MSU HRPP Manual Section 2-6

Considerations for Data Sharing in Human Research Studies

Researchers may be required and/or plan to share data they obtain as part of their human research study. For example, some Federal agencies that fund the research study may require data sharing as a term and condition of the award. Data may be requested for analysis and replication upon publication of articles resulting from the study. The researcher may want to share the data with students or other researchers for future studies. While there are broad institutional considerations related to data management and sharing (e.g., formatting, resources, management), this document addresses considerations when researchers may share human subject data collected as part of their research study. It applies to all human research studies, including studies determined exempt. Future research studies using the shared data may require Institutional Review Board (IRB) submission and consideration of additional consent.

Definitions

“Coded” means that:

  • Identifying information (such as name or social security number) that would enable the investigator to readily ascertain the identity of the individual to whom the private information or biospecimens pertain has been replaced with a number, letter, symbol, or combination thereof (i.e., the code); and

  • A key to decipher the code exists, enabling linkage of the identifying information to the private information or biospecimens.

Data includes information and biospecimens and may be collected in many different formats (e.g., online survey responses, audio or video recording, photographs, fingerprints, blood draw, cheek swab, nail clippings).

Data sharing means that data will be shared or made available for use beyond the current research study (e.g., other researchers, the larger research community, institutions, broader public).

Controlled access means that access to shared data is limited and requires approval or other measures such as requiring data requesters to verify their identity and the appropriateness of their proposed research use to access protected data.

Uncontrolled access means that anyone can access the data.

Requirements for Data Management and Sharing

Researchers must determine whether any human subject data collected as part of the research study may be shared and, if there are requirements for data sharing, how those requirements apply. For example, data sharing requirements may specify the type of data that must be shared (e.g., information but not biospecimens, data including biospecimens), when the data must be shared, whether there are any exceptions, and require a data management and sharing plan, etc.

Federal agencies or departments that conduct or support human research studies may require data management and sharing. Requirements vary by Federal agency or department and may also vary by institute or component within the agency or department. External sponsors may also require data management and sharing as part of the grant or contract. Because requirements vary by sponsor and are also subject to change, it is important for the researcher to be aware of data sharing requirements and describe those requirements as appropriate when they may impact an IRB submission.

If data sharing is required by the study sponsor and the researcher would like to request an exception to sharing, the researchers should consult with the sponsor to determine whether an exception to data sharing may be applicable. Exception requirements may vary based on study sponsor.

Data Management and Sharing Plan

If a data management and sharing plan is required by the study sponsor, researchers should follow the sponsor’s requirements for development of the plan. If a researcher will or may share their data, even if sharing is not required, they should develop a data management and sharing plan. Any data management and sharing plan should be submitted with any related IRB submissions.

If there is a data management and sharing plan, researchers will need to assure that the plan is consistent with any related IRB submission(s) and consent processes and document(s). For example, if the plan describes privacy and confidentiality provisions, that description needs to be consistent with the IRB submission and what is described in the consent document(s) related to privacy and confidentiality.

During the IRB submission’s review, changes may be requested or required that impact the data management and sharing plan. If those changes create inconsistencies in the data management and sharing plan, the plan should be updated following any required sponsor processes.

Human Subject Data Sharing Considerations

If there are plans to share data, researchers will need to consider how it may impact potential human subjects. Considerations include but are not limited to:

  • Whether data sharing is required to participate in the study

  • Any limitations on future use of the data

  • Impact of data sharing to privacy of subjects and confidentiality of data

  • Potential risk(s) that data sharing may pose to subjects, including risk of reidentification

  • Whether data sharing will be restricted through controlled access or whether access will be uncontrolled

  • Whether a code will be maintained with the shared data and if so, whether the code links the subject between data sets

  • Whether and how data will be de-identified under applicable requirements such as:

    • Common Rule for Protection of Human Subjects (e.g., 45 CFR 46)

    • S. Health Insurance Portability and Accountability Act

    • S. Family Educational Rights and Privacy Act

    • S. Certificate of Confidentiality

    • Relevant international data protection requirements

  • Whether the study involves:

