Please click on the specific topics below to hide/show guidance information.
PrincipaI Investigator (PI) Eligibility
General SBS IRB Submission Tips and Requirements
Determine whether your study needs IRB review: the IRB has jurisdiction to review “research” with “human subjects” as defined in the federal regulations that govern human subjects research.
- Research: a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
- Human Subject: a living individual about whom an investigator (whether professional or student) conducting research: obtains information or biospecimens through intervention or interaction with the individual, and uses, studies, or analyzes the information or biospecimens; or obtains, uses, studies, analyzes, or generates identifiable private information or identifiable biospecimens
In light of the IRB’s mission to protect human subjects, and the potential regulatory consequences of not obtaining IRB review and approval for human subjects research, err on the side of caution and contact the IRB office if you are uncertain whether your study is human subjects research or not.
Determine who will serve as the Principal Investigator (PI): students cannot be PI on their own projects and must name a PI-eligible individual. See the policy at https://ura.uchicago.edu/page/principal-investigator-eligibility
Human Subjects Protection Training: the PI and anyone on the research team who will be engaged in the research (e.g., obtaining informed consent, interacting with research participants, and/or analyzing identifiable data) will need to complete the required online training: see link and instructions at https://sbsirb.uchicago.edu/training/
The protocol/application: your IRB submission must explain in detail the “who, what, when, where, how and why” of your study. Many new submissions are delayed during the IRB review process because the research team did not provide the materials to be used with subjects (recruitment materials, consent materials, interview questions, etc.) or sufficient detail on research procedures, subject population, recruitment methods, compensation plans, consent and assent procedures, etc.
Plan appropriate data security measures: consider the sensitivity of the data you will be collecting and the potential risks to research participants if there were a data breach. If you will be collecting sensitive data, it is a good idea to check with IT Services about appropriate data security precautions before you prepare your IRB submission. Guidance is available at http://dataguide.uchicago.edu/sensitive-identifiable-human-subject-research-data.
- A good option for securely storing data for many research studies is UChicago Box. Box is a cloud-based storage service that provides unlimited free, online space for storing or sharing files. Files stored on Box can be synced and accessed from several locations, including desktops, mobile devices, and laptops. UChicago Box is available to University faculty, staff, and students at no charge. Video and audio files can be stored and played from Box.
Consent, parental permission, and assent forms: use the SBS IRB templates (https://sbsirb.uchicago.edu/templates/) as your starting point.
Make sure your PI endorses your IRB submissions: this applies to anything you submit to the IRB – a new study, amendments, and continuing reviews. The PI has to endorse the submission before it will come to the IRB’s inbox – the PI can do that in the AURA software by clicking on a button that says “Submit to IRB.”
Plan ahead: while some studies can be approved more quickly, you should plan on the review process taking approximately 2 to 4 weeks. If your study requires full board review (potentially greater than minimal risk research), the process can take up to 2 months.
IRB Online Application: https://aurairb.uchicago.edu/. If you receive an error in AURA, log-in problems, or cannot access AURA from an email notification, please contact the AURA help desk at AURA-Help@uchicago.edu for assistance.
Engagement in Research
In situations where multiple institutions are involved in carrying out a non-exempt research project, a question each institution has to consider is whether that institution’s activities rise to the level of being “engaged.” If engaged, IRB review is required of that institution’s activities; if not engaged, IRB review is not required of that institution’s activities.
The HHS Office for Human Research Protections has issued a Guidance on Engagement of Institutions in Human Subjects Research which discusses when institutions are considered to be engaged or not engaged in research – the OHRP Guidance document is available at http://www.hhs.gov/ohrp/policy/engage08.html. The OHRP Guidance on Engagement states “In general, an institution is considered engaged in a particular non-exempt human subjects research project when its employees or agents for the purposes of the research project obtain: (1) data about the subjects of the research through intervention or interaction with them; (2) identifiable private information about the subjects of the research; or (3) the informed consent of human subjects for the research.” At least one institution must be determined to be engaged in any non-exempt human subjects research project that is funded by the U.S. Department of Health and Human Services (45 CFR 46.101(a)). Direct receipt of a federal award supporting non-exempt human subjects research automatically engages an institution in research, even if all activities are occurring at other institutions. The OHRP Guidance sets out examples of situations where institutions would be considered engaged and not engaged in research.
