¾Ã²Ý¹ú²ú¸£Àû

Anonymous: Anonymous data are collected in a manner where the identity of the subject cannot be determined by anyone at any time; not even the researcher. There are no links between the data and the individual person. Anonymous data is stripped of personally identifiable information (e.g., no names, student numbers, etc.). This includes any information that was recorded or collected without any of the .

Coded: Identifying information (such as name) that would enable the investigator to readily ascertain the identity of the individual to whom the private information or specimens pertain has been replaced with a code (number, letter, symbol, or any combination) and a key to decipher the code exists, enabling linkage of the identifying information to the private information or specimens.

Confidential: Confidential refers to private information that a subject discloses with the expectation that it will not be divulged to others without that subject’s permission. When an investigator promises confidentiality, the subject is asked to supply information that could potentially identify that subject, which is then linked to the research data collected from the subject with the understanding that the investigator will not disclose the information to others outside of those for whom the subject has given the investigator explicit consent to share (i.e., the research team). 

De-identified: All identifiers have been removed from the data set even though identifiers may still exist in a separate file. For example, the data set is de-identified and the master list containing names and de-identified codes are stored in a different location not easily accessible to the researcher or any other person. De-identification prevents a person’s identity from being connected with their responses.

Identifiable: This type of data includes personal identifiers and links associated with the data set. Identifiers include any information used to distinguish one person from another (e.g., personally identifiable information). These identifiers could be sensitive (e.g., medical information) or non-sensitive (e.g., public records or websites). Be careful about what identifiable information you collect from your research subjects. 

• For example, surveys and interviews conducted in-person are considered confidential rather than anonymous because the investigator can identify the subjects even if the investigator has collected no other identifying information. 

PHI: Protected Health Information is any health information that includes any of the 18 elements identified by HIPPA and maintained by a covered entity or any information that can reasonably be used to identify a person. It is individually identifiable health information, whether oral or recorded in any form or medium (e.g., narrative notes; X-ray films or CT/MRI scans; EEG / EKG tracings, etc.), that:

• may include demographic information, and
• is created or received by a ‘covered entity,’ that is, a health care provider, health plan, or health care clearinghouse, and
• relates to the past, present, or future physical or mental health or condition of an individual, to the provision of health care to that individual, and/or to payment for health care services and
• identifies the individual directly or contains sufficient data so that the identity of the individual can be readily inferred." (Source: HHS: )

PII: Personally Identifiable Information (PII) is defined as data used in research that is not considered PHI and is therefore not subject to the HIPAA Privacy and security Rules. The key distinction between PII and PHI is that PHI is associated with or derived from a healthcare service event, i.e. the provision of care or payment for care. PII may be derived directly from the participant (survey, interview) and is covered by other state and federal laws for privacy and confidentiality of research health information.  

Private Information: Information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information that has been provided for specific purposes by an individual and that the individual can reasonably expect will not be made public (for example, a medical record). Private information must be individually identifiable (i.e., the identity of the subject is or may readily be ascertained by the investigator or associated with the information) in order for obtaining the information to constitute research involving human subjects.

Sensitive Research Data: Sensitive data is data that could cause adverse consequences for subjects or damage their financial standing, employability, insurability, or reputation if it was made publicly available. There are laws and regulations around certain types of data (e.g. controlled unclassified information (CUI) and protected health information (PHI)), however, the impact of data release should be considered for all research projects.  In data from human subjects, common topics that are generally considered sensitive include data on criminal behaviors (including drug use), disciplinary records, mental health information, sexual behavior, and unique health information.  

Anyone who conducts research with human subjects at ¾Ã²Ý¹ú²ú¸£Àû has a responsibility to protect the data collected and used for their research. This is especially important when the data (a) contain personal identifiers or enough detailed information that the identity of participating human subjects can be inferred, (b) contain information that is sensitive. Researchers need to understand when and how to use the most effective and efficient methods for storing and analyzing confidential research data so that those data are adequately protected from theft, loss or unauthorized disclosures.

The Principal Investigator (PI) is responsible for ensuring that research data are secure when it is collected, stored, transmitted, or shared.  All members of the research team should be knowledgeable about securing and safeguarding research data and to document their standard practices for protecting research data so that they can provide these details to the IRB if a mobile device is lost or stolen. Researchers must provide sufficient information concerning data storage and security procedures as part of the IRB application. Depending on the level of possible risk to participants, the IRB may require additional data safety procedures to be implemented prior to IRB approval.  

