Analysis of Existing Data

For the purposes of IRB review, existing data are data not generated by the researcher. Existing data may be in the form of individual records (e.g., academic, medical, financial), data sets, interview notes, biospecimens, online profiles and posts (e.g., social media), and audio- or video-recordings. These data could be available for purposes other than research, and are sometimes, but not always, identifiable.

Identifiable data either directly identifies participants or contains enough information to deduce a participant’s identity.

Analysis of publicly available de-identified data may not need IRB review. Data are considered public if they are readily available for research purposes without making a formal request. That is, the data can be downloaded with a simple click from an open, public-facing website. Data are not public if researchers need to create an account, register a study, submit an application, or enter into an agreement before accessing the data. Data provided by colleagues by way of a personal arrangement or request are not considered public.

Duke researchers receiving existing data for research purposes need to identify the mechanism under which those data are being provided. The mechanism usually dictates how Duke will receive and protect the data. The mechanism can be a data use agreement, data transfer agreement, or a memorandum of understanding. Copies of confirmation emails from the data provider or screenshots of a completed online data request application may also be acceptable.

If the data provider does not have data protection instructions or guidance, researchers are responsible for creating a plan. The Campus IRB will connect researchers to the grants and contracts and the IT Security offices for assistance. Researchers can also visit Developing Data Protection Plans for additional information.

To submit a request for analyzing existing data, see Analysis of Existing Data.


Campus IRB