Privacy and Confidentiality
Herky Hints for HawkIRB: Section X. Privacy and Confidentiality
Privacy and confidentiality are two unique concepts that are required for human research participant protection. While privacy is specific to the person who is the research participant, confidentiality is specific to the participant’s identifiable data and/or specimens.
Privacy is the ability of an individual to function without intrusion and includes the ability to control what personal information is shared with others. Privacy protections in research refer to the methods used to protect subject privacy during the conduct of the study and the collection of data.
Confidentiality is the right of the individual to have their information, once it is shared with others, held securely, and kept secret unless the individual consents to disclosure. Confidentiality protections in research include measures taken to protect data during and after collection.
The exercise of privacy and confidentiality falls within the ethical concept of beneficence from the Belmont Report which focuses on ‘maximizing possible benefits and minimizing potential harms.’
Criteria for Approval
Federal regulations overseeing the criteria for approval of human subjects research 45 CFR 46.111(a)(7) and 21 CFR 56.111(a)(7) require that the research plan has “…adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.”
Confidentiality protections include the researcher’s data security plan and their data sharing plan (if applicable) to protect collected data. The researcher will need to indicate in the HawkIRB application, and in the consent document (if applicable) whether data/specimens will be identifiable, coded, or de-identified.
Confidentiality Requirement for Informed Consent
Federal regulations overseeing the general requirements for informed consent at 45 CFR 116(b)(5) and 21 CFR 50.25 state that informed consent must include “a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained.” The consent document will need to describe the methods that will be used to ensure the confidentiality of the participant’s data.
Types of Risk
In considering what harms could be involved with the loss of participant privacy and/or confidentiality, we can look elsewhere in the regulations where types of risks are discussed, including placing subjects “… at risk of criminal or civil liability or be damaging to the subjects' financial standing, employability, educational advancement, or reputation …” 45 CFR 46.104(d)(2)(ii)
Risks from Loss of Privacy
When considering how these types of risk could apply to a participant’s privacy, we can imagine a scenario in an interventional study of people who inject illegal drugs. For these individuals, it would be important to conduct the consent process in a place where no one could see or overhear the consent being discussed. If it were possible for someone to overhear them confirming that they meet the study criteria it might be that the person overhearing could tell the participant’s employer, and it could result the person losing their job which could:
Affect financial standing
Damage their reputation
Put them at risk for criminal liability
Risks Due to Loss of Confidentiality
Risks from loss of confidentiality can occur at almost any point during or after data collection. For example, loss of confidentiality could occur if a laptop containing participant data for the same drug use intervention was stolen. Or if data were transferred electronically to a colleague on a system that did not use encryption, or if paper consent documents were left in an unlocked office, the information about participants could put them at risk of harm due to
criminal liability, and loss of
financial standing,
employability,
educational advancement, and/or
reputation.
Managing Risks in Research Procedures
Efforts to protect the subject’s rights to privacy could include protections such as the following:
• Providing a private space for discussing study procedures and obtaining consent
• Telling participants at the beginning of surveys or interviews that they can choose not to answer any questions that make them feel uncomfortable
• Collecting only the amount and type of information necessary to answer the research question
• Not allowing tagging on social media recruitment posts
• Sending non-specific emails and/or leaving only general messages on voicemail (not saying anything specific about the participant or the research)
• Using blind copy (BCC) for group emails
Plans to protect the confidentiality of participant data and/or specimens might include:
• Limiting who has access to identifiable data and specimens
• Retaining identifiable data or specimens on a secured server or in a locked lab
• Not linking identifiers with data or specimens, or removing identifiers from data or specimens as soon as possible, or
• Using encrypted email for sending data to a colleague
• Certificates of Confidentiality
Confidentiality protections begin at data collection and are ongoing as long as the identifiable data and/or specimens exist.
Certificate of Confidentiality
A Certificate of Confidentiality (CoC) is an additional layer of protection for information, documents, and/or biospecimens that contain identifiable, sensitive information related to a participant’s involvement in research. The National Institutes of Health (NIH) and other federal agencies issue certificates to provide additional confidentiality protections beyond the standard protections for human subjects research.