    • Certificate of Confidentiality

    • Protected health information that is regulated under the U.S. Health Insurance Portability and Accountability Act

    • Student educational records that are regulated under Family Educational Rights and Privacy Act

    • Personal data subject to state or international data protection laws

    • Federal funding requirements

    • Tribal requirements

    • Any institutional policies (e.g., collaborative research)

    • S. Food and Drug Administration requirements

    • Any other applicable national, tribal, and state laws and regulations

    • If a study will collect both information and biospecimens, if there is a difference in what will be shared

  • Whether informed consent will be obtained from subject’s or their legally authorized representatives and if so, how the above considerations impact the consent process and document

Study sponsors may provide specific guidance that should also be considered.

Data Sharing Related to Participation in the Study and Limitations on Use

Researchers should determine whether subjects or their legally authorized representative must agree to share the subjects’ data to participate. In general, subjects or their legally authorized representative should be given the choice about whether or not they wish to have the subjects’ data stored and shared for future use. Providing options for subjects or their legally authorized representative to agree to data storage and sharing is particularly important in studies that offer the prospect of direct benefit to the subject. However, some studies may require data sharing to participate based on their study design (e.g., creation of data repository). The researcher should determine, based on the characteristics of their study, whether data sharing is required to participate.

If data sharing is not required to participate, subjects or their legally authorized representative should be given a separate option within the consent to decide whether the subjects’ data may be shared. If the subject or their legally authorized representative decides not to share the subject’s data, this decision must be followed. Researchers should develop plans and adequate safeguards to assure that only data where consent has been given to be shared is shared and data where subjects or their legally authorized representative have declined to have the subjects’ data shared is not shared. Sharing data where consent for sharing was declined will be evaluated under MSU Human Research Protection Program (HRPP) Manual 9-2, Noncompliance.

If data sharing is permitted with limitations (e.g., data can only be used for a particular kind of research), subjects or their legally authorized representative should be informed and consent to the limitations. If there are limitations, researchers should assure when sharing the data that there are mechanisms in place to assure that the data is only used for the purposes consented to by the subject or their legally authorized representative (e.g., data use agreements, material transfer agreements). Any limitations would need to be communicated to those who plan to share or use the data.

Privacy and Confidentiality

Researchers should consider how data sharing will impact the privacy of subjects and confidentiality of their data. If there is a data sharing plan that describes privacy and confidentiality, it should be consistent with any related IRB submission and consent process and document. For example, if the consent says that no one outside the research team will have access to the data but the data sharing plan says that the data will be shared with others outside the research team, a change would be needed to the consent or the plan.

If data will be shared through a repository or through another method, the researcher should assure that adequate technical safeguards are in place to assure privacy of the subjects and confidentiality of the data.

Potential Risks

Researchers should consider the potential risks to subjects related to data sharing. These risks may include but are not limited to:

  • Reidentification of the subject and any risks associated with reidentification

  • Potential discrimination against or stigmatization of subjects, their families, or groups

Researchers should consider whether the research involves collection of data:

  • For which the identity of the subject may not readily be ascertained by the investigator or associated with the information, but for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual. For example, this could include biometric data such as fingerprints or voiceprints, small sample sizes with unique attributes, etc.,

  • From individuals, groups, or populations with unique attributes that increase the risk of reidentification.

  • That could be considered sensitive, such as including information regarding potentially stigmatizing traits, illegal behaviors, or other information that could be perceived as causing group harm or used for discriminatory purposes.

  • That is genomic data, because it may be possible to re-identify de-identified genomic data, even if access to data is controlled and data security standards are met, confidentiality cannot be guaranteed, and reidentified data could potentially be used to discriminate against or stigmatize subjects, their families, or groups. In addition, there may be unknown risks due to computational methods, analytic technologies, or techniques (e.g., generation of information that could allow subjects’ identities to be readily ascertained).

Any potential risks require disclosure in the consent form unless a waiver or alteration of consent has been granted.

