HRPP Policy - Research data management

When research data is generated pursuant to a contract or agreement (e.g., clinical trial agreement with sponsor), ownership of the data is defined by the contract or agreement. The details of the contract should define all policies, procedures, and issues related to ownership and will be the determining document for resolution of disputes.

Research data which is not generated pursuant to a contract or agreement that explicitly details ownership is the property of IU.

If research is completed by individuals who are employees of, or conduct work at, both a federal or state government agency (e.g., Roudebush VAMC) and IU, ownership is generally shared between IU and the government agency. Research personnel should seek guidance from administrative officials at both institutions.

All records produced or collected in connection with a research project, including primary (e.g., laboratory, medical, interview), financial, statistical, supporting, administrative, and regulatory documentation, shall be retained for a minimum of three (3) years from the date of submission of the final expenditure report to the funding agency or the date of study closure with the IRB, whichever is longer.

Records may need to be retained beyond this date, specifically:

• For studies subject to HIPAA, signed HIPAA authorization forms (or if using a combined informed consent and HIPAA authorization form, the signed informed consent/authorization) must be retained for a minimum of six (6) years from the date it was obtained.
• For studies conducted under an IND, records must be retained for two (2) years after approval of a marketing application for the drug for the indication for which it is being investigated or, if no application is to be filed or if the application is not approved for such indication, until 2 years after the investigation is discontinued and FDA is notified.
• For studies conducted under an IDE or HDE, records must be retained during the investigation and for a period of two (2) years after the latest of either: the date on which the investigation is terminated or completed, or the date that the records are no longer required for purposes of supporting a premarket approval application, a notice of completion of a product development protocol, a humanitarian device exemption application, a premarket notification submission, or a request for De Novo classification.
• For research subject to VA regulations, records, including codes or keys linking subject data to identifiers, must be retained for six (6) years following the federal fiscal year end (September 30^th) after the study has been closed by the VA.
• If the research involves intellectual property, data must be kept for as long as may be necessary to protect any intellectual property claims resulting from the work.
• If any charges regarding the research arise, such as allegations of misconduct in research or financial conflict of interest, data must be retained until such charges are fully resolved.
• If the research is being conducted by a student, data must be retained at least until the degree is awarded, or it is clear that the student has abandoned the work.
• If the research is conducted pursuant to a contract or agreement, data must be retained in accordance with the contract or agreement.

After the specified period of time has elapsed, research personnel may dispose of the documentation relating to a research study in an appropriate manner, including encrypting, shredding, incinerating, mutilating, erasing, and otherwise rendering the information illegible or unusable. Source documentation must be retained in its original form until this time.

Studies conducted under the regulation of the FDA (IND, IDE studies) must maintain full audit trails. All original entries made in source documents, case report forms, spreadsheets, or databases and all subsequent modifications must be maintained.

Studies subject to FDA regulation must also comply with 21 CFR 11: Electronic Records; Electronic Signatures.

When recording source data and/or transcribing source documents to case report or data collection forms, the following procedures should be followed:

• For paper documents, record all observations/data in ink.
• Correct errors by striking through the error, dating and initialing it, and making the correction. Ensure the original entry is not obliterated. If necessary, note an explanation for the correction. Note that in FDA-regulated studies involving electronic data, a similar electronic audit trail must be created to track data corrections(See 21 CFR 11: Electronic Records; Electronic Signatures)
• Complete all fields on the forms according to sponsor or other predetermined specifications.

IU faculty, staff, and students may not disclose social security numbers (SSNs) outside IU except in limited circumstances outlined in IC 4-1-10.

Public access requests seeking documents containing information concerning research must be forwarded to the IU Office of Vice President and General Counsel for further review and analysis, including a determination as to whether the records requested are or are not publicly available.

Certificates of Confidentiality

Certificates of confidentiality protect human subjects by prohibiting disclosure of identifiable sensitive research information. Certificates of confidentiality are automatically applied to NIH-funded research and may be requested for research not funded by the NIH. The NIH considers research in which identifiable, sensitive information is collected or used, to include:

• Human subjects research as defined in 45 CFR 46, including exempt research except for human subjects research that is determined to be exempt from all or some of the requirements of 45 CFR 46 if the information obtained is recorded in such a manner that human subjects cannot be identified or the identity of the human subjects cannot readily be ascertained, directly or through identifiers linked to the subjects;
• Research involving the collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual;
• Research that involves the generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human subjects can be identified or the identity of the human subjects can readily be ascertained as defined in 45 CFR 46; or
• Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual, as defined in subsection 301(d) of the Public Health Service Act.

When a certificate applies, the researcher shall not:

• Disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
• Disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.

If disclosure of research data protected by a certificate is requested, research personnel should immediately consult the IU HRPP. Disclosures of information may include for the following purposes:

• Required by Federal, State, or local laws (e.g. as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments);
• Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of the individual;
• Made with the consent of the individual to whom the information, document, or biospecimen pertains; or
• Made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human research subjects.

