Institutional Review Board (IRB) Committee Requirements for Cybersecurity & Privacy Research Proposal Review

Purpose Statement:

The CyberMinds Research (IRB) committee aims to protect human participants in research projects that involve cybersecurity and privacy. Questions related to the security or allowable use of software for collecting, transmitting, and storing research data can be directed to the Cyberminds Research Institute IRB Committee at irb@cybermindsinstitute.org.

  • Composition:

    • The committee shall consist of multidisciplinary members with expertise in cybersecurity, privacy, research ethics, and relevant academic disciplines.

    • At least one member shall have expertise specifically in cybersecurity and another in privacy.

  • Responsibilities:

    • Review research proposals involving data collection, use, or analysis that may impact cybersecurity or privacy.

    • Ensure researchers adhere to applicable laws, regulations, and ethical data protection and privacy guidelines.

    • Evaluate the potential risks to participants' cybersecurity and privacy and recommend mitigation strategies.

  • Submission Requirements:

    • Researchers must submit a detailed research protocol, including a description of data collection methods, data handling procedures, and data security measures.

    • Researchers must provide a data management plan outlining how participant data will be protected throughout the research process.

  • Risk Assessment:

    • Conduct a thorough risk assessment of proposed research projects to identify potential cybersecurity and privacy risks to participants' data.

    • Evaluate the likelihood and potential impact of data breaches, unauthorized access, or other security incidents.

  • Informed Consent:

    • We will ensure that researchers obtain informed consent from all participants, clearly outlining the nature of the research, potential risks to cybersecurity and privacy, and participants' rights.

    • We require researchers to inform participants about data security measures and their rights regarding the use and dissemination of their data.

  • Data Protection Measures:

    • Researchers must implement appropriate data protection measures, such as encryption, anonymization, and access controls, to safeguard participants' data.

    • Evaluate the adequacy of proposed data security measures in mitigating cybersecurity and privacy risks.

  • Monitoring and Compliance:

    • Monitor ongoing research projects to ensure compliance with approved protocols and ethical guidelines.

    • Establish procedures for reporting and addressing any breaches of cybersecurity or privacy to the IRB committee and relevant authorities.

  • Training and Education:

    • Provide researchers with training and resources on cybersecurity and privacy best practices, including data security protocols and ethical considerations.

    • Require researchers to demonstrate proficiency in safeguarding participant data before approval of their research proposals.

  • Documentation and Reporting:

    • Maintain thorough documentation of the IRB committee's review process, including meeting minutes, correspondence with researchers, and decisions regarding research proposals.

    • Require researchers to submit regular progress reports and notify the IRB committee of changes to their research protocols or data handling procedures.

    Federal regulations for human subject research require Institutional Review Boards (IRBs) to determine that adequate provisions to protect the privacy of subjects and the confidentiality of data are in place and that researchers include sufficient provisions for monitoring the data collected to ensure the safety of subjects in their research plan. This page will help investigators plan for collecting, transmitting, and storing research data securely in a manner consistent with Cyberminds Research Institute policies and federal regulations. As a result, periodic updates will be made to this page. Researchers are encouraged to reference this page as information is often updated to reflect new technology and security parameters.

    The Principal Investigator is responsible for all aspects of research, including the collection, transmission, storage, backup, and security of data, and for ensuring that those listed as crucial personnel are informed and trained on the procedures related to data security. Research team meetings should include documentation of training and discussion about the safeguards to protect research data. This is particularly important should a breach occur or a device that stores identifiable data be lost or stolen.

    These occurrences must be immediately communicated to the IRB Committee. To assist researchers with documenting these procedures and for the IRB to review and make appropriate determinations, the Data Security Assessment Form.docx must be completed and submitted to the IRB whenever any human subjects research includes the access, use, collection, transfer, or storage of individual-level human data. Any changes regarding the use of technology in research must be submitted to the IRB (via an amendment to an approved protocol) for approval before implementation of the changes.

    HHS Definition of Research (Common Rule) (45 CFR 46.102(l)): “A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” In general, activities that contribute to generalizable knowledge are those that attempt to make comparisons or draw conclusions based on the data, seek underlying principles that have predictive value and can be applied to other circumstances, and identify general explanations or themes that a reader can extrapolate to another situation.
    Although publication is often viewed as evidence of research status, it is not the only criterion. In fact, “systematic investigations” usually result in published information, yet they do not qualify as research because they were not designed to contribute to generalizable knowledge.

    HHS Definition of a Human Subject (Common Rule) (45 CFR 46.102(e)): Human subject – A living individual about whom an investigator (whether professional or student) conducting research: (1) Obtains information or biospecimens through intervention or interaction with the individual, and uses, studies, or analyzes the information or biospecimens; or (2) Obtains, uses, studies, analyzes, or generates identifiable private information or biospecimens. Intervention includes physical procedures by which data are gathered (e.g., venipuncture) and manipulations of the subject or the subject’s environment performed for research purposes. Interaction includes communication or interpersonal contact between the investigator and the subject. Private information includes information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, as well as information that has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (e.g., a medical record). Identifiable information means that the subject’s identity is or may be readily ascertained (directly or indirectly) by the investigator (or others) or associated with the information.
