IRB and IT Security

The IRB, or Institutional Review Board, involves IT Security where a study pertains to sensitive data. We can help researchers meet the requirements needed for their study.

What is the IRB?

The Health Sciences and Behavioral Sciences Institutional Review Board (IRB-HSBS) is responsible for protecting the rights and welfare of human subjects participating in research conducted by faculty, staff and students affiliated with the University of Michigan – Ann Arbor Campus. It comprises a number of people from various departments at the University (10-16 people). More info:

General process

A researcher submits an application to the IRB. A number of items must be filled out before it can be approved for an IRB review. The researcher will get a pre-review before the actual submittal to the IRB. This helps the researcher have all the necessary information in place before meeting with the board. Once the researcher resubmits, the study will get reviewed. This IRB board review only happens once a month.

General workflow for IRB

Initial submission -> pre-review -> feedback/fix -> resubmit -> get approved for IRB board review.

The IRB may ask the researcher to contact the CoE IT Security Unit Liaison (SUL) to review security requirements that may be needed. The SUL will typically forward the request to the CoE Security Analyst Team. For the CoE Security Analyst Team to help the researcher, the following parties work together:

  1. IT Security Unit Liaison (SUL): [email protected]
  2. CoE Security Analyst Team: [email protected]
  3. Researcher’s Departmental IT staff: contact email varies per CoE department

Once the request is received from the researcher, the group replies to the researcher about their issues so that they can move forward with their submittal. At this point, it is also determined whether further consultation is needed.


When the researcher reaches out to CoE support (typically , we must determine where they are in the workflow. We have seen questions asked prior to the board review. Especially in that case, we may refer the researcher to the Data Security Guidelines and then consult with them if needed after they review that information.

Storage of Data

Researchers frequently ask where they can store and share their data. Because their project is submitted to HSB-IRB, they usually have a sensitive data type. It is usually classified as either:

  1. sensitive human subjects research data or
  2. protected health information (PHI).

If help is needed, the Sensitive Data Guide can help determine the appropriate solution for their needs. Google Drive at U-M is an example of a solution that can be used with either data type.

Information needed from the researcher

  1. IRB number or study title
    1. Primarily HUM#
    2. AME would be a specific amendment to an original study.
    3. CR is for a Continuing Review – an existing study hasn’t changed but is up for a periodic / scheduled review
  2. General outline of the study
    1. Ask the researcher for this, as we would not have access to the IRB data.

IRB can go two ways.

  1. Give them as much detail as possible to be ready for submittal.
    1. Give the researcher as much assistance as needed. This may involve a more comprehensive discussion of the researcher’s project.
  2. Wait until after the IRB Board (Approval upon contingency)
    1. The researcher has some plan in place to conduct their study and has enough to proceed, but has to clear up some detail before getting final approval.
    2. The IT security team can take more specific action to help the researcher.

Remember, researchers' level of experience with the IRB submittal process will vary. Be flexible and help with what is asked.