General Questions

1. What constitutes “identifiable information”?

Information is identifiable when (1) it can be linked to specific individuals, or (2) a combination of the information/characteristics could allow others to ascertain the identities of individuals. Examples of directly identifiable information may include (but are not limited to):

  • Name
  • Contact information (e.g., home address, work address, fax number, email address, phone number, license plate number, driver’s license number)
  • ID numbers (e.g., student ID, employee ID, social security number, IP address, IMEI number [unique number associated with a cell phone], user name, account number)
  • Voice (e.g., audio recording)
  • Facial features (e.g., photograph and video recording)
  • GPS tracking data and location data
  • Fingerprints

In some cases, elements of information/characteristics that are not regularly identifiable alone can be considered “identifiable” when combined. For example, a combination of age, gender, ethnicity, and place of employment might allow identification of certain individuals in some situations.

Regulations under the Health Insurance Portability and Accountability Act (HIPAA) are more stringent than the requirements for protection of human subjects under 45 CFR 46 and 21 CR 50 & 56. Therefore, when conducting research involving Protected Health Information (PHI), researchers should refer to HIPAA and Human Subjects Research and the list of 18 identifiers to determine whether the information is considered “identifiable.”

Effective March 2018, the National Science Foundation requires recipients of NSF funding to protect Personally Identifiable Information within the scope of an NSF award. See NSF Procedures for Breach of Personally Identifiable Information (PII) on the Sponsored Projects Office website for more information about Article 35.

2. What if I will be accessing non-UC Berkeley data?

Incoming Data to UC Berkeley

General Information

Whenever UC Berkeley (UCB) investigators plan to obtain non-UCB data for research, the investigators should contact the Office for Protection of Human Subjects (OPHS) prior to accessing the data in order to determine if the project meets the threshold definition of “human subjects research” (HSR).

If the project meets the definition of HSR, an application must be submitted to OPHS/CPHS for review and approval prior to the research taking place. Investigators should consult with an OPHS Analyst to determine which level of review is required before submitting an application.

Incoming Data with a Data Use Agreement (DUA)

Sometimes, a DUA is required by the dataholder to gain access to the data. For example, investigators must obtain a DUA in order to access a Limited Data Set (LDS) from a HIPAA-covered entity. Whenever a DUA is required, investigators should contact the Industry Alliances Office (IAO) at to have them review and sign the DUA on behalf of UC Berkeley. Investigators are not authorized to sign DUAs on the University’s behalf.

UC Berkeley’s Committee for Protection of Human Subjects (CPHS) does not review DUAs; therefore, investigators should not upload the DUA to their OPHS/CPHS eProtocol application. However, investigators must provide a statement in the Study Procedures section of their application confirming that they will contact/have contacted IAO regarding the DUA, if applicable. In addition, the Confidentiality section of their application, where data storage and security for the incoming data is described, should match what is written in the DUA.

If the data will come to UC Berkeley with a previously-negotiated DUA, UC Berkeley investigators must contact IAO to renegotiate the agreement. DUAs are binary agreements between institutions and are non-transferable.

Accessing California State Data

UCB investigators may want to access personally identifiable data from a California (CA) State agency for use in research. Investigators should be aware that, pursuant to the California Information Practices Act (SB 13) (effective January 1, 2006), CA State agencies will only release personally identifiable data to UCB investigators when the request to access the data has been reviewed and approved by the state of California’s institutional review board (IRB).

Note that review by the CA State IRB does not replace/meet UC Berkeley’s IRB review requirement. And, in accordance with SB 13, the State IRB will not rely on another institution (i.e. UC Berkeley) for review of research involving personally identifiable state data. However, on a case-by-case basis and with the approval of the OPHS Director, UCB may be willing to rely on the State IRB for review. Investigators must contact OPHS regarding any requests for UCB to rely on the State IRB.

3. Can I collect/analyze existing data posted on the Internet without human subjects review/approval?

Use of public internet data such as the National Center for Health Statistics or National Center for Biotechnology Information data does not require IRB review. However, collecting or analyzing an individual’s identifiers or opinions from the Internet for research purposes may require IRB review if there is an expectation of privacy and/or if obtaining data requires special permission. Please review our Internet-Based Research guidance for more information.