The National Institutes of Health (NIH) automatically issues a CoC for studies that the agency funds to provide additional protections for participants who are participating in a research project that collects identifiable, sensitive data. However, the IRB is tasked with ensuring the CoC criteria are appropriately applied to the research. Several non-NIH agencies, including the Centers for Disease Control, the Food and Drug Administration, and others, also issue Certificates of Confidentiality. Once a CoC is applied, the protections for the research data last in perpetuity.
The study team and the institution have specific obligations outlined in the Institutional Assurance Statement for ensuring research subject’s sensitive data is only released under limited scenarios. The responsibilities associated with the CoC must be applied by all collaborators affiliated with the project if the research is a cooperative research project. In a multisite collaborative project utilizing a single IRB of record, the primary PI and lead IRB are responsible for ensuring all collaborating sites are aware of, and apply, the terms of the CoC.
Even if the NIH (or other HHS agency) does not fund the study, when reviewing research, the IRB may advise the researcher to apply to the NIH for a Certificate of Confidentiality based on the sensitivity of the data being collected. For more information on CoCs, see the Certificates of Confidentiality FAQs.
Additional information about privacy and confidentiality provided in HawkIRB is available in this month’s Herky Hint!
For more information on protecting confidentiality through data security see the Data Security Guidance educational tool.
Questions about this topic? You can email the HSO Education and Outreach team or come to Office Hours to speak directly to a member of the HSO team.
In the HawkIRB application, items X.1-9 address privacy and confidentiality. When completing the responses in section X., it is important to note the difference between privacy and confidentiality. Privacy protections refer to the methods used to allow participants to not be seen or heard discussing the recruitment, enrollment and consent process, or participating in study procedures. Confidentiality protections refer to the methods that the researcher will use to protect participant data after it has been collected.
Privacy
Section X.1 of the new project application asks how the research team will conduct the project to protect the privacy of the subjects during the recruitment, enrollment and consent process to ensure subject privacy: For example, asking questions in a private room and only collecting the minimum information needed to meet the study aims.
If you will be collecting Social Security numbers (SSN) of subjects, indicate ’yes’ on item X.2.
Why you may need to collect SSNs:
If you will be compensating subjects with a payment at or above $100 (or over $600 in a year) you would need to collect their SSN. (Note: For VA subjects, SSNs must be collected for any amount of payment.) In addition to selecting ‘yes’ for X.2, indicate the compensation plans in section VII.E 9-16 of the HawkIRB application.
Reimbursing a subject for travel or per diem costs does not require the collection of SSNs. However, the research team would need to have documentation of the mileage and/or per diem amounts to support the reimbursement.
If you select ‘yes’ was selected in for X.2, section X.3 will ask the intended use of the SSN. In item X.3, describe the intended uses for the SSN. The subject must consent to the collection of their SSN for any purpose other than compensation. The description in section X.3 should be consistent with section VII.D.6-16 and the consent document. Indicate the plan for how and when the SSN will be destroyed in accordance with UI policy. (Note: For VA research subjects the SSN is retained indefinitely). For additional information on the UI Research Subject Compensation Policy.
Confidentiality
Section X.4 asks how the research team will maintain confidentiality of subject data they collect. (Note: Managing the risk of loss of confidentiality should be addressed in section VIII.2.) Several storage methods are available (paper/hard copy records, electronic records, and biologic samples). Select all that apply to the proposed collection methods and describe the security measures for each method. Physical protection, such as locked cabinets/offices, should be indicated in this section.
Describe how hard copy records will be transported, transferred, and stored. State the specific location for storage of these records. This can include signed consent documents and data collection tools which are often paper records.
If you are using electronic records, describe the methods/systems used to collect and store these data and the security methods that will be used when electronic records are being transported, transferred or stored.
If accessing medical records, describe how you will collect and store any protected health information (PHI) from the medical record. If you are adding collected data to the medical record from the study, describe the procedures you will use.
