Sensitive and/or Identifiable Human Subjects Research Data
Research that obtains individually identifiable private information* about living individuals through intervention or interaction with the individuals and uses, studies, or analyzes the information; or obtains, uses, studies, analyzes, or generates identifiable private information (known as human subject research) requires protections against unauthorized access.
* Identifiable private information includes medical records, education records, and any other information that an individual believes is private.
IRB Review Process
The UCSC IRB reviews research involving human subjects to ensure (1) there are adequate protections for the study participants; and (2) the research is compliant with UCSC standard operating procedures and applicable regulations and guidance (federal, state, etc). In some instances, the UCSC IRB will allow an external IRB to review research conducted at UCSC. During the review, the IRB is required to determine whether the study participants’ privacy and confidentiality are protected. The IRB will review the protocol to see if this requirement is met, so the protocol must clearly describe how the research will protect data about the participant from unauthorized access or disclosure. The level of protection required depends upon the sensitivity of the information being accessed or created during the research.
In many instances, the IRB will determine that the risk of inadvertent access or disclosure can be minimized if the data can be accessed, collected or created in an anonymous, coded or de-identified format.
- Anonymous: The data collected does not include any identifying information such that there is no way to identify an individual subject.
- Coded: The data collected are stripped of all identifying information (names, dates relating to the individual, account numbers, phone numbers, email addresses, etc.) and labeled with a code. The code can be linked to the individual’s identity, but the key linking the code to identifying information is held separate from the research data
- De-identified: The data collected are stripped of all identifying information (names, dates relating to the individual, account numbers, phone numbers, email addresses, etc.) such that there is no way to re-identify an individual subject.
- HIPAA De-identified: Under HIPAA, protected health information (PHI) data can be de-identified by removing all 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members; these 18 elements are described in the Privacy Rule, or by use of statistical methods to establish de-identification.
- HIPAA Limited Data Set: A limited data set is protected health information (PHI) data that excludes certain, listed direct identifiers (see Privacy Rule) but that may include city; state; ZIP Code; elements of date; and other numbers, characteristics, or codes not listed as direct identifiers, that is released by a disclosing “covered entity” once the entity and the recipient of a limited data set enter into a data use agreement that establishes the ways in which the information in the limited data set may be used and how it will be protected.
If the research cannot be conducted unless the data accessed, collected or created are identifiable, the IRB will look at the sensitivity of the data and whether the information is confidential or private.
- Sensitive information includes information about health, grades, mental status, sexual preferences, substance abuse, personal finances, etc. For example, the National Institutes of Health (NIH) defines “sensitive information” as information relating to:
- Illegal behaviors
- Drug or alcohol abuse
- Sexual behavior
- Mental health or other sensitive health or genetic information
- Confidential information is secret, meaning there are laws or agreements that prohibit the information from use and/or disclosure without meeting specific requirements such as consent from the individual. See Laws/Regulations/Policies below.
Private information is information that an individual does not believe would be made public such as emails, texts, other correspondence, or their location (GPS coordinates) at specific times.
If the identifiable data accessed, collected or created includes information that is sensitive, confidential or private, then the IRB will require the data to be maintained in a secure manner and will require protections such as data encryption, use of authentication mechanisms such as user names and passwords, audit trails, staff training, etc. The IRB/ORCA works with the UCSC Information Security Office and Privacy Officer to determine whether security measures are adequate. For more information about data security you can:
- Review the information found on the ITS How to Stay Secure and IT Policies and Guidelines sites.
- Contact your ITS Divisional Liaison
- Contact someone from information security via email (help@ucsc.edu) or submit a SlugHub ticket
Laws/Regulations/Policies
Health Human Services Human Subjects website
Federal Policy for the Protection of Human Subjects or Common Rule
Health Information and Portability Act (HIPAA) Privacy Rule and Security Rule
Family Educational Rights and Privacy Act (FERPA)
Protection of Pupil Rights Amendment
FDA Regulations for Information Consent and Protections for Children
Additional Resources
UCSC IRB Procedures and Policies
UCSC Human Research Protection Program
Protection Level
- IT Policies
- Data and IT Resource Classification
- Protection Levels for UC Institutional Information
- Security Web Site
- Availability Levels for UC Institutional Information
- IT Policy Glossary
- IS-3: Information Security Policy
- IS-12: IT Recovery Policy
Need Help?
Call: (831) 459-HELP (9-4357)
Email: help@ucsc.edu
