Storage of personal data in REDCap (Research Electronic Data Capture)
All personal data are stored using REDCap (see below)
Only the participant’s email address is entered onto the websites (hosted by wix.com) directly. No other personal data are stored on our websites.
Electronic data via REDCap (Research Electronic Data Capture) https://redcap.cir.ed.ac.uk/
All data collection instruments (including the ‘Sign up form’, online tasks, and participant surveys) of the TASK trial are created using REDCap (Research Electronic Data Capture). REDCap is run by the Surgical and Perioperative Health Research (SPHeRe), University of Edinburgh under licence from Vanderbilt University. REDCap was developed specifically around HIPAA-Security guidelines. It is hosted within the University of Edinburgh Virtual Machine architecture which is physically secured (for technical information see (http://www.ed.ac.uk/information-services/computing/computing-infrastructure/virtual-hosting/technical). Linux web servers running apache2/php5 host the application. Web browser communication to the server is SSL-encrypted by default. All other ports are firewall protected. Data is stored in MySQL databases on a separate server. This server is behind a firewall and can only be accessed from the IP address of the web server. An SSL tunnel encrypts communication between the web and databases servers. File upload is secured between servers using the WebDAV protocol with SSL. "At rest" encryption is in place on the database server. Daily back-ups are made of both servers and stored for two weeks prior to being deleted. Operating security updates are installed automatically. Antivirus software runs to a scheduled protocol on the web server. User passwords are managed directly. Accounts are disabled after 5 failed login attempts. Users are auto logged out after 30 mins of no activity. Users are forced to change password after 42 days. Password strength: AT LEAST 9 CHARACTERS IN LENGTH and must consist of AT LEAST one lower-case letter, one upper-case letter, and one number. Daily audit tracking of users is in place with removal of unused user accounts.
Audit trails are kept automatically to monitor any activity or alterations made to the data and any of the data collection instruments.
Physical records of participant data
All physical records are kept in a locked cabinet in a ‘keypad’-locked office within the Centre for Clinical Brain Sciences (CCBS) which itself has restricted access to pass holders only. The CCBS is a secure and alarmed building. Paper files are stored for 12 months after the end of the study and will then be destroyed confidentially.
Office best practice: Local policies are operated i.e. nightly clear desk, clear screen, locking of computer, password protection on screen savers, locking of file cabinets.
Audio-recorded data and transcripts
Audio-recording of telephone session using a digital recorder takes place within the CCBS. The digital recorder is stored in a locked cabinet in a ‘keypad’ locked office within the CCBS.
Audio-recording is sent electronically to an external transcription service without any personal identifiable information. Transcription data will be held no longer than necessary; when the system has completed its purpose all confidential personal information will be permanently destroyed/erased together with all hard or soft copies of the same. Any storage media will be destroyed using contracted University of Edinburgh service. Only anonymised datasets will be archived indefinitely due to their long-term research value.
Anonymised dataset will be retained/stored in perpetuity in the University of Edinburgh Data Safe Haven (The University is developing a Safe Haven which will be active in July 2017).
Text messages via TASK team mobile phone
Only unique identifier (record ID) is stored with the participant’s telephone number in the ‘Contacts’ of the TASK team mobile phone. When communicating via text messages no additional personal details other than the participant’s name are used. All text messages are erased weekly. At the end of the trial the TASK team mobile will be wiped using factory reset and sim card will be physically destroyed
Wearable device-GENEActiv Original
GENEActiv Original device does not carry any personal identifiable information. We record the serial number of each device given to participant to wear during the study. Any data recorded on the device will be lost in the event of the device being lost or stolen. The serial number can only be linked to the participant’s identity in our RedCap database.
Data recorded on the device is downloaded and analysed at the Usher Institute at University of Edinburgh
Website analytics (Wix & Googleanalytics) collect aggregate anonymised data
Our TASK websites are built and hosted by wix.com—a commercial cloud-based web development platform for website building. Like most website operators, Wix websites collect non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. The purpose in collecting non-personally identifying information is to better understand how visitors use the website. From time to time our TASK websites may release non-personally-identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its website as an aggregated statistic to the website host—wix.com and Googleanalytics.
Security of Wix websites
We developed all of our TASK websites using Wix.com a leading cloud-based development platform.
All three domains of our websites are purchased from Wix.com and connected to the Wix servers. All three domains have private registration in the WHOIS database.
Hyper Text Transfer Protocol Secure (HTTPS)
All of the TASK websites have been enabled for HTTPS. HTTPS is the secure protocol through which browser communicates with sites.
Any data transferred using HTTPS sites is encrypted and authenticated and therefore secured.
All of the TASK websites have a Secure Sockets Layer or SSL certificate. This allows our site visitors to view our sites over an HTTPS connection. It secures the connection between site visitor’s browser and the sites.
During our website development, Wix.com only allowed HTTPS-compatible HTML elements. All links embedded in our websites are HTTPS compatible. Only HTTPS compatible links are embedded in our websites .
Using email as login to the TASK treatment websites: We ask participants to provide only their email address in order to be used as a login for our treatment websites. Our research team can provide an alternative email login if participants do not wish to use their own.
All treatment websites are password-protected.
Wix's login services are completed through a secure server. Additionally, Wix uses cryptography hash functions to protect user’s and visitors information. Password is stored as a hash digest and, in the event of a security breach, the original password cannot be recovered from Wix’s servers.