Third-Party Access to Existing Data Protocol

Use the "Third-Party Access to Existing Data Protocol" [3PA] if you propose to access existing data about individual persons that have been collected by others and which contain personal identifiers, such as names or phone numbers. The protocol still applies even if you do not intend to use or report the personal identifiers.

The words "authorization" and "consent" are used as synonyms. The protocol outline is designed to elicit the information needed for the CSUB Institutional Review Board [IRB] to evaluate requests for waiver of authorization by individuals for use/disclosure of information about them for research purposes. The structure reflects the provisions of the federal Health Insurance Portability and Accountability Act [HIPAA] that regulates research access to protected health information. If the data requested contain protected health information, then the waiver documentation provided by the IRB will satisfy HIPAA requirements. However, at CSUB the same procedure is used to evaluate requests to waive authorization for use/disclosure of any information for research purposes, such as scores on standardized tests in the educational setting.


  1. Use of this procedure is limited to third-party access to data, that is, for a researcher to seek access to existing data collected by another entity, for example, a school or public agency providing services to the individuals whose data are requested.
  2. Waiver of authorization will be granted only if the research participants are placed at no greater that minimal risk.
  3. All protocols submitted will undergo either expedited or standard review by the IRB.
  4. If the individuals have consented that their data may be used for research purposes, then this request for waiver of authorization is not needed. However, if individuals have only consented that their data may used for purposes of program evaluation and/or providing of services, then this request for waiver of authorization is needed.

The Third Party Access to Existing Data request is submitted through the Cayuse IRB Initial form and is processed by the GRaSP Office.  If you are a student, you will be asked in the form to identify your faculty research supervisor who will automatically receive an E-mail to review and certify the content of the form. 

See the example protocols if needed: Third-Party Access to Existing Data Protocol:  Examples

For your information, reviewers use this Checklist when they review a Human Subjects Protocol.

Please contact us if it is inconvenient for you to use these online materials or you have questions:

Isabel Sumaya (Research Ethics Review Coordinator) 654-2381 or
Gwen Parnell (Research Compliance Analyst)  654-6712 or

New IRB Protocol Submission Platform

Cayuse IRB Coming this Fall 2018

cayuse horse logo

Click her to submit your Third Party Access to Existing Data Protocol