For Information on ceding IRB review to an other institution, serving as the IRB of record for another institution, or covering the role of engaged individuals who are not affiliated with UChicago or another institution, please see the guidance on Collaborative Research Agreements.
Secondary Analysis of Data and/or Specimens
If you will be obtaining or accessing identifiable, private information or identifiable, private specimens in order to conduct a secondary analysis of the data/specimens for research purposes, your study will be considered human subjects research. This is true whether the data/materials were collected for non-research purposes or whether they were collected in a prior research study.
In general, private information/specimens are considered to be individually identifiable when they can be linked to specific individuals by the researcher either directly, or indirectly through a coding system to which the researcher has access.
Accessing UChicago Data (faculty, staff, or student)
The Data Stewardship Council oversees requests to use or access UChicago records, including data on students, faculty, and staff. Anyone wishing to access such data for research purposes (such as data held by the Registrar, data held by Human Resources, etc.) must submit a data access request. Please remember that even if you have access to such data as part of your non-research role (e.g., faculty or departmental administrator), formal access for research purposes must be requested.
See the Data Stewardship Council website for more information and to access the application.
Elements of Consent (general):
- A statement that the study involves research
- An explanation of the purposes of the research
- The expected duration of the subject’s participation
- A description of the procedures to be followed, and identification of any procedures that are experimental
- A description of any reasonably foreseeable risks or discomforts to the subject
- A description of any benefits to the subject or to others that may reasonably be expected from the research
- A disclosure of appropriate alternative procedures or courses of treatment, if any, that might be advantageous to the subject
- A statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained
- For research involving more than minimal risk, an explanation as to whether any compensation and an explanation as to whether any medical treatments are available if injury occurs and, if so, what they consist of, or where further information may be obtained
- An explanation of whom to contact for answers to pertinent questions about the research
- An explanation of whom to contact for answers to pertinent questions about research subjects’ rights
- An explanation of whom to contact in the event of a research-related injury to the subject
- A statement that participation is voluntary, refusal to participate will involve no penalty or loss of benefits to which the subject is otherwise entitled, and the subject may discontinue participation at any time without penalty or loss of benefits to which the subject is otherwise entitled
- One of the following statements about any research that involves the collection of identifiable private information or identifiable biospecimens:
- A statement that identifiers might be removed from the identifiable private information or identifiable biospecimens and that, after such removal, the information or biospecimens could be used for future research studies or distributed to another investigator for future research studies without additional informed consent from the subject or the legally authorized representative, if this might be a possibility; or
- A statement that the subject’s information or biospecimens collected as part of the research, even if identifiers are removed, will not be used or distributed for future research studies.
Additional IRB-Reviewed Elements of Informed Consent (as appropriate):
- A statement that the particular treatment or procedure may involve risks to the subject (or to the embryo or fetus, if the subject is or may become pregnant) that are currently unforeseeable
- Anticipated circumstances under which the subject’s participation may be terminated by the investigator without regard to the subject’s or the legally authorized representative’s consent
- Any additional costs to the subject that may result from participation in the research
- The consequences of a subject’s decision to withdraw from the research and procedures for orderly termination of participation by the subject
- A statement that significant new findings developed during the course of the research that may relate to the subject’s willingness to continue participation will be provided to the subject
- The approximate number of subjects involved in the study
- A statement that the subject’s biospecimens (even if identifiers are removed) may be used for commercial profit and whether the subject will or will not share in this commercial profit
- A statement regarding whether clinically relevant research results, including individual research results, will be disclosed to subjects, and if so, under what conditions
- For research involving biospecimens, whether the research will (if known) or might include whole genome sequencing (i.e., sequencing of a human germline or somatic specimen with the intent to generate the genome or exome sequence of that specimen)
Waiver of Documentation of Consent:
Under the Common Rule, there are three conditions under which an IRB may waive the requirement for an investigator to obtain a signed consent form (the study must meet one):
- The requirement for the participant’s signature on the consent form can be waived if the research involves no more than minimal risk and does not involve any procedures for which written consent is required outside the research context.
