Federal regulations [45 CFR 46.111(a)(7) (DHHS) and 21 CFR 56.111(a)(7) (FDA)] require that the IRB only approve research where there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.

The investigator must have sound plans to protect the subject's identity, must collect only the identified information necessary to conduct the study, and must have procedures in place to maintain the confidentiality of the research records.

Although related, the concepts of privacy and confidentiality are distinct from one another. Privacy concerns people; confidentiality concerns data.


  • Privacy is the freedom from unauthorized intrusion or the state of being let alone and able to keep certain personal information to oneself.
  • The evaluation of privacy should involve consideration of how the investigator will access information from or about participants.
  • By its nature, research may invade the privacy of individual subjects in that it may require the collection or use of, or access to, identifiable information that would otherwise not be shared with others. When this is required for the purposes of the research, the private information involved should be the minimum necessary to accomplish the goals of the research.


  • Confidentiality means the ethical or legal right that information is considered private and will be held secret unless consent is provided permitting disclosure.
  • IRB members should be knowledgeable about strategies to maintain confidentiality of identifiable data, including controls on storage, handling, and sharing of data.
  • Investigators should explain the mechanisms that have been devised, for example, the use of numbering or code systems or safely locked files in private offices. The investigator should describe who has access to the data and under what circumstances a code system may be broken.