Check out the new USENIX Web site. next up previous
Next: Research Implications Up: Legal Framework Previous: IRB Exemptions

IRB Myths and Facts

Below are some popular myths about IRBs and the Common Rule that are apropos to computer security research.

Myth: Because the Common Rule exempts research involving subjects that cannot be identified, IRB approval is not required when using anonymized data Although this would certainly be convenient, most institutions only allow a determination of exemption to be made by the IRB itself.

Myth: ``Pilot studies'' do not require IRB approval. Although some schools have policies which define a kind of ``pilot study'' not requiring IRB approval, there is no support for this interpretation in the Common Rule, which makes no reference to ``pilot'' or ``preliminary'' studies.

Many universities (e.g. [#!ucsf-irb!#,#!georgia-state!#,#!capella-faq!#]) have specific language in their IRB guidelines stating that IRB approval is required for all research, even pilot studies that will not be published. Georgia State University's policy[#!georgia-state!#] goes further, requiring consent forms to indicate if a study is a pilot study and requiring that the experimenter obtain additional IRB approval when the study progresses beyond preliminary stages.

But some organizations allow unapproved pilot studies: the School of Social Service Administration at University of Chicago allows small-scale pilot studies with less than 10 individuals to proceed without IRB approval assuming that ``proper steps will be taken to protect human subjects,'' sensitive data will not be collected, vulnerable populations will be excluded, and methods with no more than minimal risk will be used. However, SSA/UC requires IRB approval if the data collection in the pilot study will be used in any publication; if the data is to be used, IRB approval is required before data collection begins[#!ssa_uc!#].

Myth: IRB approval is not required if you are working with data you already have. The Common Rule makes no such exception. If previously collected data will be analyzed using a methodology that is different than that which was described in the original IRB application, new approval may be required.

Fact: IRB approval is not required by the Common Rule when using publicly available data. The Common Rule states that research involving the ``collection or study'' of ``existing data, documents [or] records'' is exempt ``if these sources are publicly available'' §46.101(b)(4). But, as previously noted, most institutions require IRB approval for all work involving human subjects, even research exempt under the Common Rule.

next up previous
Next: Research Implications Up: Legal Framework Previous: IRB Exemptions
Simson L. Garfinkel 2008-03-21