? Yes No
2. If yes, will data from videoconferencing be recorded? Yes No
3. Describe the method of capturing the study recording or image (e.g., digital recorder, study cell phone, WebEx,
Teams, etc.)      
4. Will a transcription service be used to transcribe recordings? Yes No
a. If yes, please provide the name of the transcription service.      
*If using a transcription service, please include the confidentiality agreement with the submission.
5. Provide any additional information:      

Text messaging Not applicable


1. Will you use current text messaging available on the device or will a separate application be downloaded (e.g.,
WhatsApp, etc.)? Current text messaging service on device Other
*If the latter, ensure mobile app section above is completed.
2. What device will be used by the participant? The participant’s personal phone Researcher provides phone
to participant
3. What device will be used by the researcher? The researcher’s personal phone A phone not used for
personal use, but designated specifically for the research
4. Will messages be limited to appointment reminders? Yes No
a. If no, what is the content of the messaging?      
5. Will the text messaging communication be one-way or two-way? One way Two way

6. Provide any additional information:      


*When using messaging software such as WhatsApp, Facebook, or others, please be sure to describe the privacy
parameters in the study protocol and consent form.
Hard Copy/Paper Not applicable
1. Will paper copies of documents, (e.g., surveys, data collection forms) be used to record data in this research?
Yes No
a. If yes, will any document include identifiable information (Please see Part A), or will the documents be
labeled with a code or pseudonym? Identifiable information will be recorded on form
Documents will be coded
b. If data will be coded, please provide a response to #5 under Part C of this form.

Provide any additional information:      

Part C – Transmission, processing, and storage of research data (temporary and long term)
*If sharing data outside UConn, it is important that Sponsored Programs Services Contract Office, at
[email protected] be contacted as early as possible to determine whether a Data Use Agreement or Contract is
required.
All identifiable data must be transmitted via a secure service, such as Office365-OneDrive, FileLocker, a secure website,
or by using secure protocols, such as File Transfer Protocol Secure (FTPS).
Describe where the transmission, processing, and storage of data will take place from each device used for
data collection (e.g., mobile apps, electronic surveys, wearable devices, any recordings and images, text
messages, hard copy, and transcription data). Be sure to include how data will be transmitted and stored in
the consent form.
1. Server
UConn ITS Managed Server.      
Are you or your Department operating your own server within UConn for this research?
Other (describe):      
2. Cloud File Storage (Note: UConn Google Drive/Google Apps may not be used to store Confidential UConn Data or
identifiable private information for which the identity of the subject is or may readily be ascertained by the investigator
or associated with the information.)
UConn REDCap
UConn Office 365 (e.g. OneDrive/SharePoint)
UConn Google Drive
UConn Enterprise File Server
Other (describe):      
3. Select any computers (laptops or desktop PCs) or devices (tablets, mobile devices, portable storage devices) used to
access data stored on systems identified in questions 1 or 2 above
UConn owned desktop or laptop, or another device
Personal desktop or laptop, or other device (If yes, identify and explain in item 7 below)
*Reminder, UConn Confidential Data or identifiable private information may not be stored on personal
equipment.
4. Storage of hard copy/paper records.
UConn Office - specify building & office number:      
Off-site - describe where:      

Home Office - describe whose and where:      


5. For any identifiable data collected in this research checked in Part A of this form, will the data be coded by removing
all the identifiers and assigned a unique study code or pseudonym? Yes No
a. If yes, describe how the code/pseudonym will be derived.      
b. Will a master key be maintained that links the code to identifiable information? Yes No
c. If yes, where will the master key be stored?      
6. Third-party collaborator or sponsor:      
7. Provide any additional information:      

Part D – Data Management


1. Who will have access to the data?      
2. Describe how access will be managed.      
* The Principal Investigator is responsible for all aspects of the research, including the collection, transmission, storage,
backup, and security of any research data.
3. Describe your reporting plan should the data be intercepted, hacked, or breached (real or suspected):      
4. Describe how long the data in this research will be maintained, as described in Part C. Federal Regulations require
that research records be maintained for at least 3 years after completion of the study:      
5. Is this an application where UConn will be the data coordinating center? Yes
6. Provide any additional information:      

Please read important information below if your research is regulated by the FDA:

For FDA Regulated IND research, the FDA requires that sponsors and investigators retain “records and reports required
by this part for 2 years after a marketing application is approved for the drug; or if an application is not approved for
drug, until 2 years after shipment and delivery of the drug for investigational use is discontinued and the FDA so
notified.”

For FDA Regulated IND research, the FDA requires the investigator or sponsor to maintain the records “for a period of 2
years after the latter of the following two dates: The date on which the investigation is terminated or completed, or the
date that the records are no longer required for purposes of supporting a premarket approval application or a notice of
completion of a product development protocol.”

Part E - Provide other research data security information if not addressed above.
     

Please direct any exceptions to University Policy regarding data security or use of platforms to
collect or store data that do not currently have an agreement with UConn to the Information
Security Office [email protected].

Page 5 of 5 version February 2021
