Student Data Protocol
There is an expectation by the Federal Government and the United States Department of Education in coordination with the Higher Learning Commission (HLC) that all research conducted with university students must first obtain approval from a university Institutional Review Board (IRB). An IRB is based on the following federal laws and HLC policy:
- Title 45 Public Welfare, Part 46 is the Code of Federal Regulations for the Protection of Human Subjects.
- The U.S. Department of Health and Human Services oversees and enforces CFR §46 with the Policy for Protection of Human Research Subjects as the primary document.
- The U.S. Department of Education oversees and enforces the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99). Specific guidance is provided to post-secondary school officials and researchers.
- HLC’s 2019 Policy Handbook discusses the need for institutions to conduct research in accordance with Federal Law on pages 16, 18 (1.B), 20 (2.E.1), 22 (3.D.5 and 3.E.2), and 30.
The laws and policies listed above clearly show an expectation that any institution of higher learning will ensure the safety of humans, which includes the protection of student “Personally Identifiable Information” (PII). Student PII is the primary reason for a university IRB.
Support of the IRB comes from the University President because of CFR §46.112—Review by Institution and the MACU Board of Trustees By-law 3.1.
- CFR §46.112 states, “Research covered by this policy that has been approved by an IRB may be subject to further appropriate review and approval or disapproval by officials of the institution. However, those officials may not approve the research if it has not been approved by an IRB.”
- The Board of Trustees By-law 3.1 states, “With respect to interactions with students or those applying to become students, the CEO shall not cause or allow conditions, procedures, or decisions that are unlawful, unsafe, undignified, unnecessarily intrusive, or that fail to provide appropriate confidentiality or privacy.”
A university cannot allow student PII to be collected without a valid reason, housed in files which are not institutionally controlled, or distributed to entities without a need-to-know approval. A university IRB must be responsible for, and provide the required oversight of, all research on and collection of student-related data (i.e. PII), which will assist in ensuring that a university properly safeguards student PII.