How do you take care of confidential research material?
As an office manager for an organisation that’s been helping a university collect questionnaires for their research, it’s been my job to keep hold of the questionnaires and every few weeks a researcher comes and takes them away.
There are several questionnaires completed by each person in the study plus a signed consent form with their name, signature, date etc on it. Because I don’t want to lose or muddle these items I clip them all together (putting each person’s questionnaires, consent form etc together). There are several researchers involved in the project and I don’t always know when they’re coming to get the questionnaires. I keep all the questionnaires on my desk in a labelled box file. That way all the researcher has to do is open the file, take the questionnaires, and leave if I’m not around to help.
This week a new researcher came. She asked for the questionnaires. I showed her where they were kept in case I wasn’t available on her next visit. She was really angry and told me I had broken the law by having the file on my desk and that it was illegal to put consent forms with questionnaires. She said I had to keep the forms and questionnaires separately and also lock them in a cabinet otherwise the study could be ruined.
I was really upset afterwards and I asked my manager who said we could have a cabinet that locked but now neither of us know if we need a cabinet for the questionnaires and one for the consent forms. There is more than one questionnaire per person so do we also need separate space for the different questionnaires? What happens if we’re not here when the researcher comes to collect the questionnaires? I am worried if we ask the university they will know we did something wrong and we could be in trouble.
Nobody has mentioned this before. I don’t understand what I have done wrong.
[Image for this post is by artist Stuart Whipps, more information here]
There are two different issues here. Firstly, there is the storing of confidential information. If your organisation regularly handles confidential data, you should have a policy on how this is stored. This might mean locking it up, if you work area is open-plan and reasonably accessible (ie. People from outside the organisation may walk in and out), or it might be that you treat your workspace as a shared secure area, and confidential data is left out but you are careful about who enters the space. If you don’t have a policy either way, or you don’t know what it is, you ought to raise this with your organisation’s managers because it’s kind of asking for trouble. As far as the research goes, though, the storage is the responsibility of the research head and should have been clarified by them (and communicated to you and anyone else involved) when the organisation agreed to help with the research.
Secondly, there is the question of whether the questionnaires and consent forms can be stored together. That very much depends on the type and design of the study: it may be necessary for them to be stored apart, it may be necessary for it to be stored together. Again, that should have been made clear to you when you began helping with the project. The new researcher is wrong to assume that it’s obvious that they should be stored separately.
However, whilst your organisation should probably review its data protection policy if you don’t have one, any problems with the research data are *not your fault*. Whoever is running the research project is responsible for the security of the data, and that means they are responsible for how it is collected, stored and transmitted or passed from one person to another. They have the responsibility for ensuring that the data is responsibly handled, and that means ensuring that the people who handle it are adequately trained. If you haven’t received any training or advice on how the data should be stored, the responsibility for any failures rest with the leader of the research. They are at fault if they’ve just assumed that you know what to do or haven’t really thought about it, and this is exactly the kind of issue that the ethics committee of the university should have raised when assessing the the research proposal.
What you should do: contact the leader of the research team (or your liaison person) and explain that some concerns have been raised about the data protection and confidentiality issues and ask for clarification and/or training. But don’t grovel. You haven’t done anything wrong! And frankly you’d be within your rights to ask for an apology from the new researcher who shouted at you!
NB: not a data professional but I’ve worked with confidential data and research data, and this is my take on it. Happy to be corrected by anyone with greater knowledge!
Hi there,
My background is clinical research, and my speciality is Good Clinical Practice (GCP), so I can only tell you how this kind of data would be stored in a clinical research establishment. Saying that, the regulation that is most relevant to this is The Data Protection Act 1998, which is pertinent to anyone who handles information on other people, so the same principles will apply here.
The issue is with identifiable information. If you hold data (in this case, questionnaires) whereby an individual can be identified by the information in the data, you need to be extremely careful about how you store that data, and who has access to it. If the data is stored in a manner whereby the individual cannot be identified, then The Data Protection Act no longer applies and Good Clinical Practice guidelines are more pertinent.
In a clinical setting, this means that consent forms (always identifiable by the participant’s name) are not kept with data sheets. Consent forms are kept in locked cabinets within a secure unit. Data sheets contain no personal information and are identified by a subject number only. In my experience, these are also kept in a separate locked cabinet in a secure unit. Databases containing subject numbers and personal information are kept very securely and are only accessible by authorised people.
Authorised people are those that are listed on the Delegation Log for that study, with the signature of the Principal Investigator.
Our establishment ensures that each researcher involved in studies held with us has training in GCP. I would recommend it to anyone involved in human research. There are many elements of human research that are carefully regulated, although it may not seem obvious or necessary sometimes.
The responsibility for safe storage of the data for that study is with the Principal Investigator, and more importantly, the Sponsor of the study (often the University). Matters such as how the data is stored and used are usually sorted out before the start of a study, as they are required to be described in the study protocol and ethics application. Training requirements and appropriate storage facilities are usually established with those involved in that process as part of the study set-up.
A critical element of GCP is complete transparency in human research. The way to improve practice is to acknowledge errors, fix them, and then change how things are done so they cannot happen again (corrective action and preventative action, CAPA, a big part of research governance). All deviations from the study protocol, GCP, or any regulations such as The Data Protection Act must be recorded, and reported to the Sponsor of the study, and followed up. This is not a blame exercise in any way, it simply shows processes that failed, or are missing and need work. It is to ensure good research. The ultimate responsibility for what has occurred in this instance is with the Sponsor. I would expect the researcher to be documenting the deviation and informing the Sponsor, who would then implement processes to ensure the data was being held appropriately.
AS far as I remember data protection is far stronger if it is concerning “prejudicial material” as counselling students we were told that all material would come under that, since stigma means even attending counselling could be seen as prejudicial if it was not kept confidential.
As far as I can see, there have been a whole host of very worrying violations here, the consent forms should be totally separate, and locked, no need for them to be out, they identify the respondents, so high level of security needed questionnaires should be in secure place, not sure they need to be locked if they are anonymized.
My advice would be that they confess to be honest, cos they both need training in data protection. Also there seems to be no way of checking who is taking the data. The researchers are also at fault here, and should have addressed this earlier, preferably before the study.