Skip to main content


Research involving the collection or study of existing data, documents, or records.

  1. The submission is first confirmed as covered research with living human subjects or their identifiable, private information - review Research on Data
  2. Then, eligibility for exemption is determined.
  3. If review takes place under expedited procedures or by the full board, these Criteria for Approval will need to be met in addition to any applicable state or local laws and University/HRRC policies.

Harm from research on data from records occurs as a result of a breach of confidentiality. Additional protections and regulations governing access to certain types of records, e.g. medical, court and school information, are considered below.

Men in lab

Researchers are advised to address the following criteria for approvalin their materials

  • Identifiability (to the researcher) of individuals to their data:
    • Retention of direct identifiers
    • Retention of indirect identifiers if the researcher has access to the linking code/key
    • Ability of the researcher or others outside of the research context to identify individuals based on demographic clusters
  • Plan to protect participant privacy and the confidentiality of information obtained
    • Privacy - would a reasonable member of the research population consider the information being collected to be private? Would the release of that information without their permission be considered an invasion of privacy?
    • Does the data security plan provide adequate confidentiality in order to manage the risk of a study to minimal? 
    • Minimal risk means that the probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests
  • Informed consent:
    • Is there a plan to obtain informed consent, if so will it be documented?
    • Is a waiver or alteration of informed consent proposed?

Reviewers will alsobe interested in assessing<partial list - more to come>

  • Whether the PI is qualified to conduct the methods described
  • Whether ethical access to the records has been demonstrated 
  • Auxiliary regulations and protections considered (see below)


Freedom of Information Act

When is a Data Use Agreement required? <link>

Accessing court records <link>

Level of Review Distinctions

Researchers often request assistance in determining whether their interaction-based research is eligible for exemption or if it will be reviewed under expedited procedures or by the full board. Protocols may be eligible under multiple categories; the most protective standard will be applied.

More on Levels of Review 

Exemption Criteria for Research on Records / Data

Deidentified data (exempt cat. 4)

  • May involving the collection or study of existing materials, where existing means existing at the time the research is proposed or that will exist in the future for non-research purposes (collection occurs primarily for another purpose)
  • May include data, documents, records -IF-  
    • the sources are publicly available -OR- 
    • the information is recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects

More about Research on Data

NOTE: Research involving prisoners may not be exempt. Research to which FDA regulations or policies apply are not eligible for exemption categories 1-5.

Expedited Criteria for Research on Records / Data

Research involving materials (data, documents, records) that have been collected, or will be collected solely for NONRESEARCH purposes (such as medical treatment or diagnosis) (expedited cat. 5)

  • Risk of breach of confidentiality must be minimal risk (may be managed to minimal)
  • Includes the recording of identifiers, otherwise eligible for exempt cat. 4

Collection of data from voice, video, digital, or image recordings made for research purposes (expedited cat. 6)

  • Risk of breach of confidentiality must be minimal risk (may be managed to minimal)

Research on records/data that do not fit into an exempt or expedited category must be reviewed and approved during a convened full board meeting.