Information Practices Act (IPA): Safeguarding Human Subjects' Personal Data

If you conduct research with human subjects, read about the Information Practices Act (IPA), legislation that safeguards personal data used in research.

California’s Information Practices Act (IPA) also known as Senate Bill (SB) 13 places additional restrictions on state agencies' ability to disclose "personally identifiable information" (PII) to researchers. The bill was introduced after a 2004 data security breach on a UC campus.

Institutional review board

Research involving human subjects must be guided by an institutional review board (IRB), which oversees ethical, regulatory, and policy concerns about human subjects research. The IRB for UCSD is Office of IRB Administration (OIA). The IRB for the California Health and Human Services Agency (CalHHS) is Committee for the Protection of Human Subjects (CPHS). CPHS must approve scientific research proposals before state agencies are permitted to disclose personally identifiable information (PII) to researchers.

PII guidelines

According to CA Civil Code 1798.3(a): The term “personal information” means any information that is maintained by an agency that identifies or describes an individual, including, but not limited to, the individual’s name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. It includes statements made by, or attributed to, the individual.

Researchers working with PII need to:

• Allow time to obtain the necessary review and approvals from CPHS
• Review IPA Regulations and CPHS expectations/requirements
• Be prepared to justify the need for the data and present a plan for:
  • Protecting data: See Securing Your Data and Workspace, Preventing Identity Theft-Securing Personal Information, and Computer Security for Laptops
  • Destroying or returning data (PDF)
  • Ensuring that data is not reused or disclosed
• Be reviewed by the Human Research Protection Program (HRPP)

Staff and researchers who want to share information must follow SB 13 guidelines, which apply to data released by all state agencies, including UC. To release PII in UC custody to researchers at other educational institutions, the other researchers would have to get approval from the HHS IRB. The Office of the President is in discussion about the scope and implementation of this aspect of the bill. Contact your IRB for more information.

CPHS measures

Measures taken by the Committee for the Protection of Human Subjects (CPHS) include:

• Determining if requested information is needed to conduct research
• Permitting access to a minimum amount of personal information
• Determining if the plan sufficiently protects PII during research, destroys or returns PII following research, and provides assurances that the PII will not be reused or disclosed
• Requiring assigning of de-identified codes that are not derived from personal information
• Requiring assessment of a fee if CPHS conducts data processing, removes, encrypts, or secures PII

Contacts

• UCSD HRPP
• CPHS
• Ellen R. Auriti, Executive Director, Research Policy and Legislation for UC Office of the President