As a general practice, researchers working with human subjects should avoid collecting personally identifiable information (PII) whenever possible. The best way to protect a research subject’s identity is by not collecting unnecessary identifiable information in the first place. If identifiable information is collected, that information that must be securely stored. 

Consideration for Privacy Protection

The following are questions to consider when developing your research protocol and discussing data collection and storage.

• What specific method(s) are you using to collect data from research subjects?

• How are the collected data recorded?

• What steps have you taken to de-identify all electronically gathered data?

• How are recorded data transferred between locations or devices?

• Where are recorded data stored?

• Who has access to the spaces and/or devices where data are stored?

• Is the data password protected?

• When is data encryption used?

• How are data transferred between members of the research team?

• If coded data is used, how will the research team break the connection between the coded data and the code when the connection is no longer needed?

• For electronically collected data, what are the policies of software provider and does it collect IP addresses?

For Research Participants - Report a Concern

The foremost concern of ¾Ã²Ý¹ú²ú¸£Àû's IRB is ensuring the health. safety and rights of all individuals participating in research conducted by OCU faculty, staff, and students.  

To resolve a minor issue with a study, it is best to contact the Principle Investigator (PI) of the study listed in the contact information given during the Informed Consent process.  If your concern is more serious, please contact the IRB chair at [email protected].  

For Researchers

Changes in Protocol

Researchers are required to promptly report proposed changes in research activities to the IRB. Such changes during the period for which IRB approval has already been given may not be initiated without IRB review and approval, except when necessary to eliminate apparent immediate hazards to the participant .  Researchers must complete a modification submission to propose changes in a research activity.

Adverse Event or Unanticipated Problems

An adverse event is any untoward or unfavorable occurrence in a human subject, including any abnormal sign, symptom, or disease, temporally associated with the subject’s participation in the research, whether or not considered related to the subject’s participation in the research. Adverse events encompass both physical and psychological harms (see Definitions). 

An unanticipated problem is any incident, experience, adverse event, or outcome that meets all of the following criteria: unexpected given the described procedures, informed consent, and population characteristics; related or possibly related to participation in the research; suggests that subjects are placed at greater risk than previously known (see Definitions). 

Adverse events and unanticipated problems are not mutually exclusive. An adverse event is not necessarily an unanticipated problem and vice versa. The IRB makes the final determination on categories of incidents. 

• OCU investigators shall report adverse events or unanticipated problems to the IRB within two (2) working days of knowledge of the incident. Researchers must submit a completed Incident Report Form for Legacy Studies to the IRB Office within five (5) working days.
• The incident report shall include at a minimum: name of PI, title of research project, award information (if applicable), a detailed description of the incident, a detailed description of actions or plans to address the incident, and the outcome.
• When reviewing reports of unanticipated problems and adverse events, the IRB shall consider whether the affected research protocol continues to satisfy the requirements for IRB approval, whether risks to participants continue to be minimized and reasonable in relation to the anticipated benefits to the participants, and the importance of the knowledge that may be reasonably expected to result.
• The IRB Chair may call an emergency meeting of the IRB or suspend research activities if necessary to prevent immediate threat to the safety and well-being of research subjects. Notification of suspensions or terminations will include the rationale for the IRB’s action and will be sent by the IRB to investigators, faculty advisors of student investigators, the academic unit administrator, appropriate institutional officials, and the funding agency head if applicable.
• The IRB is authorized to require additional information from the investigator and/or require any modifications necessary to ensure the safety and wellbeing of research subjects and ensure that such incidents will not happen again, either with the investigator or the protocol in question. Changes to a research study proposed by the investigator in response to an unanticipated problem must be reviewed and approved by the IRB Chair and another member before being implemented, except when necessary to eliminate apparent immediate hazards to participants. If the changes are determined to be more than minor, the changes must be reviewed and approved by the convened IRB. 

IRB Reporting Requirements

The IRB shall promptly report unanticipated problems or incidents to the provost. The time frame for reporting will be based on the nature and severity of the incident and be in accordance with applicable  regulations or the OHRP Guidance on Reporting Incidents to OHRP at . 

When required, reports to OHRP, supporting personnel, and the Provost on unanticipated problems shall include: name of the institution, name of PI, title of the research project, award information (if applicable), a detailed description of the incident, actions OCU is taking or plans to take to address the problem (e.g., protocol revision, suspension of participant enrollment, termination of research).