400. Participant Privacy versus Data Confidentiality

Updated July 1, 2019

Although often used interchangeably in common discourse, for the purposes of human research protection, the terms "privacy" and "confidentiality" represent two different concepts: one related to the person, and the other related to information.

Privacy

Privacy refers to an individual's right to control the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with other, including personal information used in what may be presumed by the user to be a private setting (e.g., social media). NOTE: Private information must be identifiable in order for the collection of such information to constitute research.

Privacy concerns relate to the methods by which prospective participants are identified and approached, and sometimes include data collection methods (e.g., use of existing records for research; observational research). (See IRB privacy policy for more information.)

Confidentiality

Confidentiality refers to the expectation that information an individual has disclosed in a pre-arranged agreement between parties (e.g., between researcher and participants) will not be divulged to others in ways that are inconsistent with the understanding of the original disclosure or that permission will be obtained for disclosures not previously authorized by the individual. All studies including those using computer and internet technologies must maintain the confidentiality of information obtained from or about participants and adequately address possible risks to participants.

In human research, the relationship is generally between the research participant and the researcher. The understanding of how the information will be used should be outlined in a consent agreement. The agreement may be presented through an information script or sheet with oral or implied consent, or through use of a signed consent document.

Confidentiality concerns include data handling methods during data coding, storage, transport (when applicable), de-identification processes, and destruction. (See IRB policy for data confidentiality for more information.)

Federal Regulations Related to Privacy and Data Confidentiality in Human Research

Federal regulations for the protection of human participants in research require IRBs to consider the adequacy of provisions to both protect the privacy of participants and to maintain confidentiality of the research data (when appropriate) (45 CFR 46.111(a)(7)). The University IRB may not approve human research projects without assessing the adequacy of these provisions.

Federal regulations for human research protection also require researchers to inform study participants of "...the extent, if any, to which confidentiality of records identifying the subject will be maintained" (45 CFR 46.116). The regulations also require researchers disclose "reasonably foreseeable risks," including risks related to privacy and confidentiality, to participants during the informed consent process.  However, in some research a promise of confidentiality may not be part of the informed consent agreement, for example when participants agree in advance to be identified. In such cases, the research plan and consent materials must clarify the confidentiality considers of participation and when applicable, justify disclosure of participants' identities and the information collected about them.

Research Integrity and the IRB ensure human research is compliant with federal regulations and local laws concerned with privacy and confidentiality. See the following sections in the IRB Policy Manual for additional protections:

For sponsored research, the University agrees to abide by the Uniform Administrative Requirements...for Federal Awards, Internal Controls (2 CFR 200.303(e)) by requiring University and affiliate researchers to take reasonable measures to safeguard Protected Personally Identifiable Information (see online Policy Manual Definitions) and other information designated as sensitive or considered sensitive consistent with applicable Federal, state and local laws regarding privacy and obligations of confidentiality (e.g., true name of victim of a crime). For the purposes of this policy, research is designated as sensitive if it involves the collection of personal information that if released, could reasonably lead to social stigmatization or discrimination, or be damaging to an individual's financial standing, employability, or reputation within the community. Examples of sensitive data include information about

  • sexual behavior;
  • sexually transmitted diseases;
  • excessive alcohol or illegal drug use, or overuse of prescription drugs;
  • illegal conduct; and
  • mental health diagnoses.

Determinations of the sensitivity of research data may be made by the principal investigator or the IRB. Sensitive research requires additional safeguards to protect participant privacy and maintain the confidentiality of research data.

Privacy and Confidentiality Considerations for Human Subjects Research

Researchers and IRB members must consider the complete spectrum of research activities, risks of participation, and environmental and cultural factors to fully assess the adequacy of processes and mechanisms to protect participant privacy and maintain data confidentiality.