4. If my study does not involve human subjects research, how can I get documentation for my records?

If your study is not human subjects research and you would like to get confirmation and documentation of that, please email your request to with a summary of your research purpose, procedures, and data collection. If you are unsure if your study involves human subjects research, you should call the Analyst of the Day at 510-642-7461.

5. What research falls under FDA regulations?

​A human subjects research study falls under FDA regulations if it meets one of the categories listed below.

  1. Research involving the administration, dispensation, or use of a drug, such as:
    1. research conducted under an Investigational New Drug (IND) application; or
    2. certain research involving marketed drug products that are exempt from the IND regulations.
  2. Device research conducted to determine the safety/effectiveness of a device or support a research/marketing application to the FDA, such as:
    1. a device study that is exempt from the IDE regulations;
    2. a non-significant risk device study; or
    3. a significant risk device study.

See Drugs and Medical Devices in Research for additional information.

6. What are clinical trials?

(1) Controlled, clinical investigations of a drug or biologic subject to FDA regulation; and
(2) Controlled trials of devices with health outcomes and pediatric post-market surveillance.

An “applicable” clinical trial defined by the Food and Drug Administration is a trial that must be posted on These are clinical trials as defined above excluding Phase 1 drug or biological studies and small feasibility studies of devices.

7. Can I invite students taking the course I teach to be in my research study?

The research regulations require that informed consent be sought in circumstances that minimize the possibility of coercion or undue influence (45 CFR 46.116). Due to the power differential between students and instructors, it is very likely that students will feel pressured to participate. For example, they may believe that failure to do so will negatively affect their grades and/or relationship with the instructor. Additionally, even though ongoing voluntary participation is emphasized in the consent process, students who wish to withdraw may find it difficult to do so when this involves informing the instructor of their decision. For these reasons, it is generally preferable for instructors to conduct research with individuals who are not taking their courses (e.g., recruit students from another class).

In certain situations, the use of an instructor’s own students is integral to the research question (e.g., introducing a new teaching strategy or novel content into an existing course). If an instructor does wish to conduct research with his or her students, the eProtocol application should include a rationale as to why the study should be conducted with these particular students. The rationale should be accompanied with a detailed description of the instructor’s plan to minimize the potential for student subject coercion/undue influence to participate. The consent document should also include appropriate language to address these issues.

Ways to minimize coercion and undue influence in a classroom setting include the following:

  • Having an independent third party (e.g., research colleague who has no pre-existing relationship with the students) announce the study and conduct the informed consent process, including the distribution and collection of the consent documents. This individual will need to be added as personnel in the eProtocol application and complete appropriate human subjects training.
    • These activities should occur at a time when the instructor is out of the room.
    • The third party individual should be sufficiently familiar with the study to serve as the contact person for all study-related questions.
  • Arranging for a colleague to run the study and collect all of the data (at time[s] when the instructor is not present. This individual will need to be added as personnel in the eProtocol application and complete appropriate human subjects training.
  • Blinding the instructor to who did and who did not participate – at least until final grades have been assigned.

Researchers may wish to consult with OPHS staff concerning further ways to minimize coercion and undue influence within the context of your own particular study design.

Quality assurance/quality improvement on the effectiveness of the curriculum—unless there is an intent to generalize the results—may not rise to the level of human subjects research. Researchers should contact OPHS staff to discuss the intent of the activity.

8. What training do you offer for non-UCB collaborators?

Please refer to the Quick Guide to Non-Affiliates and Outside Collaborations.

9. What if I will be sharing data with non-UC Berkeley investigators/institutions?

Please refer to the Quick Guide to Non-Affiliates and Outside Collaborations.

10. What do I need to know about human subjects research involving Massive Open Online Courses (MOOCs)?

Please refer to the Quick Guide to Massive Open Online Courses (MOOCs).

11. Can volunteer research assistants help us in the lab?

Please refer to the Quick Guide to Non-Affiliates and Outside Collaborations.

