IRB Considerations: Human Participant Data, Data Sets and Internet Research

UPDATED September 7, 2022

COVID-19: Cornell IRB COVID-19 guidance and FAQs have been updated (Sept. 7, 2022). Face masks are still required for in-person, on-campus human participant research activities similar to clinical exams or procedures. Review the revised guidance in its entirety here.

TRAINING UPDATE: Effective October 1, 2022, all Cornell study personnel involved in Exempt research protocols will be required to complete CITI training in human participant research ethics. See details here. For more information about Cornell IRB training requirements, visit the IRB Training webpage.

IRB PROTOCOLS: As of February 1, 2022, we are using the RASS-IRB system for new protocol submissions, continuing reviews, amendments, and adverse event and protocol deviation reporting. See more details about the transition to RASS-IRB here. Find how-to documentation and recordings of Zoom training sessions on the RASS Guide Site. For help or feedback about the system, contact the RASS team at: For content-related questions about your IRB protocol or other human participant research topics, email per usual. You can also schedule a Zoom meeting with members of the RASS or IRB teams via Microsoft Bookings.

Whether you are working with an existing data set collected by another researcher, storing data you yourself have collected from human research participants, or conducting Internet- or app-based research, you must take adequate steps to protect the privacy and confidentiality of research data.

Research with human participants frequently involves analysis or collection of personal identifying information ("identifiers").  In reviewing proposed human participant research, the IRB will consider whether data to be analyzed or collected by the researcher could be stigmatizing, result in criminal or civil liability, damage financial standing, employability, insurability, or reputation, result in stolen identity, or otherwise pose a threat to an individual’s privacy or confidentiality.  If so, the researcher should describe steps they will take to ensure that such information is kept secure.  

 Broadly, human participant research should be planned with the following in mind:

  • Ensuring that the informed consent process adequately and accurately explains to potential participants about possible risks of participation, including any risk that their personal data may be compromised.
  • Appropriately safeguarding the privacy or confidentiality of information obtained from or about human participants, and documenting these procedures in the protocol application and consent form.
  • Minimizing potential risks to participants, including risks associated with accidental or malicious security breaches.