Describe the IT protections and the physical protections for the computer systems (locked office, etc.).
Indicate whether electronic data will be stored on a stand-alone hard drive or a network server and where the hard drive or server is located.
Indicate the person who will be responsible for maintaining the IT security for the data, typically the departmental IT representative. The PI should not be the person responsible for IT security. The person indicated is responsible for the security of electronic records storage and is responsible if there is a breach of security with the study data.
If collecting biologic samples, describe the security methods used to transport, transfer and/or store the specimens. Indicate the person who will be responsible for maintaining the security of the samples and the specific storage location for the specimens. All items indicated in section X.4 should be consistent with the consent document.
Note: For VA research subjects, the consent form must describe if data is stored anywhere outside VA premises. Any biological samples to be stored outside the VA must have approval from the VA ACOS.
In section X.5 indicate if the confidentiality protections allow only members of the research team to access the data/specimens.
Indicate ‘no’ if the data will be shared outside the UI; with collaborating sites, in a central data repository or with an Electronic Data Capture (EDC) system provided by a sponsor or coordinating center. If you select ‘no’, section X.6 will open, and you can describe the data sharing plan. Also indicate ‘no’ if the data or specimens will be accessible to anyone that is not a member of the UI research team (shared lab/freezer/office/repository etc.)
Note: For VA research subjects, the consent form must describe if data is stored anywhere outside VA premises. Any biological samples to be stored outside the VA must have approval from the VA ACOS.
In section X.5 indicate if the confidentiality protections allow only members of the research team to access the data/specimens.
Indicate ‘no’ if the data will be shared outside the UI; with collaborating sites, in a central data repository or with an Electronic Data Capture (EDC) system provided by a sponsor or coordinating center. If you select ‘no’, section X.6 will open, and you can describe the data sharing plan. Also indicate ‘no’ if the data or specimens will be accessible to anyone that is not a member of the UI research team (shared lab/freezer/office/repository etc.)
In section X.6, describe the following,
Identify the institution and any individuals that are not members of the UI research team that will have access to the data/specimens or that the data will be shared with.
Describe what data/specimens will be shared and how they will be identified.
Indicate if the data or specimens will contain identifiers or if they will be completely de-identified.
Indicate if a Data Use Agreement (DUA) has already been established with the non-UI individual or institution or include a statement about the PI’s plan to work with the Division of Sponsored Programs to establish a DUA.
Note: This is not necessary for data sharing through a sponsor Electronic Data Capture (EDC) system.
This should be consistent with section X.4 and the consent document.
Certificate of Confidentiality
If your study meets the NIH criteria for a Certificate of Confidentiality or if you will be applying for one, indicate ‘yes’ in section X.7.
A Certificate of Confidentiality is only allowed for research projects that are:
Collecting personally identifiable, sensitive information
Approved by an Institutional Review Board (IRB) operating under a Federalwide assurance (FWA) issued by the DHHS Office of Human Research Protections (OHRP) or with the approval of the FDA
On a topic that is within the HHS health related research mission
Federal funding is not required but issuance is at the discretion of the issuing agency
Storing research data in the United States
Allowable under federal regulations
The CoC should also be indicated in section VIII.2 as a method of minimizing risk to subjects.
If you select ‘yes’ in X.7, sections X.8 will open. In X.8, describe the justification for the Certificate of Confidentiality.
In section X. 8, indicate if the coordinating center, rather than the UI, will obtain the Certificate of Confidentiality.
If the UI or the VA will be the coordinating center, section X.9 will open. Describe how UI researchers will ensure that the CoC protections will be implemented at all participating sites. Provide a response to each bulleted item in X.9 and attach signed CoC assurances from the participating institutions. (The HSO can provide a template CoC assurance letter for participating institutions to sign and return.) Related responses in section VII.A. should be consistent with the information provided here.
Questions about this topic? Email the HSO Education and Outreach team or come to Office Hours to speak directly to a member of the HSO team.
Have an idea for a future Herky Hint for HawkIRB? Let us know!