- The participant’s signature on a consent form can also be waived if the only record linking the subjects and the research would be the consent document and the principal risk would be potential harm resulting from a breach of confidentiality. For federally-funded research, each subject (or legally authorized representative) will be asked whether the subject wants documentation linking the subject to the research, and the subject’s wishes will govern.
- The subjects or LARs are members of a distinct cultural group or community in which signing forms is not the norm, that the research presents no more than minimal risk of harm to subjects, and provided there is an appropriate alternative mechanism for documenting that informed consent was obtained.
Waiver or Alteration of Consent:
In order to approve a request from an investigator to waive the requirement for informed consent, or to omit or alter one or more basic or additional element of consent (an “Alteration”), the SBS IRB must determine and document that the below criteria are satisfied:
- The research involves no more than minimal risk to the subjects;
- The research could not practicably be carried out without the requested waiver or alteration;
- If the research involves using identifiable private information or identifiable biospecimens, the research could not practicably be carried out without using such information or biospecimens in an identifiable format;
- The waiver or alteration will not adversely affect the rights and welfare of the subjects; and
- Whenever appropriate, the subjects or LARs will be provided with additional pertinent information after participation.
Raffles and Lotteries
Investigators should fully investigate local and state laws related to lotteries and raffles in the locations where they will be offered as incentives. In most instances, gambling laws and definitions are not triggered as long as there is no payment or consideration given for a chance to be entered in the drawing.
If you will offer a raffle or drawing as an incentive, please be sure to include the following in the consent form:
- A complete description of the number and types of prizes and their values
- Specific information on when the winners will be chosen and how they will be notified
- A statement that winners are responsible for all taxes
Also, please note that no single prizes valued over $600 should be offered without consulting the Office of Legal Counsel.
Deception & Incomplete Disclosure
A project involves deception when an investigator gives false information to, or otherwise intentionally misleads, a research participants about some key aspect of the research. If participants will be given false information or otherwise misled during a study, then the participants are not provided with all of the required elements of informed consent and IRB approval for a waiver or alteration of informed consent is required. Examples include:
- Participants are told they scored poorly on an assessment completed as part of a study (regardless of how well they actually did) to see how that information influences their performance throughout the remainder of the study.
- The study involves confederates (individuals who appeared to be research participants but who are actually part of the experiment) who act to manipulate the participant or the participant’s environment as part of the study.
A project involves incomplete disclosure when an investigator withholds or conceals information from a participant about the specific purpose of, or activities involved in, the research. Not all incomplete disclosure requires a waiver or alteration of consent; however, if material information or aspects are withheld that could potentially influence the decision of prospective participants to take part in the research, then the participants are not provided with all of the required elements of informed consent and IRB approval for a waiver or alteration of informed consent is required. Examples include:
- The study is described as a simple decision-making study involving a game played on a computer, but it also involves videotaping of subjects without their knowledge or prior consent in order for researchers to also study body language.
- Participants are only told that they are participating in simple surveys of skin care knowledge, when actually the information contained in the survey is designed to be an intervention/catalyst to see if it causes their behavior to change between two time points or causes them to take a certain action based on the survey information (e.g., wear or purchase sunscreen).
Potential Risks/Harms of Deception/Incomplete Disclosure to consider:
- Feel coerced to have acted against one’s will
- Might not have chosen to participate if fully informed
- If observed without consent, subject may feel invasion of privacy
- Damage to self-esteem: feeling ashamed, guilty, stressed, embarrassed
- Forced to have knowledge about self that otherwise might not want to know
- Feel loss of control, may be distrustful/suspicious
Debriefing is often required when the research involves deception or involves incomplete disclosure of material information/aspects related to the research purpose or activities. In general, the debriefing will explain any deception or incomplete disclosure, provide information about why it was necessary to use deception or incomplete disclosure in the research, and provide other options available to participants (e.g., the ability to withdraw their data). A debriefing template can be found on our templates page. Debriefing is not always required when researchers can provide the IRB with adequate justification for why debriefing is not appropriate. For example, it may be inappropriate when debriefing may cause more harm than the deception itself (e.g., if individuals were selected for participation in a study based upon certain “negative” behaviors/characteristics, it might not be appropriate for the debriefing to describe that aspect of the selection process).
