Use of Restricted Data
Data holders whose archives or sources involving identifiable coded or private information are available on a restricted basis but have certain conditions for use and possession of their data. When a researcher wishes to access archives or restricted data sets that may contain identifiable or coded information about individuals, a Data Use Agreement (DUA) is required. A DUA addresses university issues such as limitations on use of the data, liability for harm arising from the use of the data, publication, and privacy rights that are associated with transfers of confidential or protected data. This DUA is contractual document between a “Data Users” (the UMBC investigator requesting access to information) and the “Data Set Source” (the organization or institution providing the data) describing the provisions used to transfer confidential or protected data that may be used for the purpose of conducting human subjects research.
The Office of Sponsored Programs (OSP) serves as the campus signatory for research-based Data Use Agreements. OSP is authorized to enter into contractual agreements, including DUAs, on behalf of UMBC to ensure compliance with appropriate policies and regulations. As investigators are not authorized to negotiate or sign these agreements on behalf of UMBC, DUAs must be submitted to OSP for final approval and sign-off. Researchers are not authorized to negotiate or sign these agreements and cannot sign DUAs on behalf of UMBC
Examples of data archives or restricted data sets where a DUA may (or may not) be required are found on the OSP Data Use Agreement FAQ site.
The IRB’s role
The IRB will review the proposed project if an investigator plans to use, study, or analyze identifiable private information for research purposes. Investigators wishing to use restricted access data must submit an application to the IRB for review of the protective mechanisms planned to protect the identity of persons and evaluate the security of procedures. Investigators should also consider if the HIPPA Privacy Rule applies when researchers want to obtain, create, use, and/or disclose individually identifiable health information. Research with data that includes personal identifiers may require the use of HIPAA Authorization to use and/or disclose PHI (for individual authorizations to access PHI) or a HIPAA Waiver of authorization (for request of large sample size where individual authorizations are impractical and the request meets privacy rule specifications).
Submission of an IRB application and the DUA to the Office of Sponsored Programs may be done concurrently.
The IRB may provide conditional approval of a protocol if it is needed in order to obtain a Data Use Agreement signed, but final IRB approval will not be granted until a copy of the signed Data Use Agreement is received from OSP with required security measures in place.