Controlled or Uncontrolled Access

The U.S. National Institutes of Health (NIH) have provided considerations for researchers on whether access to human subjects’ data should be controlled, even if the data is de-identified and lacking explicit limitations on use. While the information is provided by NIH, it may be applicable to other research studies. Investigators should consider sharing subjects’ scientific data through controlled access repositories if data:

  • Have explicit limitations on subsequent use, such as those imposed by laws, regulations, policies, informed consent, and/or agreements.

  • Could be considered sensitive, such as including information regarding potentially stigmatizing traits, illegal behaviors, or other information that could be perceived as causing group harm or used for discriminatory purposes. Sensitive data may also include data from individuals, groups, or populations with unique attributes that increase the risk of re-identification.

  • Cannot be de-identified to established standards or cannot sufficiently reduce the possibility of re-identification. Access controls, among other measures, may be appropriate to further mitigate the risk of re-identification.

  • Due to previously unanticipated approaches or technologies, pose risks to subject privacy if released without controls on access.

If access to the data will be controlled, there should be mechanisms in place to assure that data is shared only with those who are approved to have access to it and that the subsequent use is consistent with the subject’s consent (e.g., data use agreements, material transfer agreements).

If access to the data will not be controlled, the subject should be informed of this and what it means. If there are no limits on use of the data (e.g., only for research purposes), this should be explained to the subject.

De-Identification and Coded Data

When sharing data, researchers should consider whether the data that will be shared will be de-identified or may be coded.

If coded, the data may not be identifiable to the individuals outside the research team who may be accessing the shared data, but the data is still identifiable to the research team through the code.

Researchers should consider to what level data will be de-identified. Different regulations have different standards for de-identification and researchers should determine what standard will be used to de-identify the data. Examples include:

  • Common Rule for Protection of Human Subjects (e.g., 45 CFR 46)

  • S. Health Insurance Portability and Accountability Act

  • S. Family Educational Rights and Privacy Act

  • S. Certificate of Confidentiality

  • Relevant international data protection requirements

If data will be shared through uncontrolled access, researchers should carefully consider the de-identification process and whether there is a risk that data could be re-identified. If there is a risk of re-identification, this should be explained to subjects.

If a code will be used to link the subject between research studies, researchers should explain this in the consent. For example, the GUID, or Global Unique Identifier, is an alphanumeric code that is created by the NIMH Data Archive (NDA) GUID Tool and used as an identifier for a research subject. The GUID provides a mechanism to link research subjects within and across research project datasets in NDA.

Certificate of Confidentiality

Certificates of Confidentiality (CoC) protect the privacy of research subjects by prohibiting disclosure of identifiable, sensitive research information to anyone not connected to the research with limited exceptions. See HRPP Manual 2-2-H, Certificate of Confidentiality, for more information.

If a study involves data protected by a CoC, any data sharing must be done in compliance with the CoC requirements.

Several exceptions that are relevant to data sharing include when the disclosure is made:

  • With the consent of the individual to whom the information, document, or biospecimen pertains, or

  • For the purpose of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research. 42 USC 241(d)(1)(C).

If consent from the subject will not be obtained to share data protected by to a CoC, the data could only be shared if the disclosure was made for the purpose of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research. This means that it would be necessary to assure that access to the shared data was limited to use for scientific research (e.g., could not share through uncontrolled access where data could be used for any purpose).

Sharing of Protected Health Information Subject to U.S. Health Insurance Portability and Accountability Act

The U.S. Health Insurance Portability and Accountability Act (HIPAA) establishes Federal protections for the use (i.e., the sharing, employment, application, utilization, examination, or analysis of health information within an entity that maintains such information) or disclosure (i.e., the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information) of protected health information. See HRPP Manual Section 7 for more information.

If a study involves protected health information subject to HIPAA, any data sharing must be done in compliance with HIPAA requirements.

Sharing of Student Information Subject to U.S. Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA) of 1974 (as amended) is a Federal law that sets forth requirements for the protection of privacy of students’ educational records. See HRPP Manual 2-2-D-i, Family Educational Rights and Privacy Act for more information.

