Federal regulations differentiate between privacy and confidentiality. The Institutional Review Board (IRB) is responsible for systematically evaluating proposed research for adequate provisions to protect the privacy of participants and maintain the confidentiality of identifiable data.
Researchers should understand the differences between privacy and confidentiality to determine whether the regulatory criteria for approval of human subject research are appropriately met.
Privacy
Privacy refers to a person’s desire to control the access of others to themselves. For example, an individual may want to keep their engagement in a counseling center private, especially if the center prominently displays office signs on the front of the building.
Researchers can develop strategies for the protection of subjects’ privacy, in the following ways:
- Understand the population of interest and potential privacy concerns.
- Identify and develop contact methods that limit undue exposure to the potential participants. Justify the nature of the requested information. Can you obtain information without disturbing an individual (e.g., public documents)?
- Choose a quiet and private location as the settings where an individual will be interacting with an investigator.
- Train all research staff on how to engage all individuals with appropriate privacy standards.
- Ensure all research staff have a clear understanding of the privacy appropriateness and standards for each research activity.
- Limit information that is obtained about individuals other than the target participant, and whether such individuals meet the regulatory definition of “human participant” (e.g., a subject provides information about a family member for a survey).
- Follow privacy guidelines developed by relevant professional associations and scholarly disciplines (e.g., psychology, education, bio-behavioral).
- Create ways to access the minimum amount of information necessary to complete the study. For example, use a personal telephone number rather than a general office number.
- Streamline privacy methods used to obtain information about participants.
Privacy concerns people, whereas confidentiality concerns data. The research proposal should outline strategies to protect privacy including how the investigator will access information from or about participants.
Regulatory and Guidance References
Confidentiality
Confidentiality refers to the researcher’s agreement with the participant about how the participant’s identifiable private information will be saved, handled, managed, and disseminated, including what will happen after the study is over and the data is presented (e.g., data will be destroyed after three years). The research proposal should outline strategies to maintain confidentiality of identifiable data, including controls on storage, handling, and sharing of data. Researchers can develop a data security that meets minimum standards and is particular to their study. When appropriate, certificates of confidentiality could be used to maintain the confidentiality of identifiable data (for more information on Certificates of Confidentiality.
When the IRB evaluates research proposals for strategies for maintaining confidentiality, where appropriate, consideration will be given as to whether:
- Methods to shield participants' identity adequately protect participant privacy.
- There is a long-range plan for protecting the confidentiality of research data, including a schedule for destruction of identifiers associated with the data.
- The recruitment materials clearly describe the study parameters.
- The consent form and other information presented to potential research participants adequately and clearly describe confidentiality risks.
- The informed consent process and the informed consent document (and, if applicable, the HIPAA Authorization section), clearly delineate who will have access to the subject’s information and under what circumstances data may be shared (i.e., with government agencies, sponsors).
Regulatory and Guidance References
*Organizations subject to the HIPAA Privacy Rule should comply with the provisions applicable to research.