Skip to main content

International Research

Conducting International Research: Processes Obtaining for IRB Approval and Data Use Agreements (DUA)

It is vital to observe the same ethical and data use standards when conducting research abroad as in domestic research. Unfortunately, there is a history of unethical research and data usage in global health and other fields, which has prompted new regulations, particularly around data protection and transporting data across country borders.

*Please note that these processes are subject to change at any point. Please email Elizabeth Rose if you have questions or find that processes have changed. You can also find more information on the VUMC International Data Privacy and Protection website and view the VUMC International Privacy Office (IPO) Project Review Process.


All international research projects must receive ethical approval (IRB) and have a data usage agreement (DUA). These are separate approvals and have separate processes.

  • IRB is concerned about the ethics of the research; DUA is concerned about the security of the data.
  • All international activity will need IRB approval and a DUA, even if it’s an exempt project.


Processes for IRB and DUA approval

  • When a funded grant initiates a subcontract with a foreign institution, the contract is put through PEER (a VUMC process), which starts review of the research project and triggers processes for DUA, other necessary reviews, and researchers to complete international data privacy training.
  • If you are joining a VUMC international research project that is part of a funded grant, the project PI should already have DUA and IRB approval. You will need to be added to these.
    • Please work with the project PI to be added to the DUA and IRB approval.
    • You will need to complete data usage training modules.
    • However, if your project is a distinct study (e.g., you’re collecting new data), you will need a separate IRB approval and DUA (see next section).
  • If you are joining an international research project that is not part of a funded grant or you are designing your own international research project, you will need to initiate DUA and IRB approval.
  • If you have a VUMC mentor,
    • DUA process: The DUA needs to be initiated by your VUMC mentor. They will submit this request in PEER. The DUA includes details about data collection, access, storage, etc. Everyone who will be handling data should be included in the DUA and will need to complete data usage training modules. The DUA needs to go through approvals in-country and the entire process can take 2+ months.
    • IRB process: You will submit the IRB approval request as normal through VUMC DISCOVR-e. The IRB has implemented a new process in which international research that meets the following set of criteria will be reviewed by BRANY IRB instead of VUMC IRB. See the criteria below and additional details here:
      • For international research, Vanderbilt IRB will review:
        • Non-research studies, such a program evaluation projects
        • Studies that include VUMC key study personnel
        • Studies that involve HIPAA protected data, as the Vanderbilt IRB serves as the privacy board for these activities
      • For international research, BRANY IRB will review:
        • Research studies with an international component that do not include VUMC key study personnel nor HIPAA protected data
      • The IRB will want to know that you have submitted a DUA.
    • Additionally, any matter intending to process international data will go through at least these steps for International Privacy Office (IPO) approval:
      1. After your mentor answers “yes” to the DUA form’s question, “Does this involve data with participants outside the US?”, they will receive a REDCap survey link. This survey helps the IPO score the risk of the matter based on the relevant country’s privacy laws and the sensitivity of the data. The matter will not proceed until the survey is complete and scored.
      2. You/your mentor must request a review of the IT/IS security measures. You make this request by opening a ticket in a VUMC system called Pegasus and you can submit a ticket for a Security Review here. This review covers all the equipment and systems that will be used to receive, use, manipulate, analyze, house, store, or share any international data at VUMC as well as by an external organization.
      3. The VUMC Enterprise Cybersecurity (VEC) group will receive the request and review the hardware and systems used to process the data. VEC will produce a report which is forwarded to the IPO. The IRB assigns international privacy training to key personnel. Your team must complete a privacy training module. Contact zolkower@vumc.org and provide a list of any individuals on the study who will need to be assigned the online training module, “Introduction to International Data Protection.” This list should include all individuals at VUMC who access any international data as part of your study and anyone who will have the ability to access international data (whether or not they actually do). The list should include the full name and VUMC email address of the PI, all sub-investigators, Key Study Personnel, and any research staff who will be authorized to access the international data. No one may access international data until they have completed this module.
      4. If the processing of data is considered “high risk” (determined by the results of the REDCap survey in step 1), the IPO will take the matter to the contract optimization committee for approval. You will be invited to attend if this occurs. High-risk matters proceed for approval only after the VEC security report is available which emphasizes the importance of getting the VEC review done as soon as possible.
    • IRB approval is often contingent on general project approval from the IPO. A project can move forward once it’s received IRB approval. However, you (and others at VUMC) cannot collect or access data until you have the DUA. For example, with only IRB approval, your in-country partners could begin data collection, but you would not be able to access data until you have the DUA.
  • If you have a VU mentor who’s not affiliated with VUMC:
    • You will need ethics approval from the site/country and Vanderbilt IRB approval.
    • These projects are handled separately through the VU international IRB office. VU is updating their international privacy and data protection processes, so the DUA might look different.