Submitted by Erica.Johns on Mon, 09/19/2016 - 12:54
Responsibility for such an occurrence would depend on the policies and documentation present at the institution. In general, a confidentiality agreement specifies the authority of the signatories and should articulate the ramifications of any breach of contract. A few suggestions for local institutional contacts would be the IRB office (if data are being collected) and the research compliance or information security office; another option is to review the data use contract (if the data are being provided by an external entity, the initial contract with the provider should say who's ultimately responsible). DataQ is not able to provide any more specific information due to the wide variety of policies and practices across institutions.