IRB

If you're collecting data from human subjects for research, you may need approval from an Institutional Review Board. File an IRB application if any of these apply:

  • You're collecting any Personally Identifiable Information (PII) or running experiments on humans → Campus IRB.
  • You're collecting any Personal Health Information (PHI) → Health IRB.
  • You're going to publish results from a dataset that involves humans.

What counts as PII?

PII (Personally Identifiable Information) includes: names, SSNs, dates of birth, addresses, phone numbers, email addresses, biometric data, IP addresses, driver's license numbers, passport numbers, and financial account information.

If you're not collecting PII, IRB approval is usually fast. If you are, build the review into your project timeline rather than leaving it until the end.

Outside academia, there's no campus IRB — but ethical and legal obligations around human subjects research don't disappear. Companies conducting research that could be publishable, regulated, or that involves sensitive data typically use independent (hired) IRBs. Common providers include WCG IRB, Advarra, and Copernicus Group.

When to consider a hired IRB:

  • Your company intends to publish or present findings from human-subjects research (journals and conferences increasingly require IRB approval).
  • You're running clinical, health, or behavioral studies that fall under FDA or HHS regulations.
  • You're working with a regulated partner (hospital, university, government agency) that requires IRB oversight for all collaborators.

For internal product research — A/B tests, UX studies, customer surveys — formal IRB review is rarely required, but your company's legal and privacy teams should still review data collection practices, especially if PII or PHI is involved.

Checkpoint

You're conducting research that involves collecting email addresses and health survey responses from university students. Which review board(s) should you consult?