Privacy and Confidentiality

The IRB must decide on a protocol-by-protocol basis whether there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of the identifiable data at each segment of the research from recruitment to maintenance of the data.

In This Section

What is the Requirement?

46.111(a)(7): “When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.”

How Do I Comply With the Requirement?

Initial Review Application

On the Data Confidentiality page, you will be asked about the type of data you will store and the security in place to maintain the confidentiality of the data.  You will provide an answer by answering a series of questions on the Initial Review Application.

Data Collected

You will be asked, once the data has been collected or received by this PI, how will it be maintained?

The data will be:

  • Identifiable – Data or specimens will be labeled with identifying information.
  • Coded with linking key – Data will be stripped of identifiers and assigned a code. The research team will maintain a key that links the identifiers to the data set.
  • Coded without linking key – Data will be stripped of identifiers and assigned a code. The research team will not have access to a key that links the identifiers to the data set and will not attempt to re-identify the data.
  • All identifiers will be destroyed. There will be no way to link the data to an individual.

Data Protection

Only authorized persons should be granted access to participants’ identifiable information. You will be asked to indicate how you will protect research subjects’ identities and information.

Select all that are true:

  • Identifiable data maintained in paper format and/or specimens labeled with identifiers will be kept in a locked area with limited access.
  • Identifiable electronic data will be maintained on a password protected, encrypted device.
  • Identifiable electronic data will be maintained on a password protected, secured cloud service appropriate for the sensitive of data collected.
  • NA – No identifiable data or specimens will be created or stored for this this research.
    • Name of Cloud Service – This response is optional.
    • If you are using a cloud service, provide the name of the cloud service.
    • (Plain Text Response)

For research involving the access, use or disclosure of Protected Health Information, please contact the Biomedical Informatics Department for assistance with data security.

Data Transfer Protections

If you will be transferring data between locations, you will be asked to describe your plan to protect the data.  or example, using lock boxes or locked cars when conducting field work or transferring data between sites)

Sensitive Data

In a yes or no question you will be asked:

If the confidentiality of the research data were compromised, could it reasonably place subjects at risk of criminal or civil liability or otherwise be damaging to the subjects’ financial standing, employability, educational advancement, or reputation?

Ethical Considerations

The following issues will be considered during IRB review:

  • The proposed recruitment methods: How are potential participants identified and contacted? Does the recruitment plan involve access to private information, such as a medical record or student record? Where are potential subjects being approached?
  • Sensitivity of the information being collected – the greater the sensitivity, the greater the need for privacy and confidentiality.
  • Method of data collection (focus group, individual interview, covert observation)
  • Will subjects feel comfortable providing the information in this manner?
  • If passively observing the subject; could the individual have an expectation of privacy (e.g., chat room for breast cancer patients)?
  • Will the researcher collect information about a third-party individual that is considered private (e.g., mental illness, substance abuse in family)? If yes, informed consent should be obtained from the third-party.
  • Are the activities appropriate for the proposed subject population?
  • What are the cultural norms of the proposed subject population? Some cultures are more private than others.
  • What are the ages of the proposed subject population? There may be age differences in privacy preferences (e.g., teenagers less forthcoming than older adults)
  • Do you have safeguards to maintain data confidentiality as described in the Initial Review Application?
  • Do you plan to share data collected for research with individuals outside this institution?
  • Do you plan to maintain identifiable data or specimens for future use?

Definitions

  • Privacy is the state or condition of being free from being observed or disturbed by other people. Privacy is the control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others.
  • Confidentiality is the state of keeping or being kept secret or private. Confidentiality pertains to the treatment of information that an individual has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission in ways that are inconsistent with the understanding of the original disclosure.

Resources