Deception/Incomplete Disclosure and Exempt Research:
Some minimal risk research that involves deception or incomplete disclosure can now qualify for exempt review when subjects prospectively authorize the deception or incomplete disclosure. For example, the consent form could indicate: “This research requires that the full purpose of the study not be explained before you participate. We will give you a full explanation at the end of the study.”
Research with Children
Research with Prisoners
Research in Schools (FERPA, PPRA)
If you plan to do research that will involve collecting data in schools and/or accessing information from education records, you should be aware of the laws and review processes that can impact your data access and collection procedures and those that can potentially limit the IRB’s ability to waive consent.
Chicago Public Schools
- For information on conducting research in Chicago Public Schools to learn about the process and the additional review required, please see CPS’s webpage. Other districts may have similar requirements and review processed.
Federal Education Rights and Privacy Act (FERPA)
- For information on FERPA, see the U.S. Department of Education’s FERPA website.
- For information about how FERPA applies for studies conducted with University of Chicago students, please visit the University of Chicago registrar’s website.
- To utilize FERPA-protected records at UChicago, please request access from the Data Stewardship Council
- For information about how FERPA applies to students at another institution where the research will be conducted, please contact that institution.
Protection of Pupil Rights Amendment (PPRA)
- For information about PPRA, please see the U. S. Department of Education’s PPRA page.
Illinois School Student Records Act
- Like FERPA, the Illinois School Student Records Act generally requires written consent of the student (if age 18) or a parent/legal guardian for release of personally identifiable information from school student records except in specific, limited circumstances laid out in the law. For further information on this State law, see the Chicago Public Schools Policy Manual.
If you plan to obtain information from student education records as part of your research, be aware that FERPA sets forth consent requirements (and exceptions) for accessing information in student education records.
FERPA is a Federal law that regulates the disclosure of personally identifiable information from student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA stipulates that an educational institution has the authority to determine what information may be accessed from an Education Record. If an institution denies an investigator access to information in an Education Record, the IRB cannot overrule the decision.
FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when the student reaches the age of 18 or attends a school beyond the high school level (referred to as “eligible students”). As a general rule, schools must have written permission from the parent or eligible student to release information from a student’s education record. Unless research that falls within FERPA qualifies for an exception under FERPA to the general rule of parental/eligible student consent, the IRB cannot waive consent.
The FERPA regulations specify that a parent or eligible student must provide a signed and dated written consent for disclosure of personally identifiable information from education records, unless the disclosure falls within one of the exceptions discussed below. FERPA’s consent provisions require that the consent information be specific about the records that may be disclosed, the purpose of the disclosure, and the identify of the individual or group to which the records will be disclosed.
Student records can be disclosed to school officials who have a legitimate educational interest without consent from the parent/eligible student under FERPA. Many educators who are also researchers are surprised to find that the student records they personally hold (e.g., tests, journals, written assignments, etc.) are considered part of the official educational records of a student. Even more surprising is the fact that, when conducting research, an educator may not be considered to have a legitimate educational interest in the records they otherwise handle on a regular basis.
Exceptions to the general rule of parental/student consent under FERPA:
FERPA sets out various exceptions to the general rule that consent must be obtained for release of personally identifiable information from student education records. The exceptions most likely to be relevant for University researchers are described below:
FERPA allows schools to designate and disclose, without consent, certain items of information as “directory information,” such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.
Each educational institution designates what information is considered directory information. FERPA requires that students be given the opportunity to file a request to prevent disclosure of directory information, commonly known as “opting out.” An institution will not release any information on a student, even directory information, if a student has “opted out.”
The Investigator should contact each institution from which he/she proposes to access student records and follow that institution’s FERPA policy and procedures when accessing directory information.
An educational institution may release information from student education records without the consent required under FERPA after all personally identifiable information has been removed from the records, provided that the educational institution has made a reasonable determination that a student’s identity would not be personally identifiable. Thus, a school official with legitimate access (other than the researcher) may strip the records of any identifying information and provide the data to the researcher.
