University of Delaware
Toolbox

Guidance on Human Subjects Research Data Storage & Retention

All research involving the collection of data from interaction or intervention with human subject and/or access to identifiable private information must be reviewed and approved by an Institutional Review Board (IRB) prior to its initiation.

Research subject to IRB review and approval includes activities like surveys and questionnaires, prototype testing on humans, access to private identifiable information from data repositories, medical or physical intervention, psychological testing, collection of biological samples for research purposes, etc.

Records associated with human subjects research approved by the IRB via expedited or full board review, are subject to federal and University of Delaware record-keeping requirements. The information below is a guide to the recommended practices and procedures for handling and storing human subjects research data at UD.

While the Project is Active

A human subjects research project is considered ‘active’ from the time IRB approval is issued until the time personal identifiers linked to the research data no longer exist and the project is closed. Records for active IRB approved research projects must be stored in some form (paper and/or digital form) in secure locations on campus. For research performed off-campus, the data should be secured and returned to campus as soon after collection as it is practicable. Particular care should be taken to protect data on lap-top computers, external hard drives and other portable devices. Study information containing personal identifiers stored on these devices should be encrypted (see link for UD’s guidelines on encryption) to prevent unintentional breaches of confidentiality in the event the storage device is lost or stolen. Similarly, paper records identifying research participants including consent forms should be kept in a secure location with access restricted to key study personnel. The level of protection for the data should be commensurate with the sensitivity of the data. Basic levels of storage are as follows:

Paper Records (e.g., consent forms, data files, medical records, etc.): Paper files related to human subjects participation in research must be securely stored on campus. Access to files should be restricted to key personnel and supervised by the principal investigator(s) of the study. Locked file cabinets ought to be used and preferably located in secured locations (i.e., locked office or laboratory). In the event that research activities are not carried on campus AND it is necessary to maintain the consent forms at the research site, copies of the signed consent forms should also be stored on a secure University location (either as a paper copy or in digital form).

Signed informed consents must not be used as the identifying link to the research data and must NOT contain participant ID numbers nor be filed with other research data files.
Digital Records (e.g., electronic files, digital recordings, etc.): Digital files containing human subjects research data must be stored in password protected files, preferably on University maintained servers with regular and secured back-up. Sensitive data should also be encrypted (see link for UD’s guidelines on encryption).
Tapes and other media-supporting devices used for audio and/or video recordings should be stored in the same secure manner as paper records and erased as soon as information has been transcribed or coded and is no longer needed for research.
IRB approval for expedited and full board reviewed protocols must be renewed annually on or before the approval expiration date. Continuing review must be obtained for as long as recruitment, data collection activities are undergoing, and/or private identifiable data are stored (that is, the identifying link between the data files and the participants’ identity still exists and is accessible to the researcher(s)):
IRBNet will send automatic reminders 60 days and 30 days before the expiration date, and an expiration alert the day an approval is set to expire. Please plan to submit your continuing renewal application with enough time to allow for its review and approval. No recruitment, data collection, or private identifiable data analysis activities shall be carried on under an expired protocol.
If no continuing review application is submitted for review, projects will be closed after expiration. Further data collection and/or identifiable data analysis will require a new submission for IRB review and approval.

Project Closure and Record Retention

Approved human subject research projects should be closed at the time all data have been collected and identifying information is no longer needed. De-identified data for which no identifying key exists can be kept for further analysis and do not require continuing review and approval by an IRB.

A project closure report should be submitted to the IRB once data are no longer identifiable.


Compliance with 45 CFR 46.115(b) requires that all records relating to IRB approved research be retained for 3 years after closure of the project.
Records to be maintained include: copies of all research proposals reviewed, scientific evaluations (if any), consent documents, progress reports, reports of injuries to subjects and other unanticipated problems, and copies of all correspondences between the IRB and the investigator(s).Records may be preserved in hard-copy, electronic or other media form, and must be accessible for audit purposes. Records for completed projects should be stored in secure locations on campus with the same care used when the project was active.


If a researcher (faculty, staff or student) leaves UD, a copy of the research records must remain on campus. Students should coordinate storage of research records with their faculty advisor(s) and/or departments. In the event that the advisor or department are unable to retain the records, they should be sent to the IRB office for secure storage in University Archives. Copies of all human subjects research records for faculty and staff leaving the University should similarly be sent to the IRB office for secure storage in University Archives. Records sent to archives will be recalled only in the event of an audit requirement, and will be destroyed at the end of the 3 year retention period.

Destruction of Records

Destruction of human subjects research records should be performed in a fashion that protects the confidentiality of the research subjects. It is recommended that paper records be shredded, that physical tapes (audio and video) be erased and physically destroyed, and that electronic media used to store data be scrubbed after the files are deleted.

Researchers may retain de-identified data for future analysis in the context of the project the data were collected for. Data are considered to be completely de-identified when ALL links between individual identity and the data are destroyed. Research data are not considered de-identified simply because names have been removed if they still contain information that might identify the participants such as date of birth, address, etc.

For Further Guidance

For further guidance, please contact the IRB Office at 302-831-2137