Data Sharing

This page has been updated to reflect the New Rule effective January 21, 2019.

Page updated April 18, 2024

Inbound Data Received for Research Purposes

  1. If the data comes to MIT with a previously negotiated Data Use Agreement (DUA) then the MIT researchers must follow the terms of the DUA.
  2. If the data comes to MIT with or without a previously negotiated DUA then:
    1. COUHES review is required if the data contains personal identifiers, or was collected specifically for the research study being contemplated at MIT
    2. If none of the conditions in 2.a. are met then activities are not considered human subjects research and COUHES review is not required.
  3. For incoming data when MIT is the recipient of third party protected health information (“PHI”) used for MIT research purposes, please refer to Guidance on Use of Protected Health Information for Research Purposes

Outbound Disclosure of Data to Researchers

  1. Data that is already publicly available, such as through a publication or as outlined in the consent form, do not require a DUA or COUHES review. 
  2. If data to be shared with an outside researcher is de-identified but not public, then:
    1. COUHES will need to review the consent form under which the data was gathered to ensure it permits sharing for the purposes envisaged by the research.
    2. In addition, a DUA will need to be in place between MIT and the receiving institution if the sharing is for secondary use (i.e. sharing data for a future research) and/or if required by applicable regulations.
  3. If the data to be shared with an outside researcher is nonpublic and contains personally identifiable information then:
  1. COUHES review of the full protocol proposed by the outside researcher is required. However, COUHES ordinarily will cede jurisdiction for review to the IRB of the receiving institution.
  2. COUHES will review the consent form under which the data was gathered to ensure it permits sharing for the purposes envisaged by the research.
  3. In addition, a DUA will need to be in place between MIT and the receiving institution if the sharing is for secondary use (i.e. sharing data for a future research) and/or if required by applicable regulations (i.e. sharing limited data set).

Sample Scenarios

  1. MIT collaborates with institution B on a human subjects research, institution B helps MIT to analyze de-identified data. MIT will obtain IRB approval. Institution B will not obtain IRB approval because institution B is not engaged in the research. A DUA is NOT required for institution B to receive de-identified data from MIT because Institution B is collaborating with MIT for the same research project.
  2. MIT collaborates with institution B on a project, both institutions will exchange data (including identifiable data) with each another. Both institutions will obtain IRB approval. A DUA is NOT required for institution B to receive data from MIT because institution B is collaborating with MIT for the same research project.
  3. MIT plans to release data to institution B for secondary use. MIT is not involved in the outside institution’s research other than to share data. A DUA is required for institution B to receive data from MIT because the sharing is for secondary use.

DUA requests

For inbound data received by MIT, use the Hermes Portal

For outbound disclosure of data, please contact OGC.

The Principal Investigator is responsible to ensure that the DUA is fully executed before starting any research activities and the Principal Investigator must keep the fully executed DUA in their research records.

 

Broad Consent

For research data collected under broad consent, investigator must submit an Application for Comprehensive Review to COUHES and include a copy of the consent form for which the data was collected. Data collected under a broad consent for which a participant did not agree to share their data, de-identified or identifiable, cannot be shared outside the institution or organization collecting the data.