Use of coded data: An educational institution can release de-identified student level data from education records for the purpose of education research by attaching a code to each record that may allow the recipient to match information, provided that the educational institution does not disclose any information about how it generated and assigned the code, or that would allow the recipient to identify a student based on a code; the code is not used for any purpose other than identifying a de-identified record for purposes of education research; and the code is not based on a student’s social security number or other personal information.
Research conducted for or on behalf of educational institutions:
Personally identifiable information from student education records may be disclosed by an educational institution/agency to researchers when the disclosure is to organizations conducting studies for, or on behalf of, educational agencies or institutions to: 1) develop, validate, or administer predictive tests; 2) administer student aid programs; or 3) improve instruction. If PII from student education records will be disclosed to a researcher under this exception, the researcher must enter into a written agreement with the educational institution that contains specific assurances on data confidentiality. See 34 CFR Section 99.31(a)(6).
The Protection of Pupil Rights Amendment (PPRA) (20 U.S.C. § 1232h; 34 CFR Part 98), also known as “Student Rights in Research, Experimental Programs, and Testing,” is a federal law that affords certain rights to parents of minor students with regard to surveys that ask questions of a personal nature. The No Child Left Behind Act of 2001 contains a major amendment to PPRA that gives parents more rights with regard to the surveying of minor students, the collection of information from students for marketing purposes, and certain non-emergency medical examinations.
The PPRA applies to any “local educational agency” that receives funding from the U.S. Department of Education. A “local educational agency” means an elementary school, secondary school, school district, or local board of education that is the recipient of funds from the U.S. Department of Education. PPRA also applies to research funded by the U.S. Department of Education.
PPRA has two sets of requirements for surveys:
- Requirements that apply to “protected information” surveys that are funded in whole or in part by the U.S. Department of Education.
- Requirements that apply to “protected information” surveys that are funded by sources other than the U.S. Department of Education and that are administered or distributed by education institutions that receive funds from the U.S. Department of Education (i.e. public elementary and secondary schools and some private schools).
PPRA lists eight categories of protected information for survey responses:
- political affiliations of student or student’s parent;
- mental or psychological problems of student or student’s family;
- sex behavior or attitudes;
- illegal, anti-social, self-incriminating or demeaning behavior;
- critical appraisals of others with whom students have close family relationships;
- legally recognized privileged or analogous relationships;
- religious practices, affiliations or beliefs of student or student’s parent;
- income, other than as required by law to determine eligibility for participation in a program or for receiving financial assistance under such program.
Practical Implications of PPRA for Parental Consent:
Requirements for Protected Information Surveys funded by the U.S. Department of Education
- Does the research involve “protected information” surveys?
- Are the surveys U.S. Department of Education-funded in whole or part?
- Are the surveys “required”?
If the answer is yes to the three questions, PPRA affords parents the right to provide active consent. Thus, even when the Common Rule criteria for a waiver of parental permission are met, the IRB cannot approve waivers of parental permission for surveys, analyses, or evaluations where the primary purpose is to reveal information concerning one or more of the eight protected areas specified in PPRA. Prior written parental consent would be required.
Requirements for Protected Information Surveys, Funded by Sources other than the U.S. Department of Education and administered or distributed by education institutions that receive funds from the U.S. Department of Education (i.e., public schools and some private schools)
- Do the surveys include protected information?
- Are the surveys being administered or distributed by schools that receive any U.S. Department of Education funds?
If the answer is yes to both questions, PPRA affords parents the right to inspect the surveys before they are administered or distributed and to opt the student out of the surveys.
The U.S. Department of Education has not provided guidance about some of the key terms in the current law. For example, the Department has not taken a position about whether the word “required” should be interpreted to mean that surveys that are clearly voluntary are exempt from PPRA requirements. Also, the law does not directly address the question of whether anonymous surveys are exempt from PPRA because anonymous surveys do not provide individually identifiable information about students or their families. Until the Department issues revised regulations implementing PPRA investigators should work with the schools involved to be sure schools are following their policies.
Researchers whose research is subject to the PPRA should review the policies of the local educational agency early in the study design process.
Research with PHI (HIPAA)
Qualtrics Access for Researchers
The University of Chicago has a site-wide license with Qualtrics. Qualtrics is a very good option for secure collection of survey data.
