
As with all security there are trade-offs to be made.

Dedoose appears to have fairly robust security based on Eli's description. I would be inclined to agree that the system described is likely to provide greater data security than what most research teams are likely to implement if left to do their own thing or left to depend on their institution's IT services.

A lot of data that is stored locally now moves around on mobile devices and storage in a way it didn't a few years ago. A recent study in the US suggested that over a three-year life expectancy 7% of laptops would be lost or stolen. Very few are recovered. Any confidential information stored on a laptop, smartphone, USB drive or any type of portable media or device needs to be encrypted. Ideally encryption is implemented that allows for backup and key recovery, which generally involves some type of centrally managed solution. However, many institutions and users are way behind the curve on security issues in general, never mind implementation of encryption. And then there's data that has to move between locations or be shared between collaborators at different locations. There often aren't secure, readily available, and easy ways of doing this.

I serve on an IRB and we frequently require encryption of identifiable data. Sometimes this is required by contract, or US Federal or State regulation, so the IRB doesn't have much discretion. But if the data is sensitive, we'd require encryption regardless and might impose other restrictions as well (e.g. no network connectivity, must remain in a locked office, etc.). This type of data is never going to make it into the cloud without a very robust security model, including user control over the encryption keys. That said, a lot of social science data falls into the no greater than "minimal risk" category. My guess is that most IRBs have no problem with existing online data collection tools like Survey Monkey for minimal risk research providing it is set up properly (uses https, etc.), so I'm not sure online data analysis tools raise new issues. And a lot of social science research probably meets a requirement for exemption from IRB review in any case.

One other thought: a provider of a cloud service hosting research data may have good reason for not holding the encryption keys. Say someone uploads data from a sociological study of some activity that gets dragged into a legal case. This happens occasionally and it's not always obvious in advance. What are you going to do if you are issued a subpoena? This isn't going to happen every day but if you host enough studies for long enough there's probably a chance it will happen eventually. Better for you as the cloud service provider if you can say: "Sorry, we store the data but it's encrypted and we don't have access to the keys." 

Alan.