When VA conducts a study that is protected by a Certificate of Confidentiality, the following health record documentation provisions apply:

• For studies that do not involve medical intervention, no annotation may be made in the health record.
• For studies that involve a medical intervention, a progress note entry should indicate that an individual has been enrolled in a research study, any details that would affect the subject's clinical care, and the name and contact information for the investigator conducting the study. Subjects informed consent forms and HIPAA authorization documents are not to be included in the health record.

NIH Data Sharing Policies

Effective October 1, 2003, NIH requires a written plan to share data with the public and general research community for certain grants.

Effective January 25, 2015, NIH-funded research must comply with the NIH Genomic Data Sharing Policy. Upon request, the IRB reviews the research and assures to the Institutional Signing Official that all of the following are true:

• The data submission is consistent, as appropriate, with applicable national, tribal, and state laws and regulations as well as relevant institutional policies.
• Any limitations on the research use of the data, as expressed in the informed consent documents, are delineated.
• The identities of research participants will not be disclosed to NIH-designated data repositories.
• An IRB has reviewed the investigator's proposal for data submission and assures that:
  • The protocol for the collection of genomic and phenotypic data is consistent with 45 CFR Part 46;
  • Data submission and subsequent data sharing for research purposes are consistent with the informed consent of study participants from whom the data were obtained;
  • Consideration was given to risks to individual participants and their families associated with data submitted to NIH-designated data repositories and subsequent sharing;
  • To the extent relevant and possible, consideration was given to risks to groups or populations associated with submitting data to NIH-designated data repositories and subsequent sharing; and
  • The investigator's plan for de-identifying datasets is consistent with the standards outlined in the NIH Genomic Data Sharing Policy.

If all of the above are true, the Institutional Signing Official will provide a signed Institutional Certification.

Research subject to Department of Justice (DOJ) regulations

For research funded by the National Institute of Justice (NIJ), all projects are required to have a privacy certificate approved by the NIJ human subjects protection officer. All researchers are required to sign employee confidentiality statements, which are maintained by the responsible researcher. Current or past abuse is not reportable under state mandatory reporting requirements, unless a separate consent to allow reporting is obtained from the research subject; this is in addition to a consent to participate in the research study.

A copy of all data must be de-identified and sent to the National Archive of Criminal Justice Data, including copies of the consent document, data collection instruments, surveys, or other relevant research materials.

Except for computerized data records maintained at an official DOJ site, records that contain non-disclosable information directly traceable to a specific person may not be stored in, or introduced into, an electronic retrieval system.

If the researcher is conducting a study of special interest to the Office of Research and Evaluation (ORE) but the study is not a joint project involving ORE, the researcher may be asked to provide ORE with the computerized research data, not identifiable to individual participants, accompanied by detailed documentation. These arrangements must be nego­tiated prior to the beginning of the data collection phase of the project.

Research subject to DOJ regulations but conducted within the Bureau of Prisons (BOP)

A non-employee of the BOP may receive records in a form not individually identifiable when advance adequate written assurance that the record will be used solely as a statistical research or reporting record is provided to the agency. Except as noted in the informed consent document to the subject, the researcher must not provide research information that identifies a subject to any person without that subject’s prior written consent to release the information.

At least once a year, the researcher must provide the Chief of the Office of Research and Evaluation, Central Office, Bureau of Prisons, with a report on the progress of the research. At least 12 working days before any report of findings is to be released, the researcher must distribute one copy of the report to each of the following: the Chair of the Bureau Research Review Board, the regional director, and the warden of each institution that provided data or assistance. The researcher must include an abstract in the report of findings. In any publication of results, the researcher must acknowledge the Bureau's participation in the research project. The researcher must expressly disclaim approval or endorsement of the published material as an expression of the policies or views of the Bureau. Prior to submitting for publication, the results of a research project, the researcher must provide two copies of the material, for informational purposes only, to the Chief of Office of Research and Evaluation. 

Departing research personnel may take only copies of the data. The original source data must remain with the owner as above unless a specific request is granted by the institution or IU department or school.

Responsibility for compliance with this policy may be transferred to another appropriate person willing to accept responsibility. If the study will remain open with the IRB, transfer must be made via amendment that identifies the researcher who has agreed to become the new PI. Upon approval by the IRB, the new PI will become responsible for all future data management issues pertaining to the study.

If the study will close with the IRB, the PI may withdraw from responsibility with this policy.

• The departing PI is responsible for notifying his/her institution, department, or division who has agreed to accept this responsibility.
• The institution, department, or division then becomes responsible for keeping record of the person who has agreed to accept this responsibility in case of future inquiries, such as requests for inspection by auditors.
• In the absence of someone willing to accept responsibility for the documents, the IU department chairman will become responsible for assuring that documents are stored per regulatory and IU requirements.

For studies subject to FDA regulation, notice of such a transfer of responsibility shall be given to the sponsor and FDA within 10 working days after the transfer occurs.

For Research Subject to VA Regulations

All research records are retained by the VA facility where the research was conducted. If a grant is ongoing and the investigator leaves one VA facility to go to another VA facility, the investigator must obtain approval for a copy of relevant materials to be provided to the new VA facility's research office. The investigator is not the grantee, nor does the investigator own the data.