400. Participant Privacy versus Data Confidentiality

Updated July 13, 2021

Although often used interchangeably in common discourse, for the purposes of human research protection, the terms "privacy" and "confidentiality" represent two different concepts: one related to the person, and the other related to information. The IRB is responsible for systematically evaluating proposed research for adequate provisions which protect the privacy interests of participants and to maintain the confidentiality of identifiable data. The federal regulations differentiate between privacy and confidentiality, and it is important to understand the difference to determine whether these regulatory criteria for approval of human research are appropriately met.

Privacy

Privacy refers to an individual's right to control the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with other, including personal information used in what may be presumed by the user to be a private setting (e.g., social media). NOTE: Private information must be identifiable for the collection of such information to constitute research.

Privacy concerns relate to the methods by which prospective participants are identified and approached, and sometimes include data collection methods (e.g., use of existing records for research; observational research). (See IRB privacy policy for more information.)

In developing strategies for the protection of participants’ privacy, consideration should be given to:

The methods used to identify and contact potential participants.
The settings in which an individual will be interacting with an investigator.
The appropriateness of all personnel present for research activities.
The methods used to obtain information about participants.
The nature of the requested information.
Information that is obtained about individuals other than the “target participants,” and whether such individuals meet the regulatory definition of “human participant” (e.g., an individual provides information about a family member for a survey).
Privacy guidelines developed by relevant professional associations and scholarly disciplines (e.g., oral history, anthropology, psychology).
How to access the minimum amount of information necessary to complete the study.

Confidentiality

Confidentiality refers to the expectation that information an individual has disclosed in a pre-arranged agreement between parties (e.g., between researcher and participants) will not be divulged to others in ways that are inconsistent with the understanding of the original disclosure or that permission will be obtained for disclosures not previously authorized by the individual. All studies including those using internet and social media technologies must maintain the confidentiality of information obtained from or about participants and adequately address possible risks to participants.

In human research, the relationship is generally between the research participant and the researcher. The understanding of how the information will be used should be outlined in a consent agreement. The agreement may be presented through an information script or sheet with oral or implied consent, or through use of a signed consent document.

Confidentiality concerns include data handling methods during data coding, storage, transport (when applicable), de-identification processes, and destruction. (See IRB policy for data confidentiality for more information.)

When the IRB evaluates research proposals for strategies for maintaining confidentiality, where appropriate, consideration will be given as to whether:

Methods to shield participants' identity adequately protect participant privacy.
There is a long-range plan for protecting the confidentiality of research data, including a schedule for destruction of identifiers associated with the data.
The consent form and other information presented to potential research participants adequately and clearly describe confidentiality risks.
The informed consent process and the informed consent document (and, if applicable, the HIPAA Authorization section), clearly delineate who will have access to the participant’s information and under what circumstances data may be shared (i.e., with government agencies, sponsors).

Federal Regulations Related to Privacy and Data Confidentiality in Human Research

Federal regulations for the protection of human participants in research require IRBs to consider the adequacy of provisions to both protect the privacy of participants and to maintain confidentiality of the research data (when appropriate) (45 CFR 46.111(a)(7)). The University IRB may not approve human research projects without assessing the adequacy of these provisions. When it is necessary to collect and maintain identifiable data, the IRB will ensure that the protocol includes the necessary safeguards to maintain confidentiality of identifiable data and data security appropriate to the degree of risk from disclosure.

Federal regulations for human research protection also require researchers to inform study participants of "...the extent, if any, to which confidentiality of records identifying the subject will be maintained" (45 CFR 46.116). The regulations also require researchers disclose "reasonably foreseeable risks," including risks related to privacy and confidentiality, to participants during the informed consent process. However, in some research a promise of confidentiality may not be part of the informed consent agreement, for example when participants agree in advance to be identified. In such cases, the research plan and consent materials must clarify the confidentiality considers of participation and when applicable, justify disclosure of participants' identities and the information collected about them.

Research Integrity and the IRB ensure human research is compliant with federal regulations and local laws concerned with privacy and confidentiality. See the following sections in the IRB Policy Manual for additional protections:

Nevada state laws: for an overview of relevant laws with a link to the Nevada Law Library;
HIPAA: for research involving medical records;
Department of Education (DoEd) and Family Educational Rights and Privacy Act (FERPA): for research involving education records; and
Department of Justice (DoJ) and National Institute of Justice (NIJ) requirements: for research conducted or supported by the Department of Justice or the National Institute of Justice.

For sponsored research, the University agrees to abide by the Uniform Administrative Requirements...for Federal Awards, Internal Controls (2 CFR 200.303(e)) by requiring University and affiliate researchers to take reasonable measures to safeguard Protected Personally Identifiable Information (see online Policy Manual Definitions) and other information designated as sensitive or considered sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality (e.g., true name of victim of a crime). For the purposes of this policy, research is designated as sensitive if it involves the collection of personal information that if released, could reasonably lead to social stigmatization or discrimination, or be damaging to an individual's financial standing, employability, or reputation within the community. Examples of sensitive data include information about:

sexual behavior;
sexually transmitted diseases;
excessive alcohol or illegal drug use, or overuse of prescription drugs;
illegal conduct; and
mental health diagnoses.

Determinations of the sensitivity of research data may be made by the principal investigator or the IRB. Sensitive research requires additional safeguards to protect participant privacy and maintain the confidentiality of research data.

Privacy and Confidentiality Considerations for Human Research

Researchers and IRB members must consider the complete spectrum of research activities, risks of participation, and environmental and cultural factors to fully assess the adequacy of processes and mechanisms to protect participant privacy and maintain data confidentiality. The IRB must decide on a protocol-by-protocol basis whether there are adequate provisions to protect the privacy of participants and to maintain the confidentiality of the identifiable data at each segment of the research from recruitment to maintenance of the data.