Institutional Review Board -01 Gainesville Health Science Center
(352) 273-9600
myIRBNews & AnnouncementsFormsDeadlinesWeb TrackingInformation for the Public
University of Florida
IRB-01 Help!
  Report noncompliance  
  IRB-01 Home  
  Data Use/Storage  
  Full Board Deadlines  
  Drug Research  
  IRB-01 Forms  
  Form Instructions  
  Full Board Info  
  IRB's HIPAA page  
  Office Information  
  Other Committees  
  PI Responsibilities  
  IRB-01 P&P Manual  
  Position Papers  
  Psychology Info  
  Required Reading  
  Researcher Tools  
  Submit Paperwork  
  VA Research  
  Web Tracking - NEW!  
  UF's WIRB page  
Search IRB-01:


Link to MyUFL

myIRB: submit new studies electronically.  Click here to learn more.

Protect Research Data

Quick links: Research Data is Institutional Property Investigator Requirements for Retaining Research Data
  Data/Record Storage and Security Destruction of Data
  Releasing Data to Other Parties  

1. Research Data is Institutional Property

Data collected as part of research is property of the institution (e.g. UF). The institution pays you (or in the case of a student permits you) to produce the work and as a result the work/data is the institution's property. As such researchers may not remove, copy, or destroy the data without explicit written permission from the institution. For example, if a researcher leaves the university you cannot take a copy of the data unless you obtain written permission from the institution.

At UF this policy is formalized in the Intellectual Property Policy ( ). Contact the Office of Technology and Licensing (OTL) and your Department Chair in order to receive written permission to take a copy of any data.

The VA specifies this in the VHA Handbook 1200.5, 10.i ( Contact the VA Research Service Administration to receive written permission to take a copy of any data.

2. Data/Record Storage and Security

Data/record security is critical. You should insure that all hard copy and electronic data is securely stored to prevent unauthorized access, disclosure, or loss. Hard copy records should be stored in a manner that limits access to only authorized individuals. For example, filing cabinets/areas should be locked and placed in secured/locked rooms.

Electronic data should be saved on a device that has the appropriate security safeguards such as unique identification of authorized users, password protection, encryption, automated operating system patch (bug fix) management, anti-virus controls, firewall configuration, and scheduled and automatic backups to protect against data loss or theft ( Researchers possess a strong sense of ownership for their data and consequently often manage their own computers.   Security controls necessary for computers can be very intimidating or bothersome, but we know that no one wants to be in the same position as this well-intended researcher:

Names, addresses and SSNs of 600,000 citizens from the state of California were exposed to a hacker who hacked a researcher-in-residence’s computer at UC Berkeley.

Laptops, Personal Digital Assistants, removable hard drives, “jump” or “thumb” drives, CDs, DVDs and other portable devices and removable media are very convenient to ensure your data is always at your fingertips.  External hard drives are a cost effective and convenient way to back up your data. However all of these devices require encryption solutions if used to store Restricted or Sensitive data (e.g. identifiable health information).  If you need help understanding why, read on:

Names, addresses, medical record numbers and SSNs of 130,000 patients went missing when a hospital employee’s “thumb drive” (small storage drive the size of a pack of gum that plugs into a computer’s USB port) went missing.  The records could be read by Adobe Acrobat Reader and were not encrypted.

The UF HSC Security Program for the Information and Computing Environment (SPICE) has created and identified several resources to help you secure your research computers.  You can discover all of the resources available from the UF HSC SPICE web page for Researchers here: More specifically:

All HSC departments have an Information Security Administrator (ISA) and an Information Security Manager (ISM) who are familiar with the security rules and resources available.  Find your Unit ISA and ISM by browsing here:

The HSC has published user friendly and readable one page security guidelines (SPICE EduGuides) on specific Security topics like Laptop, PDA, Removable Media, Password, Malicious Software Prevention and others:

In addition, for those researchers who manage their own servers, more technically oriented security material is available on the UF HSC security web site.  See the ‘Host Security’ and ‘Portable Device and Removable Media’ training presentations here:

Lastly, the VA also has additional, strict information security standards, such as prohibiting the use of any USB memory devices (you may not use external hard drives or jump drives, even if encrypted).

