Data Encryption Requirement
To ensure confidentiality of identifiable, electronic data, the Institutional Review Board (IRB) is now requiring that the electronic key linking participants’ identities to their data be encrypted. This will be accomplished by the use of TrueCrypt, a free, open-source disk encryption software. The accompanying document includes instructions on using and installing the software.
Points to remember:
- This is for ELECTRONICALLY COLLECTED/STORED IDENTIFIABLE DATA.
- If data are collected without identifiers (i.e., anonymous data), encryption is not required.
- Most often, the only data that must be encrypted is the computer file that is the key linking participants’ names to collected data – generally a small file. If data are coded, but the key is in paper format (i.e., handwritten), there is nothing to encrypt (obviously!).
- If electronic, identifiable data are not coded, the entire dataset must be encrypted. This might occur if: a) the dataset includes participants’ names (usually not done), or b) the data could be identifiable because of the type of data collected (e.g., some demographics can identify people).
Instructions on how to use TrueCrypt (Word)
Contact the IRB Office with questions, (firstname.lastname@example.org, 1-1498).
NOTE: Use of a different encryption program is acceptable.
The Institutional Review Board thanks the Department of Information Technologies for assisting in the selection of the encryption program, and Dr. John Koskie for his help (and patience) in developing the accompanying document.