Data Management & Security

Active Projects

A human subjects research project is considered "active" from the time IRB approval is issued until the time personal identifiers linked to the research data no longer exist and the project is closed. Records for active IRB-approved research projects must be stored in some form (paper and/or digital) in secure locations on campus. For research performed off-campus, the data should be secured and returned to campus as soon after collection as is practical. Particular care should be taken to protect data on laptop computers, external hard drives and other portable devices. Study information containing personal identifiers stored on these devices should be encrypted to prevent unintentional breaches of confidentiality in the event the storage device is lost or stolen. Similarly, paper records identifying research participants, including consent forms, should be kept in a secure location with access restricted to key study personnel.


Basic Levels of Storage

The level of protection for the data should be commensurate with the sensitivity of the data.

  • Paper Records

    Paper files related to human subjects' participation in research must be securely stored on campus. Access to files should be restricted to key personnel and supervised by the principal investigator(s) of the study. Locked file cabinets ought to be used and preferably located in secured locations (i.e., locked office or laboratory). In the event that research activities are not carried out on campus AND it is necessary to maintain the consent forms at the research site, copies of the signed consent form should also be stored in a secure University location (either as a paper copy or in digital form).

    Signed informed consents must not be used as the identifying link to the research data and must NOT contain participant ID numbers or be filed with other research data files.

  • Digital Records

    Digital files containing human subjects data must be stored in password-protected files, preferably on University-maintained servers (e.g., REDCap, OneDrive) with regular and secured backup. Sensitive data should also be encrypted, stored, and securely erased when appropriate.

    Tapes and other media-supporting devices used for audio and/or video recordings should be stored in the same secure manner as paper records and erased as soon as information has been transcribed or coded and is no longer needed for research.

Closure and Retention

Approved human subject research projects should be closed at the time all data have been collected and identifying information is no longer needed. De-identified data for which no identifying key exists can be kept for further analysis and do not require continuing review and approval by an IRB.

A project closure report should be submitted to the IRB once data are no longer identifiable.

Compliance with 45 CFR 46.115(b) requires that all records relating to IRB-approved research be retained for three years after the closure of the project.

Records to be maintained include: copies of all research proposals reviewed, scientific evaluations (if any), consent documents, progress reports, reports of injuries to subjects and other unanticipated problems. Electronic copies of correspondence between the IRB and the investigator(s) are preserved and stored in the IRBNet system, and any other electronic records of a research project, in hard copy, electronic or other media form, must be preserved and accessible for audit purposes. Records for the completed project should be stored in secure locations on campus with the same care used when the project was active.

If a researcher (faculty, staff or student) leaves DU, a copy of the research records must remain on campus. Students should coordinate the storage of research records with their faculty sponsor and/or department/college. In the event that the faculty sponsor or department/college is unable to retain the records, they should be sent for secure storage in the University Archives. Records sent to archives will be recalled only in the event of an audit requirement and will be destroyed at the end of the three-year retention period.

Destruction of Records

Destruction of human subjects research records should be performed in a fashion that protects the confidentiality of the research subjects. It is recommended that paper records be shredded, that physical tapes (audio and video) be erased and physically destroyed, and that electronic media used to store data be scrubbed after the fields are deleted.

Researchers may retain de-identified data for future analysis in the context of the project for which the data were collected. Data are considered to be completely de-identified when ALL links between individual identity and the data are destroyed. Research data are not considered de-identified simply because names have been removed if they still contain information that might identify the participants such as date of birth, address, etc.

Contact Us

For further guidance, please contact the Office of Research Integrity & Education at 303-871-2121 or through