3. Releasing Data to Other Parties

There are multiple federal regulations that impact your ability to release data outside your institution (to a sponsor, to another researcher, etc). There are a variety of factors that determine whether or not the release is permissible.

  • Is there a consent/authorization? If so, what did the research subject consent to/authorize?
  • Is the data that you wish to release unequivocally anonymous, or is it possible to trace the data back to the subject? HIPAA standards apply, so dates, diagonsis, location (e.g. Shands @ UF), etc may make the data identifiable.
  • If data was obtained under an IRB approved waiver are you tracking disclosures of PHI per HIPAA regulations?

There are a variety of very serious factors that impact your ability to release data to outside parties. You should contact the IRB prior to proceeding with a release of data UNLESS (a) your subject signed an IRB approved consent document with HIPAA compliant authorization language that clearly details what information will be collected, used, and disclosed and (b) the outside party is specified in the document.

4. Investigator Requirements for Retaining Research Data

Regulations require each investigator to retain research data not only while the research is being conducted but also after the research is completed. How long do you have to keep the records after the completion of the research? Unfortunately there are several different regulations each of which has different requirements. As a result researchers must comply with the longest applicable standard according to current institutional policies.

  • OHRP Requirements: 45 CFR 46 requires research records to be retained for at least 3 years after the completion of the research.

  • HIPAA Requirements: Any research that involved collecting identifiable health information is subject to HIPAA requirements. As a result records must be retained for a minimum of 6 years after each subject signed an authorization.

  • FDA Requirements: Any research that involved drugs, devices, or biologics being tested in humans must have records retained for a a period of 2 years following the date a marketing application is approved for the drug for the indication for which it is being investigated; or, if no application is to be filed or if the application is not approved for such indication, until 2 years after the investigation is discontinued and FDA is notified. Please note - this length of time can be much greater than 2 years. You should receive written confirmation from the sponsor and/or FDA granting permission to destroy the records. (21CFR312.62.c)

  • VA Requirements: At present records for any research that involves the VA must be retained indefinitely per VA federal regulatory requirements. This could be subject to change if federal regulators establish a national policy setting a shorter period for retention. Please contact the VA Research for additional information at: (352) 376-1611, extension 6069.

  • UF Requirements - patents: Any research data used to support a patent through UF must be retained for the life of the patent in accordance with UF's Intellectual Property Policy ( - Page 9). Please direct any questions to the Office of Technology and Licensing

  • Sponsor Requirements - contract: If your study is sponsored you must insure that you comply with any terms for record retention detailed in the contract with the sponsor. For example, a sponsor may require you to retain your research related documents for 20 years. Prior to agreeing to a contract that specifies how long records will be maintained you should insure you will receive adequate funding to pay for the storage.

  • Questions of data validity: if there are questions or allegations about the validity of the data or appropriate conduct of the research, you must retain all of the original research data until such questions or allegations have been completely resolved. 


  1. Research records must be maintained a minimum of three years after the research is completed and the study closed with the IRB.
  2. Records may need to be kept longer if other requirements apply.
  3. Researchers must comply with the longest applicable standard as described above.

5. Destruction of Data

Lastly, once you have met the regulatory requirement for how long you must retain records for completed research you cannot destroy any records/data until you comply with the institutional requirements for data destruction.

UF's Records Management office requirements:

Dennis Kozak

VA Research Service Administration

(352) 376-1611 X6069

Disposal of Protected Health Information (PHI)

UF Privacy Office Retention, Archiving, & Disposal of Patient Information

  • Record Inventory Log (Form)
  • Record Destruction Log(Form)
  • UF Records Disposition Request (Form)


© Univeristy of Florida
Updated: 02/17/2012 10:36 AM

E-mail the webmaster

IRB Sharepoint

IRB-01 Research HSC SPICE UF Information Security UF Privacy


IRB UFL   COM Clinical Trials Compliance Privacy Policy