Data Sharing

This page has been updated to reflect the New Rule effective January 21, 2019.

Inbound Data Received for Research Purposes

  1. If the data comes to MIT with a previously negotiated Data Use Agreement (DUA) then the MIT researchers must follow the terms of the DUA.
  2. If the data comes to MIT with or without a previously negotiated DUA then:
    1. COUHES review is required if the data contains personal identifiers, or was collected specifically for the research study being contemplated at MIT
    2. If none of the conditions in 2.a. are met then activities are not considered human subjects research and COUHES review is not required.

Outbound Disclosure of Data to Researchers

  1. Data that is already publically available, such as through a publication or as outlined in the consent form, do not require a DUA or COUHES review. 
  2. If data to be shared with an outside researcher is de-identified but not public, then:
    1. COUHES will need to review the consent form under which the data was gathered to ensure it permits sharing for the purposes envisaged by the research.
    2. In addition, a DUA will need to be in place between MIT and the receiving institution.
  3. If the data to be shared with an outside researcher is nonpublic and contains personally identifiable information then:
    1. COUHES review of the full protocol proposed by the outside researcher is required. However, COUHES ordinarily will cede jurisdiction for review to the IRB of the receiving institution.
    2. COUHES will review the consent form under which the data was gathered to ensure it permits sharing for the purposes envisaged by the research.
    3. In addition, a DUA will need to be in place between MIT and the receiving institution.

Broad Consent

For research data collected under broad consent, investigator must submit an Application for Comprehensive Review to COUHES and include a copy of the consent form for which the data was collected. Data collected under a broad consent for which a participant did not agree to share their data, de-identified or identifiable, cannot be shared outside the institution or organization collecting the data.