Accessibility disclaimer: To obtain information contained in document files on this page in an accessible format please contact the IU Human Subjects Office at (317) 274-8289 or via email at firstname.lastname@example.org
HRPP Policy - Research data management
About This Policy
- Effective date:
- Last updated:
- Policy Contact:
IU Human Subjects Office
This policy applies to the conduct of human subjects research under the jurisdiction of the IU Human Research Protection Program (HRPP). This includes research under the oversight of the IU IRBs and research for which IU or its affiliates are relying on an external IRB for oversight.Back to top
The Principal Investigator (PI) has primary responsibility for the collection, management, custody, retention, and destruction of research data and must adopt an orderly system of record keeping which:
- Is followed by all members of the research team
- Enables the reconstruction of the entire study process, including retention of source documents
- Enables verification of the accuracy of all data with sufficient clarity, completeness, and organization that an external reviewer could readily determine that the IRB- approved protocol was followed, institutional policies were followed, data are true and accurate, and regulatory requirements have been met
- Ensures conduct of research without fabrication, falsification, or plagiarism
Research data include, but are not limited to, the following, as applicable:
- Grant application
- Documents related to budget and funding
- Financial disclosure and conflict of interest information
- Correspondence with regulatory agencies and sponsor and/or funding agencies
- Correspondence with review committees (e.g., IRB, Institutional Animal Care and Use Committee, Research & Development Committee) including documents approved by the review committees
- Research protocol and all amended versions of the protocol
- Lists of all subjects entered in the study and codes and keys used to de-identify and re-identify subjects
- Signed and dated informed consent forms and HIPAA authorization forms from each subject
- Data collection or case report forms and all source and supporting data
- Documentation on each subject including informed consent process, interactions with subjects by telephone or in person, observations, interventions, and other data relevant to the research study
- Data collected during the research including photos, video recordings, and voice recording, all derivative data, and derivative databases
- Subject compensation records
- Reports of adverse events, complaints, and protocol deviations
- Records related to the investigational agents such as drug or device accountability records
- Monitoring and audit reports such as Data Safety Monitoring Board Reports and audits by oversight entities
- Data analyses
- Reports (including, but not limited to, abstracts and other publications)
All data must be retrievable and identifiable. Audit trails, if required, must identify who made any changes, when, and why they were made.
Specific obligations with respect to research data ownership, creation, distribution, and retention may be defined by contract or agreement, and apply to the research covered by the contract or agreement.
When research data is generated pursuant to a contract or agreement (e.g., clinical trial agreement with sponsor), ownership of the data is defined by the contract or agreement. The details of the contract should define all policies, procedures, and issues related to ownership and will be the determining document for resolution of disputes.
Research data which is not generated pursuant to a contract or agreement that explicitly details ownership is the property of IU.
If research is completed by individuals who are employees of, or conduct work at, both a federal or state government agency (e.g., Roudebush VAMC) and IU, ownership is generally shared between IU and the government agency. Research personnel should seek guidance from administrative officials at both institutions.
All records produced or collected in connection with a research project, including primary (e.g., laboratory, medical, interview), financial, statistical, supporting, administrative, and regulatory documentation, shall be retained for a minimum of three (3) years from the date of submission of the final expenditure report to the funding agency or the date of study closure with the IRB, whichever is longer.
Records may need to be retained beyond this date, specifically:
- For studies subject to HIPAA, signed HIPAA authorization forms must be retained for a minimum of six (6) years from the date it was obtained.
- For studies conducted under an IND, records must be retained for two (2) years after approval of a marketing application for the drug for the indication for which it is being investigated or, if no application is to be filed or if the application is not approved for such indication, until 2 years after the investigation is discontinued and FDA is notified.
- For studies conducted under an IDE or HDE, records must be retained during the investigation and for a period of two (2) years after the latest of either: the date on which the investigation is terminated or completed, or the date that the records are no longer required for purposes of supporting a premarket approval application, a notice of completion of a product development protocol, a humanitarian device exemption application, a premarket notification submission, or a request for De Novo classification.
- For research subject to VA regulations, records must be retained for six (6) years following the federal fiscal year end (September 30th) after the study has closed by the VA.
- If the research involves intellectual property, data must be kept for as long as may be necessary to protect any intellectual property claims resulting from the work.
- If any charges regarding the research arise, such as allegations of misconduct in research or financial conflict of interest, data must be retained until such charges are fully resolved.
- If the research is being conducted by a student, data must be retained at least until the degree is awarded, or it is clear that the student has abandoned the work.
- If the research is conducted pursuant to a contract or agreement, data must be retained in accordance with the contract or agreement.
After the specified period of time has elapsed, research personnel may dispose of the documentation relating to a research study in an appropriate manner, including encrypting, shredding, incinerating, mutilating, erasing, and otherwise rendering the information illegible or unusable. Source documentation must be retained in its original form until this time.
Studies conducted under the regulation of the FDA (IND, IDE studies) must maintain full audit trails. All original entries made in source documents, case report forms, spreadsheets, or databases and all subsequent modifications must be maintained.
Studies subject' to FDA regulation must also comply with 21 CFR 11: Electronic Records; Electronic Signatures.
When recording source data and/or transcribing source documents to case report or data collection forms, the following procedures should be followed:
- For paper documents, record all observations/data in ink.
