This section of the Investigator Manual covers issues like study complaints, record retention,, sharing data in repositories, NIH GDS, GDPR, and PI responsibilities when leaving the UW.

Complaints or Concerns About a Study

Investigators should make a good faith effort to promptly respond to and try to resolve any study- related complaint or concern that you receive or of which you are aware.

Some complaints and concerns that an investigator may receive are relatively minor (e.g., a subject complaint about a late payment that can be quickly resolved). One-time, minor complaints that can be quickly resolved generally do not require reporting to the IRB.

Complaints or concerns may be submitted directly by anyone, including but not limited to research subjects, family members, and representatives, and study team members. Complaints may be received by the study team, UWHC Patient Relations, the IRB office, and/or the confidential human research protection reporting line (1-833-652-2506 or

Record Retention

Maintain your human research records, including but not limited to source data, signed and dated consent documents, consent documents that integrate or have stand-alone HIPAA authorization, and screening materials documenting subject eligibility for at least seven years after completion of the research. More information can be found in the campus Policy on Data Stewardship, Access, and Retention.

If your human research is sponsored, contact the sponsor before disposing of human research records. is a publicly available registry and results database of federally and privately supported clinical trials, supported by the U.S. National Library of Medicine. The purpose of is to disclose to the public key information about clinical trials that are currently available or that have been conducted. All UW–Madison faculty, staff, and students conducting human subjects research on University premises are expected to follow federal registration and results reporting requirements regarding This is not an IRB requirement. More information about requirements can be found here.

Sharing Data in Repositories

Data Sharing in large data repositories is increasingly common and may be required for funded research (e.g., NIH) or for publication purposes. The information below outlines common sharing formats, possible consent scenarios, and considerations researchers should be aware of when developing plans for grant applications for data sharing in data repositories when the data to be shared is from human research participants. Investigator’s should describe their data sharing plans, including discussion of the considerations noted on this page, in their protocol (IRB templates: HRP-503 – Biomedical Protocol and HRP-503a – Registries and Repositories Protocol) and application. Template consent language for open access and controlled access data sharing can be found in HRP-502. UW Research Data Services has information and resources regarding data sharing related to the NIH Data Management & Sharing Policy.

Note: The UW IRBs may consider exceptions to these guidelines on a case-by-case basis.

Open Access Sharing

Consent Scenario:

1) Explicit Consent for sharing via Open Access is obtained


    • Open Access sharing must be consistent with applicable laws, local approvals and governing agreements (funding, MTAs, DUAs, etc.)
    • Sharing must not pose greater than minimal risk to individual participants or communities/groups
    • Explicit consent for sharing via open access is required and the consent must specify the type of data to be shared
    • Only de-identified datasets may be shared

Controlled Access Sharing

Possible Consent Scenarios:

1) Where Explicit Consent for sharing via Controlled Access is obtained


    • Controlled Access sharing must be consistent with applicable laws, local approvals and governing agreements
    • Sharing must not pose greater than minimal risk to individual participants or communities/groups
    • Consent must specify the type of data and identifiability of the data to be shared
    • The level of controls required may vary based on the sensitivity of the data and likelihood of re-identification

2) Consent obtained prior to January 25, 2023 without explicit sharing language, and does not prohibit sharing


    • Sharing via controlled access must be consistent with any applicable laws, local approvals and governing agreements
    • Sharing must not pose greater than minimal risk to individual participants or communities/groups
    • The level of controls required may vary based on the sensitivity of the data and likelihood of re-identification
    • Only de-identified datasets may be shared

3) Data obtained under an IRB approved waiver of consent


    • Sharing via controlled access must be consistent with any applicable laws, local approvals and governing agreements
    • Sharing must not pose greater than minimal risk to individual participants or communities/groups
    • The level of controls required may vary based on the sensitivity of the data and likelihood of re-identification
    • Only de-identified data sets may be shared

Repository Controls: Examples of controls include conditional access that is moderated by the repository, and may include the requirement to sign a Data Use Agreement, the requirement to demonstrate IRB approval of a project requesting data, or use of a virtual enclave where researchers can only work within the repository’s infrastructure.

Open Access: Open access data sharing allows anyone to access and use the dataset. For
the data to be made publicly available, all information, both direct and indirect, that could lead to a person being identified must be removed. (For health information this is called de- identification when the 18 direct and indirect identifiers outlined in HIPAA are removed). Datasets from rare disease communities may require the removal of more information than for more common disease communities to safely protect a person’s identity. Although necessary, this level of de- identification of data can limit the usefulness of the dataset.

Controlled Access: Controlled access data sharing requires a request for access to the dataset to be approved. The requirements vary, but usually limit data sharing to researchers with a specific, relevant research question. Additional data sharing restrictions may be determined by the owner of the data prior to collection of the data and, for consented studies, should be described in the informed consent (e.g., data may only be used for research on a specific disease or condition). A Data Sharing Agreement and/or Data Use Agreement are often used in controlled access data sharing. Although the information that may directly identify a person must be removed, the amount of information to be removed may vary based on risk and level of controls. A “limited data set” (i.e., may include indirect identifiers like dates and city/state/zip) may only be shared under a Data Use Agreement that complies with HIPAA.

Restricted Access: Data cannot be shared or released directly to the public research community due to possible risk(s) to study participants as well as to protect the data confidentiality promised to them.

