Record-Keeping and Data Security: Insights for IRB Administrators and Researchers

Since the National Archives in Washington were founded they have solved historical mysteries, provided key information, and unlocked a great deal of forgotten knowledge. The power of records and record keeping is influential at all levels of human existence, but also may be harmful to the least empowered individuals in society (such as refugees or the elderly).

Speakers Ada Sue Selwitz, MA, Lisa Buchanan, MOAM, and Janet Donnelly, RAC at the 2018 Advancing Ethical Research Conference (AER18) offered insights into essential documentation and stressed the importance of good record keeping and data management.

“An Institution, or when appropriate, an IRB, shall prepare and maintain adequate documentation of IRB activities, including copies of…(§§ 46.115(a) and 56.115(a)) research proposals reviewed; scientific evaluations, if any; approved sample consent documents; progress reports submitted by investigators; and reports of injuries to subjects (§§ 46.115(a)(1) and 56.115(a)(1))”

The panelists described some of the records IRB administrators should maintain.

IRB Records

  • The IRB should maintain IRB meeting minutes, actions taken by the IRB, the vote on IRB actions, basis for requiring changes in or disapproving research, a written summary of controverted issues, discussions, and resolutions (§§46.115(a)(2) and 56.115(a)(2)).
  • IRB’s should also maintain records of continuing review activities, correspondence between IRB and investigators (§§46.115(a)(3)(4) 56.115(a)(3)(4)), list of IRB members, written IRB procedures, and statements of significant new findings provided to subjects (§§46.115(a)(5)-(7) 56.115(a)(5)-(7)).

How Long Shall Records Be Kept?

  • Records must be retained for a minimum of three years after the closure of the study.

New Documentation Requirements in the Revised Common Rule

  • Rationale for conducting continuing review of research that otherwise would not require continuing review.
  • Rationale for expedited reviewer determination that research on expedited review list is more than minimal risk.
  • Responsibilities that an organization operating an IRB each will undertake to ensure compliance with reliance requirements in (§§46.103(e)).

The conference panelists also described the importance of good record keeping and data management by emphasizing that every record or archive in the world is vulnerable to unauthorized access regardless of security measures.

Unauthorized access to records or archives may result in the theft of records, their alteration or destruction, and the manipulation of information. Data management is a group effort and comprised of planning, developing, implementing, and administrating consistent storage, security, retrieval, archiving, and disposal of data.

Below is a brief summary of some general data management practices and a general data security plan:

Data Management Practices

  • Experiences and data management practices varies widely. However, administrators and researchers can institute a data security plan by first
    • Reviewing existing records and determining the relevance of the documents.
    • Reviewing management and preservation challenges within the institution.
    • Refining file naming practices.
    • Protecting the data.

General Data Security Plan

  • Create a record-keeping plan
  • Designate roles and determine who has access to the data
  • To ensure the integrity of the data, access to accounts and security of logins should be regularly reviewed
  • Data administrators should ensure project staff are set up with unique user accounts and personal secret passwords
  • Project staff no longer involved in the project should have access removed immediately
  • Regulate physical access to fixed and removable data (e.g., hard drives, laptops, paper files, etc.).
  • Individual files on computers in shared offices should be secured and encrypted.

Effective record keeping, (physical and digital) data storage, and authentication offer great help in securing all holdings. Emboldening administrators and researchers to adhere to good data security practices and record keeping protects vital information for the future.

Myra Luna-Lucero, EdD, is a Research Compliance Manager at the Teacher’s College of Columbia University. As a researcher and teacher, people are her highest priority and she instinctively communicates personal concern with others. She is an adept communicator who thrives on face-to-face interactions with a diverse body of students, faculty, and staff. She brings these qualities to her work to empower others to make informed decisions and reach their goals. She encourages researchers to ponder the roles they might play in the alleviation of the troubling inequities that continue to shape our world. She guides researchers on how to treat everyone as autonomous decision-makers who possess unique opinions. I present campus workshops on the importance of ethics, confidentiality, and protecting vulnerable populations. She meets individually with researchers to strategize ways to protect human subjects and do good work in the world.

Members of PRIM&R’s Blog Squad and other guest contributors are valued members of our community willing to share their insights. The views expressed in their posts do not necessarily reflect those of PRIM&R or its employees.

PRIM&R’s next AER Conference (AER19) takes place November 18-20, 2019 in Boston, MA; you also have the option attend either the AER19 Preconference Programs or our biennial SBER Conference on November 17.  Visit to explore this year’s conference agendas and register!