- Correct errors by striking through the error, dating and initialing it, and making the correction. Ensure the original entry is not obliterated. If necessary, note an explanation for the correction. Note that in FDA-regulated studies involving electronic data, a similar audit trail must be created to track data corrections(See 21 CFR 11: Electronic Records; Electronic Signatures)
- Complete all fields on the forms according to sponsor or other predetermined specifications.
IU faculty, staff, and students may not disclose social security numbers (SSNs) outside IU except in limited circumstances outlined in IC 4-1-10.
Public access requests seeking documents containing information concerning research must be forwarded to the IU Office of Vice President and General Counsel for further review and analysis, including a determination as to whether the records requested are or are not publicly available.
Certificates of Confidentiality
Certificates of confidentiality protect human subjects by prohibiting disclosure of identifiable sensitive research information. Certificates of confidentiality are automatically applied to NIH-funded research and may be requested for research not funded by the NIH. When a certificate applies, the researcher shall not:
- Disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
- Disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.
If disclosure of research data protected by a certificate is requested, research personnel should immediately consult the IU HRPP.
When VA conducts a study that is protected by a Certificate of Confidentiality, the following health record documentation provisions apply:
- For studies that do not involve medical intervention, no annotation may be made in the health record.
- For studies that involve a medical intervention, a progress note entry should indicate that an individual has been enrolled in a research study, any details that would affect the subject's clinical care, and the name and contact information for the investigator conducting the study. Subjects informed consent forms and HIPAA authorization documents are not to be included in the health record.
NIH Data Sharing Policies
Effective October 1, 2003, NIH requires a written plan to share data with the public and general research community for certain grants.
Effective January 25, 2015, NIH-funded research must comply with the NIH Genomic Data Sharing Policy. Upon request, the IRB reviews the research and assures to the Institutional Signing Official that all of the following are true:
- The data submission is consistent, as appropriate, with applicable national, tribal, and state laws and regulations as well as relevant institutional policies.
- Any limitations on the research use of the data, as expressed in the informed consent documents, are delineated.
- The identities of research participants will not be disclosed to NIH-designated data repositories.
- An IRB has reviewed the investigator's proposal for data submission and assures that:
- The protocol for the collection of genomic and phenotypic data is consistent with 45 CFR Part 46;
- Data submission and subsequent data sharing for research purposes are consistent with the informed consent of study participants from whom the data were obtained;
- Consideration was given to risks to individual participants and their families associated with data submitted to NIH-designated data repositories and subsequent sharing;
- To the extent relevant and possible, consideration was given to risks to groups or populations associated with submitting data to NIH-designated data repositories and subsequent sharing; and
- The investigator's plan for de-identifying datasets is consistent with the standards outlined in the NIH Genomic Data Sharing Policy.
If all of the above are true, the Institutional Signing Official will provide a signed Institutional Certification.
Departing research personnel may take only copies of the data. The original source data must remain with the owner as above unless a specific request is granted by the institution or IU department or school.
Responsibility for compliance with this policy may be transferred to another appropriate person willing to accept responsibility. If the study will remain open with the IRB, transfer must be made via amendment that identifies the researcher who has agreed to become the new PI. Upon approval by the IRB, the new PI will become responsible for all future data management issues pertaining to the study.
If the study will close with the IRB, the PI may withdraw from responsibility with this policy.
- The departing PI is responsible for notifying his/her institution, department, or division who has agreed to accept this responsibility.
- The institution, department, or division then becomes responsible for keeping record of the person who has agreed to accept this responsibility in case of future inquiries, such as requests for inspection by auditors.
- In the absence of someone willing to accept responsibility for the documents, the IU department chairman will become responsible for assuring that documents are stored per regulatory and IU requirements.
For studies subject to FDA regulation, notice of such a transfer of responsibility shall be given to the sponsor and FDA within 10 working days after the transfer occurs.
For Research Subject to VA Regulations
All research records are retained by the VA facility where the research was conducted. If a grant is ongoing and the investigator leaves one VA facility to go to another VA facility, the investigator must obtain approval for a copy of relevant materials to be provided to the new VA facility's research office. The investigator is not the grantee, nor does the investigator own the data.
Individuals found to be in violation of this policy may be subject to sanctions relating to their participation in research with human subjects, up to and including permanent suspension or debarment from engaging in research with human subjects at Indiana University.Back to top
- 21 CFR 11
- 21 CFR 312.62(c)
- 21 CFR 812.140(d)-(e)
- IU Data Management
- IU Guidance for the Management of Research Data
- IU Office of Research Administration Understanding Research Agreements, specifically Other research agreements>Data Use, Data Sharing, and/or Data Transfer Agreement
- International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH): Guideline for Good Clinical Practice E6(R2)
- Indiana Code
- IU Policy on Research Misconduct
- NIH Certificates of Confidentiality Policy
- NIH Data Sharing Policy
- NIH Genomic Data Sharing
- VHA Records Control Schedule 10-1 (November 2017)
adverse event, audit, audit trail, authorization, biospecimen, device, drug, HIPAA, humanitarian device exemption (HDE), informed consent, interaction, intervention, principal investigator, protocol deviation, regulatory agencies, research, research personnel, source documents, sponsorBack to top