SB 13: Safeguarding Human Subjects' Personal Data

If you conduct research with human subjects, read about Senate Bill (SB) 13, legislation that safeguards personal data used in research.

Senate Bill (SB) 13 places additional restrictions on state agencies' ability to disclose "personally identifiable information" (PII) to researchers. The bill was introduced after a 2004 data security breach on a UC campus.

Institutional review board

Research involving human subjects must be guided by an institutional review board (IRB), which oversees ethical, regulatory, and policy concerns about human subjects research. The IRB for UCSD is the Human Research Protection Program (HRPP). The IRB for the California Health and Human Services Agency (CHHSA) is the Committee for the Protection of Human Subjects (CPHS). CPHS must approve scientific research proposals before state agencies are permitted to disclose personally identifiable information (PII) to researchers.

PII guidelines

PII is an individual's first name or first initial and last name, combined with one or more of the following data elements, when either the name or the data elements are not encrypted:

  • Social Security number
  • Driver’s license number or California Identification Card number
  • Credit or debit card number, combined with any required security code, access code, or password that would permit access to an individual's financial account

Researchers working with PII need to:

Staff and researchers who want to share information must follow SB 13 guidelines, which apply to data released by all state agencies, including UC. To release PII in UC custody to researchers at other educational institutions, the other researchers would have to get approval from the HHS IRB. The Office of the President is in discussion about the scope and implementation of this aspect of the bill. Contact your IRB for more information.

CPHS measures

Measures taken by the Committee for the Protection of Human Subjects (CPHS) include:

  • Determining if requested information is needed to conduct research
  • Permitting access to a minimum amount of personal information
  • Determining if the plan sufficiently protects PII during research, destroys or returns PII following research, and provides assurances that the PII will not be reused or disclosed
  • Requiring the assignment of de-identified codes that are not derived from personal information
  • Requiring assessment of a fee if CPHS conducts data processing or removes, encrypts, or secures PII