If a study involves student education records subject to FERPA, any data sharing must be done in compliance with FERPA requirements.

State and International Data Protection Requirements

Some states and countries have developed requirements regarding the use and sharing of an individual’s personal data. Studies that may involve state or international data protection requirements (e.g., European Union General Data Protection Regulation) will be evaluated on a study specific basis with consultation with the Office of General Counsel as appropriate.

Research that Involves Sharing of American Indian/ Alaska Native Subject Data

When research involves American Indian or Alaska native subjects’ data, researchers should be aware that tribal sovereignty may require additional permission or limit sharing of data. Tribal sovereignty affords Tribal nations unique rights to control how research can be performed within Tribal jurisdiction, including how their data can be used, managed, and shared. Researchers should consult with the appropriate tribal nation(s) to determine what laws, regulation, and policies may impact the research, including sharing of data. See HRPP Manual 2-2-F-iv, U.S. NIH Data Management and Sharing, for more information.

U.S. Food and Drug Administration

The U.S. Food and Drug Administration (FDA) requires IRB review for clinical investigations that involve human subjects, including those that use leftover, deidentified human specimens in FDA-regulated device studies. This requirement includes data used to support an investigational device exemption, device marketing application, or submission to the FDA, including in vitro diagnostic (IVD) technical or analytical studies that use human specimens. Because of this, for clinical investigations of research involving devices, the definition of “subject” includes the use of specimens, even if the specimen is unidentified. While such research may not be considered “human subjects” under the Common Rule for Protection of Human Subjects regulations, such research would be considered to include “subjects” under the FDA regulation for certain types of research.

It is possible that while a research study’s collection of data may not be regulated by the FDA, the future use through data sharing may be FDA regulated. It is important to note that the future use, if FDA regulated, would require subsequent IRB approval.

Collaborative Research

If an External IRB will serve as IRB of record for the study, the researcher will need to comply with that institution’s IRB requirements. However, the expectation is that if the study involves data sharing, that any consent process and form will address data sharing. As part of the local context process, the researcher may be asked by the MSU HRPP to address data sharing if it has not been addressed in the consent.

For collaborative research where MSU is serving as the Single IRB, researchers should consult with their collaborators and share with the MSU IRB any local context considerations related to data sharing.

Withdrawal

Researchers should develop a plan on how to address requests from subjects or their legally authorized representatives to withdraw their shared data. Withdrawal should also be addressed in the consent form. See HRPP Manual 9-7, Withdrawal of Subject for more information.

Informed Consent

Unless consent will not be obtained, the consent process and document(s) need to explain whether the data collected in the research study will be shared. If there are plans to share the data, the subjects or their legally authorized representatives need to consent to the sharing of their data. If the study sponsor requires data sharing and the study has not been granted an exception to the requirement, the consent cannot indicate that the data will not be shared.

Explanation of Whether Data May be Shared

If the research involves the collection of identifiable private information or identifiable biospecimens, one of the following statements need to be included in the consent document:

  • A statement that identifiers might be removed from the identifiable private information or identifiable biospecimens and that, after such removal, the information or biospecimens could be used for future research studies or distributed to another investigator for future research studies without additional informed consent from the subject or the legally authorized representative, if this might be a possibility; or

  • A statement that the subject’s information or biospecimens collected as part of the research, even if identifiers are removed, will not be used or distributed for future research studies.

If the research involves the collection of data that is not identifiable private information or is not identifiable biospecimens, one of the following statements should be included in the consent form:

  • A statement that the information or biospecimens collected as part of this research could be used for future research studies or distributed to another investigator for future research studies without additional informed consent from the subject or the legally authorized representative

  • A statement that the information or biospecimens collected as part of this research will not be used or distributed for future research studies

Researchers should carefully consider whether to include language that the data will not be used or distributed for future studies because use of this kind of language will limit the researchers’ future ability to share data.

This policy and procedure supersedes those previously drafted.

Approved By: Vice President for Research and Innovation on 6-20-2023.

Related HRPP Manual Sections