IRB Approval for Sharing Sensitive Data
Common concerns about sharing human subject research data include:
The release of information that may identify an individual research participant or organization. Examples of disclosive information include:
- Direct identifiers or Personally Identifiable Information (PII), such as name, address, social security number, or phone number.
- Indirect identifiers, such as zip code, birthdate, education, or race/ethnicity, which could be used in combination to uniquely identify an individual.
- Information in a dataset that can be linked with outside information, from sources such as social media, administrative data, or other public datasets, that results in identification of an individual.
An individual's control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others. In a research context, the concerns are primarily about the methods used to obtain information about subjects.
The treatment of information disclosed in a relationship of trust with the expectation that it will not be divulged without permission.
Restrictions that apply to some types of sensitive data. Examples include:
- Family Education Rights and Privacy Act (FERPA) protected educational records data, such as grades
- Health Insurance Portability and Accountability Act (HIPAA) protected medical or healthcare data
Any information that may cause harm, legal jeopardy, or reputational damage to the subject if disclosed. This data may or may not be legally protected. Examples include:
- Criminal or illegal behaviors, such as drug use
- Mental health information
- Sexual behaviors
- Information about minors or other vulnerable populations
Visit the Office of Research Compliance's Human Research Protection Program site for information on research that involves human subjects. To determine whether an IRB application is required for your project, complete the tutorial "Does my project require IRB Approval?" or contact the HRPP at email@example.com or (662) 325-3994.
For projects that require IRB approval, the informed consent should maintain participant confidentiality without overly restricting future use of the data. Overly restrictive language will make future sharing or archiving of the data more difficult or impossible later.
If your data contains legally protected or sensitive data, or if the removal of identifiers limit the usefulness of your data, consider sharing through archives with restricted access repositories, such as the Inter-University Consortium for Political and Social Research (ICPSR).
In addition to the content of the data, the agreement made with participants in your IRB can also limit the extent to which human subjects' data can be shared.
More Guidance on Sharing Human Subject Research Data
- Our institutional procedures which govern research at MSU. Two specific policies pertaining to data management are our SOPs on Data and Safety Monitoring Plans and Research Data Security.
- The Federal Code of Regulations (45 CFR 46) the following sections apply to privacy and confidentiality: 101(b)(3)(i), 111(a)(7), 116(a)(5), and 117(c)(1).
- The Office of Human Research Protections provides guidance on Coded Private Information or Biological Specimens: Issues to Consider in Research Use of Stored Data or Tissues, Operation of Biological Repositories and Coded Private Information or Biological Specimens: OHRP Guidance on Research.