
Research Information and University Data Security 

Differences between Tiers and IRB Levels 

IRB Levels are set using a combination of criteria that includes consideration of certain data sensitivity (personal information of study participants). But that is not the only criterion that determines an IRB level:

  • IRB level I: no identifiers, no sensitive questions  
  • IRB level II: either identifiers or sensitive questions
  • IRB level III: both identifiers and sensitive questions  

IRB level also does not take into account the broader data types and rules that make up the University’s data Tier system. So comparing IRB Levels with Data Tiers is not a precise science. It is almost certain that IRB Level I projects would have no Tier 2 or 3 (sensitive) data (unless a creative PI tries very hard to find a way).  It is likely that Level II projects would have no more than Tier 2 data, but that is not a given. And a Level III project might have Tier 2 or Tier 3 data or both. 

 

How to go about securing IRB Level II and III research data
 

  1. We strongly recommend that you consult with a campus IT Professional and your Unit’s Information Security Liaison to understand your responsibilities and the secure technology resources available.
  2. Both individuals and devices working with study data must comply with the Information Security Controls Standard and other applicable policies. For example, any access to study data from individuals or systems must follow the Password, Pass-phrases, and Other Authentication Methods Standard.
  3. If you store or share study data with an external organization such as another research organization or in any way use a cloud-based platform, the cloud application(s) and service must be approved and rated for working with the correct Tier of sensitive data. Previously-approved applications can be found at the Information Security Office’s Purchasing Guide if you are seeking something likely to be usable. Unless the application on the guide is scoped for general use with the data tier listed, please open a request for a risk assessment and data governance review via ITS Help.
  4. If you are building or purchasing software or using a cloud-delivered service for your study, that application must also have an IT Security Risk Assessment for the correct Tier of sensitive data. The requestor or researcher should contact their departmental IT liaison to submit a ticket for the risk assessment. Please see our Purchasing Guide | Safe Computing at UNC.
  5. Keep in mind, University data security requirements do not replace or supersede any security plans or procedures required by granting agencies or sponsors. Sometimes University requirements may be more strict. In other cases, a granting agency might have requirements different from the University’s. If the general University requirements, the IRB requirements, your granting agency, or another authority requires a specific practice, then it is required. You must meet the complete set of requirements, not the lowest.

Campus Resources and Groups that can help you:  

 

 

 

Last updated: July 7, 2023