- Further information about accessing Qualtrics for survey research is available from IT Services at https://answers.uchicago.edu/page.php?id=66722.
- Social Sciences Division information can be found at https://sscs.uchicago.edu/page/qualtrics.
Internet and Virtual Research
Zoom Security Memo: PDF
- International Human Subjects Research Standards
- Travel Toolkit for International Research
- Export Control
- UChicago International Travel Resources webpage
Research conducted by University investigators in foreign countries remains under University purview and guidelines, including IRB review and approval when applicable. We do not relax our standards for ethical conduct of research or for a meaningful consent process for research that will be done outside the United States.
- Investigators are responsible for determining the local laws and requirements that apply to their research.
- When drafting written consent documents or proposing alternative consent formats, special attention should be given to local customs and to local cultural and religious norms.
- If the research includes enrollment of children in other countries, the principal investigator is responsible for providing the IRB with sufficient information to verify the age at which participants in such jurisdictions have the ability to consent to participation in research.
- In some instances it may be appropriate for the IRB to alter or waive some or all requirements for written consent. Research proposals for which this may be reasonable should include explanations of cultural norms or conditions that would justify a waiver (e.g., societies where no written language is used).
- You must consider what data security protections should be in place and are allowed in the localities to which you will be traveling. See the guidance on Data Security and Storage for more information on how to protect data and devices.
NOTE: Special rules apply to travel and other transactions related to Cuba, Iran, North Korea, the Republic of the Sudan (aka “North Sudan”) or Syria. For further information, see the UChicago Memo on Export Controls and International Travel.
Data Security & Storage
Data Access, Storage, and Transfer:
- University Information Security
- University Research Data Retention Policy
- Data and Material Transfer Agreements (Contracts, MTAs, DUAs, CTAs)
- UChicago Data Classification Guide
- UChicago Data Usage Guide
- Accessing and Utilizing University Data for Research
- Secure Data Enclave (SDE)
- Center for Research Informatics (CRI)
- IT Contacts for Questions
Everyone in the University community is responsible for protecting our data. Good security practices minimize risk to subjects and financial or regulatory/compliance risks to yourself and the University. Privacy and protection of confidential information is a continued priority for the University.
- Password selection and management–choose strong passwords or passphrases to make sure no one gets access to your private information. Visit the UChicago IT Services’ website at Choosing Good Passwords and Keeping Them Secure for tips on how to create strong passwords and passphrases and how to keep them secure.
- 2Factor Authentication – 2Factor Authentication (2FA) enhances the security of your CNetID by using your device (mobile phone, landline, tablet, hardware token) to verify your identity.
- Virtual Private Network (cVPN)– The cVPN (https://cvpn.uchicago.edu) secures your access to the Internet no matter where you are in the world. Use it whenever you are not at home, on campus, or don’t know whether the local wifi is truly secure.
- File storage and sharing– Use UChicagoBox (https://uchicago.box.com) to securely store and control how files with sensitive data are shared. Carefully set up different Box folders to support the different modes of sharing needed for your protocol. (Note: some data use agreements may preclude the use of UChicago Box — you must comply with the terms of any applicable data use agreements. Data use agreements must be reviewed by University Research Administration.) The University Data Usage Guide shows which services can and cannot be used to store and share sensitive, identifiable human subject research data.
- Operating System & Software Application Updates– keep your device’s operating system and software applications updated. You can add program application update tools that will prompt you to install the latest updates by visiting the Updating Non-Operating System Software
Avoid Accidental or Coercive Exposure of Sensitive Information
Whether at home, work, or traveling, you should secure your digital environment and restrict access to sensitive information.
- Encrypt laptops, desktops, and mobile devices that contain sensitive information. Visit the IT Services Knowledge Base for instructions.
- For smartphones, tablets, and other mobile devices, set a passcode to access your device, set a passcode lock that requires the PIN to be re-entered after 5 minutes of inactivity, and set up auto-wipe so that the device wipes (erases) all of the data it contains after 10 successive passcode failures.
- Use an encrypted and password protected flashdrive to move sensitive data to other devices or share data with others when UChicagoBox is not used. Encrypted USB drives are available at local retailers as well as https://buysite.uchicago.edu.