12. I am a student investigator who will be withdrawing from enrollment in order to conduct my human subjects research. What are some considerations I need to make regarding my protocol?

Please refer to the Quick Guide to Non-Affiliates and Outside Collaborations.

13. How can I pay subjects using campus funds?

The Berkeley Human Subject Prepaid Card Program (HSPC) allows researchers to pay study participants using Berkeley funds. In order to be eligible to participate, researchers must submit a request to Cash Handling and Banking Services for each research study for which they plan to issue payment. This request must include proof of CPHS approval, as well as a user agreement to register each employee who will have access to the Prepaid Card Program portal and the IP address of his/her workstation.

There are three types of payment options for researchers to choose from:

  • Instant Issue Plastic
    Departments will issue a Visa debit card directly to subjects after they perform an easy-to-use activation and load process.
  • Personalized (Bulk) Plastic
    Visa debit cards will be mailed directly to the subjects. This program is designed to pay a large number of study subjects.
  • Virtual Payment
    Subjects will be provided virtual card payment information via email notification to allow for online purchases or the option to transfer funds to their personal bank accounts.

14. Where can I receive assistance with my research using large secondary data sets?

Researchers should contact the Berkeley Research Data Management (RDM) program. Research data is broadly defined to include the digital inputs to and products of research performed in all campus disciplines. A partnership between Research IT and the Library, the RDM program offers consulting, training, and online guidance to address new requirements from funding agencies, publishers, and data providers, and to help researchers manage and steward their data effectively and efficiently.

Protocol-Related Questions

1. What does “normal education practices” mean in the context of Exempt Category 1?

This category may include research on established teaching methods, curriculum content and commonly-accepted classroom management techniques that are planned and implemented by the teacher/instructor. Normal educational practices are activities that would occur regardless of whether the research is conducted. Therefore, a study that involves implementing a new instructional strategy and/or untested curriculum would not constitute “normal education practices.” Studies that involve surveys and interviews with minors that focus on the characteristics of the children themselves rather than the educational activity being evaluated would not qualify for an exemption.

2. What is Exempt Category #70 for UC Berkeley?

Please refer to the Quick Guide for Exempt Category 70.

3. I am a student investigator. What training verification do I need to provide in my protocol application?

All UCB student investigators or key personnel engaged in human subjects research must complete either of the following CITI courses: Group 1 Biomedical Research Investigators and Key Personnel or Group 2 Social Behavioral Research Investigators and Key Personnel. Additional guidance for student researchers can be found at OPHS’s Student Investigators Guide. For information on the CITI Responsible Conduct of Research course for NSF-funded studies, please refer to RAC’s resource on training.

4. If I am in the data analysis phase of my research do I need to renew my protocol?

It depends. If you still have access to identifiable data you must continue to renew your eProtocol application until all analyses are complete or all identifiers have been destroyed. Identifiable data include audio/video recordings as well as coded data where the identifier key is retained. If all identifiable data fields have been destroyed and data analysis will be conducted using only de-identified data, no renewal application is necessary and the protocol may be closed.

5. How do I get information on confidential and secure data storage?

Please refer to our data security policy for guidelines on how identifiable information should be stored based on the storage device, location of the storage device, and who has access to the storage device.

6. What is the difference between privacy and confidentiality?

Privacy is control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others. Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure. Examples of protecting subject privacy include conducting interviews in private areas or closing exam room curtains when conducting physical exams. Examples of minimizing the likelihood of a breach of confidentiality include sharing subject data only with other study team members, encrypting and password-protecting data files, and maintaining lists of subject names/study identification numbers in a separate, secure location from all other private study data.

7. What is anonymous data collection?

Anonymous data collection means that no identifiable information (e.g. name, address, student ID number, email address, phone number) is connected to the data either directly or through a coding system at any point in the study. In addition to videotapes and photographs, audio recordings are not considered to be anonymous. It is also possible that multiple pieces of information, none of which are identifiable on their own, may uniquely identify a person when brought together; in this case, the data would not be considered anonymous. For more information on de-identified data sets, please visit our Secondary Use of Existing Data guidance document.

