The standard content used in approved IRBs can be found below. Feel free to copy and edit as you see fit for your project.
Labfront strives to meet the highest standards for data security, and ensure that your data collection and storage is set up to comply with all relevant laws, regulations, and best practices such as ICH-GCP, HIPAA, PIPEDA, GDPR, ISO 27001, and ISO 9001. Please read the Labfront security statement document, which clarifies which measures have been taken in the design and production of Labfront - in relation to data collection, storage, backup, security, and regulations that must be complied with when handling sensitive health-related data.
How personal accounts (for both researcher and participants) are set up
Researcher accounts have the ability to create and launch projects. In each project, the researcher has the ability to ‘create’ anonymized participant accounts that are tied to that particular project. Participants receive a personalized code from researchers, that enables them to anonymously log into the Labfront App without having to enter any personally-identifying information. This ensures that all participant data on Labfront remains anonymized.
How the data will be uploaded from the devices
Participant wearable devices directly connect to the Labfront Smartphone App (iOS and Android) via a Bluetooth connection. Data is then securely transmitted to the encrypted Labfront cloud through an internet connection. Data travelling between Labfront users and the system is encrypted with the use of the Secure Socket Layer (SSL) and Transport Layer Security (TLS) technologies. This keeps data secure while in transit and ensures it can only be interpreted by the intended parties.
Who will be managing the data and who has constant access to the data
Assurances for data privacy, security, and backup
All participant data is anonymized before entering the Labfront system. Labfront does not save the participants’ personal details. Instead, it creates unique anonymized identification codes for participants, which can be defined by the researcher. The lead researcher will keep a password-protected record of the participant IDs linked to their personal data on a secure computer. After the research is closed, the lead researcher will destroy this record.
For long-term storage of data, Labfront uses Amazon Web Services S3 Glacier, a secure and durable cloud storage service for data archiving and long-term backup. It is designed to deliver 99.999999999% durability and provides comprehensive security and compliance capabilities that can help meet even the most stringent regulatory requirements.
What kind of control do the participants have over the data and whether they have the right to withdraw their data?
Labfront believes that an individual’s personal health data is just that - personal. Participants should have control over their own data and what they do with it. Labfront does not collect any data without first having both the participant’s and the researcher’s consent, enforced through a real-time two-way consent mechanism. If at any time a participant decides they no longer want to be part of the research, they have the right to withdraw. In this case, a participant will contact the researcher, and upon request from the researcher, Labfront will delete all the participant's data from their records.
Labfront also offers study participants the opportunity to download a copy of their collected data.
Future use of study data:
The research data will be deleted from the researchers’ possession 3 years after study completion, following the write-up of the results. GCP prescribes that all medical data are stored for at least two years unless a longer period is required because of local regulations.
For relevant studies, Labfront is also compliant with the NIH Data Management and Sharing (DMS) Policy, effective January 25, 2023.
Labfront has completed the HECVAT (The Higher Education Community Vendor Assessment Tool ) form that many institutions request. Please contact us at firstname.lastname@example.org if you require this documentation.