Date: November 1, 2023
Preamble
The University of Saskatchewan is committed to protecting the research data including privacy and confidentiality of personal information. All research data collected is managed according to USask policies, The Local Authority Freedom of Information and Protection of Privacy Act (Saskatchewan), federal law, funding agency regulation and guidelines. See References & Resources for more information.
Audience
Study Participants, USask Investigators and Study Users.
Purpose
To set forth the standards and expectations for the privacy of data collected using REDCap.
Introduction
REDCap (Application) is a software tool made available by Information and Communication Technology (ICT) to the campus community in support of the USask’s research mission. The Application is hosted in a USask data center, managed by USask staff, and subject to Vanderbilt Terms of Use.
USask Investigators may use REDCap for data collection in pursuit of their research goals. The scope of this policy covers USask’s commitment to the protection of data related to the use and management of the Application; Study design, Study management, and Study data exported from the Application is outside the scope of this policy. As a trusted partner in research, ICT is committed to the highest professional standards and executes its responsibility as a service provider and data custodian with the utmost integrity.
Definitions
- We, us, our: Refers to USask/ICT
- You, your: Investigator, Study User, Participant
- Administrators: ICT staff responsible for providing the Service.
- Application: The licensed software and its respective components (intellectual property - logic, code, algorithms, and database schema), collectively known as REDCap, licensed to USask by Vanderbilt University.
- ICT: Information and Communication Technology is the administrative unit within USask responsible for the provision of information and communication technologies in support of the academic, research, and administrative functions of the university.
- Consent: An ethical commitment to ensure individuals who participate in research do so voluntarily, understanding the purpose of the research, and its risks and potential benefits, as fully as reasonably possible. Where a person has the capacity to understand this information, and the ability to act on it voluntarily, the decision to participate is generally seen as an expression of autonomy. See TCPS 2 for more information.
- Investigator(s)(principal or other): Individual(s)[1] responsible for leading the data collection and analysis for Studies. Investigators are accountable for all aspects of the study including data management at all stages.
- Logging: Logging means the system (server and/or application) will document certain activities (meta-data) and make available for review, support, troubleshooting, or analysis.
- NSID (Network Services ID): The credentials used to access information systems at USask.
- Participants: An individual whose data, biological materials, or responses to interventions, stimuli, or questions by a researcher are relevant to answering the research question(s) (Canadian Institutes of Health Research, Natural Sciences and Engineering Research Council of Canada, & Social Sciences and Humanities Research Council of Canada, 2022, p. 14). This includes individuals that respond to Studies.
- REB: The University of Saskatchewan Behavioral and Biomedical Research Ethics Boards (REB) are responsible for the review of research involving human participants, their data and biological materials as required by the Tri-Council Policy Statement on Ethical Conduct for Research Involving Humans1.
- Service: The collection of elements that bring value to Users comprised of the Application, servers, network, back-up, staff, and other supporting services such as identity management (NSIDs).
- Study: A investigation that involves the collection of data in aid of drawing scientific, theoretical, or administrative conclusions. Research involving human participants, their data, biological materials require REB approval. Research with administrative or quality improvement goals may not require REB approval and may be exempted from REB review by the appropriate REB. A Study is referred to a project in REDCap parlance.
- Study User: Individuals authorized to engage in the design and administration of REDCap Studies. This includes Investigators, and at their discretion, research team members accessing, building, editing, deleting data collection instruments.
Scope of this Policy
This Policy applies to data collected and retained within REDCap up until the point when data is deleted. This policy does not cover data extricated from REDCap (e.g., export, download).
Roles and Responsibilities
As the Service provider, ICT and its professional staff are responsible for configuration, operation, system security, and maintenance of the Application’s infrastructure (e.g., servers, operating systems, databases, software components, etc.), back-up and management of the database within which Study data is stored within the Application, and managing obligations related to the Applications’ license.
Study Users are responsible for managing User access to their Studies and Study data within the Application, as well as the data exported from REDCap.
Security
The security of data under ICT’s custodianship is important to us. We employ industry best practices through administrative, technical, and physical measures to protect systems and data under our care. This includes secure transmission, hosting, access controls, back-up, and other measures.
What Data is Collected
REDCap captures the following activity data based on role:
Study User:
- NSID (only when logged-in)
- Date and time stamp
- Application operations (administrative function such as adding/editing/deleting a Study (project[2]) field, record, use of the application programming interface (API), mobile apps (e.g., MyREDCap, MyApp), user management, setting or other administrative and non-administrative REDCap actions).
Participant:
There two classes of Participant data 1) data collected by Investigators via Study forms, and 2) data collected by the System.
1) Investigators determine the nature and manner of data collected within the forms, guided by research objectives (contact Investigator for more information).
2) The System collects data relating to Participant interactions with the System. This data is anonymous and contains no Participant identifiable (direct or indirect) data (e.g., meta-data such as Internet Protocol (IP) addresses).
How Data is Used
ICT uses Study User data to administer and operate the Application, including troubleshooting and support.
- Study User: ICT uses NSIDs to provision access to Application and to provide User support including troubleshooting and guidance.
- Participant: Investigators use Participant data for the Study’s stated purpose. Contact the Study Investigator for more information. Contact REB if you have any questions on the ethical use or sharing of the Participant data.
Basis of the Processing
Where public participation is involved, collecting and processing Participant data is necessary for the conduct of research in service of the public
How Data is Disclosed
Except as described in this Privacy Policy, ICT does not sell, rent, lease, give away, disclose, or share Study data, and will not disclose Study data unless required to do so by law, in consultation with USask’s Privacy Officer, Research Ethics Board, and other stakeholders as require.
Who Has Access to Study Data
- ICT Administrators have access to all aspects of the Study, including Study However, Study data is not accessed unless requested to do so by the Investigator or Study User for the purposes of support, troubleshooting, or Study design guidance.
- Investigators have access to all study responses, and where configured, identifying information.
- Study Users granted access by the Investigator may have limited or full access to all Study Participant data.
- Additionally, REDCap usernames (NSID) are visible to other Users assigned to the
How Long is Data Kept
- Study User: User login data related to a Study is removed from the Application when the Study is deleted. Logging data is retained indefinitely.
- Participant: Study data is not removed from the Application unless Retention of Participant data within the Application is determined by Study Investigator(s). Once Investigators delete a record(s) or Study data, data becomes irrecoverable after the back-up period has expired. Otherwise, Study data is not removed from the Application. Please note, generally, data retention is determined by Study needs, Responsible Conduct of Research Policy, and regulatory requirements and Investigators are required to make data retention compliance arrangements outside the Application.
Your Rights and Choices
Subject to applicable law and ethical standards, Participants have certain rights regarding the data collected. Contact Study Investigators for more information. Contact REB if you have any questions on the use of Participant data.
Our Breach Notification Process
ICT will work with the Privacy Office, Legal Office, and REB to inform Investigators in the case of a breach related to the Application. Investigators are obligated to inform Participants as appropriate.
Changes to Our Privacy Policy
Changes to this privacy policy may be required from time to time. All changes will be posted on this page with a revision date. In the event of changes that materially alter your rights, ICT will undertake reasonable efforts to notify you.
References & Resources
[1] TCPS2 2022
[2] REDCap refers to Studies as “projects”.