8. How long should I keep my research records?

Research record retention length varies depending on sponsor, population, use of protected health information, federal regulations, and the Food and Drug Administration regulations when applicable. Please refer to the University of California Office of the President Administrative Records Relating to Research: Retention and Disposition Requirements document for requirements.

9. How can electronic signatures be used to document informed consent?

Electronic signature means a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature (21 CFR 11). Electronic signatures can be created using a wide variety of methods including, but not limited to, user name and password combinations, biometrics, computer-readable ID cards and digital signatures.

Federal regulations allow for electronic consent signatures as documented consent when the subject’s identity can be verified (see Use of Electronic Informed Consent: Questions and Answers). The regulations do not specify any particular method for verifying the identities of individual subjects when obtaining electronic signatures and accepts a number of methods.

An electronic consent signature obtained from a subject whose identity cannot be verified is not documented consent. In this situation, investigators must either obtain a handwritten consent signature* or ask the IRB for a waiver of documented consent. Federal regulations allow investigators to request a waiver of documented consent for minimal risk studies, and for certain greater than minimal risk studies, according to the below waiver criteria:

A. The only record linking the subject and the research would be the consent document AND the principal risk of the research would be potential harm resulting from a breach of confidentiality (criterion A is not described in 21 CFR 50 and therefore does not apply to FDA-regulated research).


B. The research presents no more than minimal risk of harm to subjects AND involves no procedures for which written consent is normally required outside of the research context.

*A handwritten signature means the scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument such as a pen or stylus is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark (21 CFR 11). For example, a handwritten signature obtained on a tablet device is treated as documented consent, just as it would be if obtained as an ink signature on a paper consent form.

10. What documents need to be translated if I will be recruiting subjects in a non-English language?

For Non-Exempt protocol applications that have non-English literate subject populations, CPHS requires translated versions of all consent documents appropriate for your subject population(s). Translations should be submitted to and approved by CPHS prior to their use in the field. Certified translations are not required. However, PIs are responsible for affirming the accuracy of any translated documents. UCB does not provide translation/verification services.

Other Regulatory Questions

1. How do I comply with CA State CPHS data security requirements?

When research projects need to use personally identifiable research data (PID) from California state agencies, state CPHS requires researchers to comply with a specific set of data security requirements before releasing PID. Campus Information Security Office has developed an assessment program to help researchers to comply with these data security requirements. Please go to California State CPHS Data Security Assessment Service for more information on how to meet state CPHS data security requirements.

2. Where do I get information about Biohazard Use Authorization (BUA) numbers?

For Biomedical Non-Exempt researchers, please refer to UC Berkeley’s Environmental, Health and Safety website for information regarding BUA numbers.

3. Under the University of California Policy on Sexual Violence and Sexual Harassment, as set forth by the Systemwide Title IX Office, are Responsible Employees required to report disclosures about Prohibited Conduct received in the course of conducting CPHS-approved or certified exempt human subjects research?

Responsible Employees are not required to report disclosures of Prohibited Conduct made by an individual when participating in human subjects research that has either been approved by an Institutional Review Board (IRB) or certified as exempt from IRB review under one or more of the categories in 45 CFR 46.104.

Disclosures of incidents of alleged Prohibited Conduct made during an individual’s participation as a subject in a CPHS–approved or certified exempt human subjects research protocol will not be considered notice to the University for purposes of triggering its obligation to investigate. This exception does NOT apply to disclosures made to research personnel outside of the course of participation in the research protocol (e.g., to faculty during office hours or while providing academic advising).

This exception also does not affect mandatory reporting obligations under federal, state, or local laws, such as the Clery Act and the California Child Abuse and Neglect Reporting Act (CANRA), and other policies or laws that require reporting to campus or local law enforcement, or Child Protective Services.

If a research study is likely to elicit information about sexual violence or sexual harassment, researchers are encouraged to notify subjects, within the informed consent document, of the research reporting exception and to provide information about University and community resources.