- Never ask for or supply more sensitive information than necessary.
- Anyone who can access sensitive information should be made aware of its importance and be trained in handling it, including transcribers and data coders.
- Use Identity Finder to help you locate sensitive data on your computer.
Report any data security incidents to UChicago’s IT Security (email: firstname.lastname@example.org; phone: 773-702-2378) and to the IRB if your study involves human subjects research.
Keeping Your Data Safe When Traveling
- Do not leave your devices unattended. Keep mobile devices on your person or in a locked safe whenever possible. Ensure that they are encrypted and have a PIN as described above.
- Do not expect privacy. Certain countries have policies or legal environments that allow them to record everything and anything, from cellular calls to internet traffic. Be prepared when traveling abroad that you may be compelled to share any data brought with you. Certain countries restrict encrypted devices.
- Make sure that cVPN is set up on your computer before you travel.
- Install a privacy screen on your laptop to discourage “shoulder surfing.”
- Back up your data and media to a device that will remain in the United States or to UChicago Box.
- Only download iOS or Android mobile apps from the Apple or Google App Store.
- Less is best – bring the least amount of information/data and the fewest devices possible. Utilize travel-only devices that are stripped down to only necessary documents, services, and applications.
- If possible, do not insert USB (“thumb”) drives or other portable media given to you when traveling. If it is necessary, before plugging them in make sure that your virus definitions are up-to-date and that your anti-malware program is configured to automatically examine USB devices for malware before enabling access to them.
- Turn off your device, or at least the Wi-Fi and Bluetooth capabilities, when not in use. Do allow them to be in “sleep” or “hibernation” mode when they are not in active use.
- Limit use of public terminals, and avoid using accounts that require usernames and passwords on public machines. It is easy for someone to set up a fake WiFi network in a hotel or other public area and encourage people to connect to it to capture sensitive information.
- If for some reason you can’t use a VPN, at least protect your web browsing. Try typing https instead of http into the address bar — to access Gmail, for example, you’d type https://gmail.com. If a padlock appears beside the address, the data you send and receive from that site is encrypted. If you’re using Chrome, Firefox, or Opera, it’s even easier: install the HTTPS Everywhere plugin and it’ll do this for you automatically.
- If you are doing something sensitive online, use cVPN, in addition to any other measures such as HTTPS, to protect the connection against eavesdropping. Also, it’s harder to intercept cellular networks than Wi-Fi ones, so if you have access to reasonably priced cell data on your phone or tablet, use it.
- If you absolutely must use a public computer, don’t do anything involving money (e.g., online banking and purchasing that involves entering credit card details), use two-factor authentication for as many online services as possible, use the web browser’s Incognito/Private Browsing mode to avoid your details being saved, log out of all of the apps you use, and reboot the computer when you’re finished with it.
- Software like Prey, Find My iPhone, and Android Device Manager all offer various features for tracking down stolen gear. They can report their location, take photos and video, sound alarms, display messages on the screen, and more, and can help reunite you with your technology. Make sure they’re set up and working correctly before your gear goes missing!
- If your mobile device has been lost or stolen, you can remove xMail data in that device by following the steps on the IT Services website at Security – Remote Data Wipe of Mobile Devices Using xMail.
- Upon your return to the United States, run anti-virus software to scan your device for malware and follow the instructions to correct any issues. If you used your CNET ID and password while traveling abroad, it’s a good idea to change your password when you return.
Report any incidents/breaches to UChicago’s IT Security (email: email@example.com; phone: 773-702-2378), and to the IRB if your project involves human subjects research.
Privacy & Confidentiality
Transcription or Translation Services
Certificate of Confidentiality (CoC)
What is a Certificate of Confidentiality?
