Introduction
This article is intended for researchers conducting human subjects research who are required to submit a Data Access and Security Plan as part of their Institutional Review Board (IRB) approval process.
Why does the study need a Data Access and Security Plan?
A Data Access and Security Plan is necessary when the IRB Office classifies the study’s data as Highly Sensitive (Red) or Ultra Sensitive (Purple). This data classification is based on the potential risks associated with unauthorized disclosure or loss of the data. Below are the scenarios where such a plan is necessary:
- The IRB office identified the data as highly sensitive or “Red” due to its content.
Highly sensitive data includes data where unauthorized disclosure or loss poses a high risk or impact to the university or its affiliates. Examples include driver’s license, mother’s maiden name, passport, and immigration number, and admitted unlawful behavior that is not considered purple. Other examples of qualitative data that should be treated as “red” data include information that could lead to persecution, harassment or retaliation; information that may or likely will irreparably harm relationships; information that will likely lead to stigmatization where physical or psychological harm may occur as a result of both primary and third-party participants; or any data where unauthorized disclosure or loss poses a high risk or impact to all human subjects. A Data Access and Security Plan must be submitted to the IRB for review and approval.
- The IRB office identified the data as ultra sensitive or “Purple” due to its content.
Ultra-sensitive data includes data where unauthorized disclosure or loss poses the highest risk or impact to the human subjects, university, or its affiliates, or where specific data categories require special privileged access management. Examples include social security numbers, passwords, encryption keys, and biometrics (such as fingerprints and iris scans), and admitted behavior that could be considered a felony. Other examples of qualitative data that should be treated as “purple” data include data that will likely lead to arrest, detention, incarceration, deportation, physical injury, or death of both primary and third-party participants. Additional access and handling requirements apply to ultra-sensitive data because it may be impossible to repair damage caused by its unauthorized disclosure. A Data Access and Security Plan must be submitted to the IRB for review and approval.
- The data associated with this project is classified as “Red” or “Purple” due to state, federal, or international laws.
- The data associated with the project is contractually obligated to be treated as “Red” or “Purple” through agreements.
These agreements include a Data Use Agreement (DUA), Memorandum of Agreement (MOA), or Sub Award. A Sub Award is a portion of a grant or contract provided to a secondary organization (sub-recipient) by the primary award recipient. This arrangement ensures that the secondary organization complies with the same data security standards stipulated in the primary agreement.