Minimal Risk: Minimal risk means that the probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life of the general population or during the performance of routine physical or psychological examinations or tests.

Institutional Certification for NIH Genomic Data Sharing


The NIH GDS policy requires the submission of large-scale genomic data, as well as relevant associated data, to an NIH-designated data repository. The policy became effective January 2015 and expands the scope of the original 2007 policy that was specific to genome-wide association studies (GWAS) studies. The GDS policy applies to all NIH-funded research that generates large-scale genomic data, as well as the use of these data for subsequent research. Examples of large-scale genomic data include genome-wide association studies (GWAS), single nucleotide polymorphisms (SNP) arrays, and genome sequence, transcriptomic, metagenomic, epigenomic, and gene expression data.

Institutions are responsible for assuring, through an institutional certification, that plans for the submission of large-scale human genomic data to the NIH meet the expectations of the GDS policy. An Institutional Certification must accompany the submission of all large-scale human data to the NIH repository. Investigators are responsible for requesting this institutional certification from the IRB prior to the sharing of any data with the federal repository.

How do I know if the NIH GDS policy applies to my study?

If a study is NIH-funded and involves the creation of large-scale genomic data, the GDS policy applies. The policy requires that investigators provide a basic genomic data sharing plan in the Resource Sharing Plan section of grant applications at the time of submission. A more detailed plan should be provided prior to award. The Institutional Certification also should be provided prior to award, when possible. Guidance on genomic data sharing plans is available on the NIH GDS website.

If researchers are unclear whether the GDS policy applies to their study, they are encouraged to consult with their NIH program officer.

Requests for institutional certification may be submitted at the time of initial review, or, for already approved studies, as a full change of protocol. In either case, the investigator must provide certain information in order for the IRB to evaluate the request, along with a template certification letter. The NIH provides single-site and multicenter template institutional certification forms, which can be found at

Study teams are responsible for identifying the correct certification template letter and providing the letter with applicable fields filled out to the IRB with the request for certification. Investigators who have been awarded grants through the NIH grant program should use the appropriate extramural template. Submit any documentation required in the supplemental information section of the IRB application. For additional information see:

General Data Privacy Regulation (GDPR)

The European Union has additional requirements regarding data privacy, referred to as the GDPR. Where UW-Madison is working with personal data collected in, or transferred from, any European Economic Area country, GDPR will be relevant. This includes data collected, obtained, or used for research projects. Failure to follow GDPR if it applies puts the University at risk of noncompliance, monetary fines, and reputational harm so it critical to understand and assess whether GDPR applies to your study.

GDPR requires a legal basis to collect and process (e.g., analyze) personal data. In order to use personal data for research, the legal basis that generally will apply is consent from the data subject.

Consent must be freely given, specific, informed, and unambiguous as to the data subject’s wishes by a statement or by a clear affirmative action:

Freely given means the individual must have a realistic choice, or the realistic ability to refuse or withdraw consent. Individuals in a position of authority cannot obtain consent, nor can consent be coerced.

Specific means the consent must be explicit and transparent and contain the following information:

  • Identity of the Principal Investigator
  • Purpose of the data collection
  • Types of data collected, including listing of any special categories of data. This includes information about a data subject’s health, genetics, race or ethnic origin, bio-metrics for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership
  • The right to withdraw from the research and the mechanism for withdrawal
  • Identify who will have access to the data
  • Time period for which data will be stored (can be indefinite)
  • Information regarding data security, including storage and transfer of data
  • Information regarding automated process of data for decision making about the individual, including profiling
  • Whether and under what conditions data may be used for future research, either related or unrelated to the purpose of the current study

Informed means that subjects are made aware of the risks, how their data will be safeguarded, their rights in relation to the research (as described below), and how to exercise those rights.

Unambiguous means consent is given through a statement or clear affirmative action.

  • This may be by a written or oral statement or other affirmative act demonstrating consent. For instance, checking a box can indicate consent, while silence or pre-ticked boxes that require unchecking (opting out) cannot.
  • Investigators should be able to demonstrate that a particular subject consented to the research. Consent records, including time and date of consent, must be maintained for each data subject.
  • If the consent form serves multiple purposes, the request for consent must be clearly distinguishable within the document.
  • There is no ability for the IRB to waive informed consent under GDPR.

Additionally, there are certain rights that data subjects have:

  • The right of access to their data
  • The right to request corrections to their data
  • The right to withdraw and to request erasure of their data. In this case, data may be retained only if it is anonymized or if another legal basis exists to retain the data. This may include:
    • The need to protect scientific research if deletion would render impossible or seriously impair the research objectives; or
    • The need to protect the public health by ensuring the accuracy and quality of data related to medical care or to investigational drugs and devices
  • The right to request transfer of their personal information to a third party (such as a personal physician) in a format suitable for re-use

More details about GDPR can be found in Appendix A. Contact the IRB office with any questions.

Investigator Responsibilities When Leaving UW-Madison

If you plan to leave UW-Madison while your study is ongoing, please contact IRB office overseeing your research to discuss the transfer or closure of your study prior to your departure. You can have another UW-Madison investigator assume principal investigator responsibilities, you can transfer the study and data to another institution, or you can close the study entirely. We will advise you regarding what actions will need to be taken. To transfer the research data and specimens to the new location you will need to have a data transfer and use agreement (DTUA) and/or materials transfer agreement (MTA) in place.