From NIH: Certificates of Confidentiality (CoCs) protect the privacy of research subjects by prohibiting disclosure of identifiable, sensitive research information to anyone not connected to the research except when the subject consents or in a few other specific situations. NIH funded researchers are automatically issued a CoC through their award. Other Department of Health and Human Services (HHS) agencies (FDA, CDC,SAMSHA, HRSA, IHS) issue CoCs for research they fund. Researchers can request a CoC from NIH for health-related studies that are not funded by HHS. Issuance of CoCs for such requests is at the discretion of the NIH. See: https://grants.nih.gov/policy/humansubjects/coc/what-is.htm
Notice of Changes to NIH Policy for Issuing Certificates of Confidentiality
Effective October 1, 2017, all research that is funded wholly or in part by the NIH and collects or uses identifiable, sensitive information is deemed to be issued a Certificate of Confidentiality, and is therefore required to protect the privacy of individuals who are subjects of such research in accordance with subsection 301(d) of the Public Health Service Act. This change is retroactive to December 13, 2016. Studies not funded by NIH can continue to apply for a CoC.
For more information, please see
Am I affected?
- If you have a NIH-funded or supported project that was started or ongoing on or after December 13, 2016, your project may now be covered by a CoC, even if you did not apply for one. See the link above to determine if your project is within the scope of this policy.
What do I need to do if I am affected?
- You will need to comply with the requirements in 301(d) of the Public Health Service Act (see the link above for more information).
- You will need to make sure those you share information with know the requirements. Recipients of Certificates are required to ensure that any subrecipients as well as any investigator or institution not funded by NIH who receives a copy of identifiable, sensitive information protected by a CoC, understand they are also subject to the requirements of subsection 301(d) of the Public Health Service Act.
- For studies in which informed consent is sought, NIH expects investigators to inform research participants of the protections and the limits to protections provided by a CoC. For studies where enrollment is ongoing, this means an amendment will be needed to add the required CoC language to the consent form (generally, this can occur at your next continuing review or the next time you need to amend the consent form for other reasons). You should also amend the form to eliminate provisions that may be inconsistent with the new CoC protections. If research subjects are no longer actively participating in the project, then an amendment to the informed consent process may be impractical: contact the IRB office for guidance.
Additional guidance and changes to the AURA application are in development; please contact the SBS IRB office (firstname.lastname@example.org) with questions.
- NIH Information Sheet for researchers regarding Certificates of Confidentiality: NIH information sheet
- National Institutes of Health’s internet site on Certificates of Confidentiality: https://humansubjects.nih.gov/coc/index
CoC Consent Template Language:
This research is covered by a Certificate of Confidentiality from the National Institutes of Health. The researchers with this Certificate may not disclose or use information, documents, or biospecimens that may identify you in any federal, state, or local civil, criminal, administrative, legislative, or other action, suit, or proceeding unless you have consented for this use. Information, documents, or biospecimens protected by this Certificate cannot be disclosed to anyone else who is not connected with the research except if there is a federal, state, or local law that requires disclosure (such as to report child abuse or communicable diseases, see below); if you have consented to the disclosure, including for your medical treatment; or if it is used for other scientific research, as allowed by federal regulations protecting research subjects.
Exceptions to data confidentiality:
The researchers will voluntarily disclose information to the appropriate authorities about evidence of child abuse, and/or intent to hurt yourself or others. In addition, a Certificate of Confidentiality does not prevent you or a member of your family from voluntarily releasing information about yourself or your involvement in this research. If an insurer, employer, or other person obtains your written consent to receive research information, then the researchers may not use the Certificate to withhold that information. Finally, the Certificate may not be used to withhold information from the Federal government needed for auditing or evaluating Federally funded Projects or information needed by the FDA.
Collaborative Research Agreements (IAA, IIA, COA)
Data Use Agreements (DUAs, MTAs)
Payments to Research Participants
University Policy on Payments to Research Participants:
The University’s policy on payments to research participants is created by the Office of Financial Services. The full policy is available at http://finserv.uchicago.edu/support/policies/1200/1218_HumanSubect.shtml
- Payments to Human Subjects over $100 per occurrence must be paid directly to the individual via University check. Gift cards, gift certificates or in-kind payments over $100 per occurrence are not permitted as remuneration for participation in a research study. Refer to the University Check section within the Paying Human Subjects procedures and guidelines.
- Human Subject payments $100 and under per occurrence can be processed via University check or other methods including petty cash, gift cards or in-kind payments. Refer to the Cash Payment section within the Paying Human Subjects procedures and guidelines.