410. Maintaining Data Confidentiality
Updated July 1, 2019
Confidentiality refers to the researcher's agreement to handle, store, and share research data to ensure that information obtained from and about research participants is not improperly divulged. Individuals may only be willing to share information for research purposes with an understanding that the information will remain protected from disclosure outside of the research setting or to unauthorized persons.
NOTE: For the purposes of this policy, the term "data" is used in the widest sense, and includes numeric data files, and qualitative materials such as interview transcripts, diaries, and field notes. Research data may include audio and video formats, geospatial information, biometrics, Web sites, and data archives (including those available online).
Requirements for confidentiality protections apply to Protected Personally Identifiable Information (PPII) obtained
- preliminary to research (e.g., PPII is obtained from private records to assess eligibility or contact prospective participants);
- during data collection, analysis, and dispensation; and
- after study closure (if PPII is retained).
Researchers are responsible for
- abiding by the IRB-approved researcher-participant agreement for the collection and protection of research data, and
- protecting participants from harms that may result from breaches of confidentiality (e.g., psychological distress, loss of insurance, loss of employment, or damage to social standing).
Protecting Data Confidentiality
Routine Precautions to Protect Confidentiality
In most research, assuring confidentiality is only a matter of following some routine practices:
- PPII are replaced with research identification codes (ID Codes) for PPII.
NOTE: Names and social security numbers may not be incorporated into or used for ID Codes.
- Face sheets containing PPII are removed from completed survey instruments;
- Access to master code lists or key codes is limited.
- Master lists are stored separately from the data and destroyed as soon as reasonably possible.
- Contact lists, recruitment records, or other documents that contain PPII are destroyed when no longer required for the research.
- Files containing electronic data are password-protected and encrypted (at least when data are transferred or transported).
- Research data/specimens are stored securely in locked cabinets or rooms.
- Electronic data are stored in password-protected computers or files.
- Files containing electronic data are closed when computers will be left unattended.
- Consent and HIPAA authorization forms are stored securely in locked cabinets or rooms, separately from the research data.
- Research staff are trained in the IRB-approved methods for managing and storing research data/specimens.
Considerations for Protecting Confidentiality During Data Collection
- Inclusion of PPII: Will PPII be collected along with the data/specimens? What are the minimum PPII necessary to conduct the research?
- Coding Data/Specimens: Will PPII be replaced with ID Codes when the data/specimen are collected/obtained (recommended)? If no, why not? If yes, will a master code list be used to link PPII with ID Codes? How will the confidentiality of the master code list be protected? Should numerical data be top- or bottom-coded?
- Access to Clinic, Education, Program or Personnel Records for Research: How will researchers ensure only authorized persons access clinic or other private records that will be used for the research? How will researchers ensure confidentiality is maintained during the collection of private information from clinic or other records?
- Electronic Records: How will researchers ensure electronic data are protected during data collection? Will participants completing online surveys be advised to close the browser to limit access to their responses?
- Use of Translators or Interpreters: When data collection requires use of translators or interpreters who are not members of the research team, how will researchers ensure the confidentiality of the information collected?
- In-person Interviews: What safeguards will be in place to maintain the confidentiality of data obtained through in-person interviews?
- Focus Groups or Other Group Settings (schools, jail, clinics, treatment centers): What protections will be in place to minimize the possibility that information shared in a group setting is disclosed outside of the group or for purposes other than those described in study documents?
- Internet Research: How will researchers restrict access to survey responses during data collection (e.g., restricted access, data encryption, virus and intruder protections)?
NOTE: The University IRB does not allow research data to be collected or dispensed via email.
- Field Procedures: What safeguards will be in place to maintain the confidentiality of data during collection in the field? During storage at field sites? During transport to the University?
- Biometric or Genetic Testing: How will researchers protect the confidentiality of diagnostic or genetic information, especially if tests are out-sourced?
- Re-contacting Participants: What is the minimum information necessary for re-contacting participants? How will the confidentiality of the contact information be maintained during the research? When will the contact information be destroyed?
- Linking Multiple Data-Sets: Research involving multiple datasets often require a common identifier be present in the various datasets (e.g., name, address, social security number). Will researchers use standard inter-file linkage procedures for merging the datasets? If not, how will confidentiality be protected?
- Breach of Confidentiality Risks: Should documentation of consent be waived to protect participants in the event of a breach of confidentiality?
Considerations for Protecting Confidentiality When Storing Data/Specimens
NOTE: Considerations for data storage apply both before and after analysis.
- Retaining PPII: Will PPII be stored with the data/specimens? Why?
- Access to PPII: If PPII will be stored with data/specimens, who will have access? If stored data/specimens are coded, who will have access to the master code list? When will the master code list be destroyed?
NOTE: Access to PPII should be limited to researchers who require such access to fulfill research objectives. The master code list should be destroyed as soon as is feasible (e.g., immediately after data are cleaned).
- Identification of Participants Through Linked Elements: Will stored, coded data/specimens contain elements that may be used (alone or in combination) to link an individual with her/his data/specimens? This is particularly relevant to research with small cell sizes.
- Storage of Electronic Records: How will researchers manage and electronic data to protect confidentiality?
NOTE: University (including UNSOM) researchers are advised to use the UNRNAS or other University data servers to store electronic research records. The University prohibits use of cloud-based file storage services unless specifically authorized by the University. For more information, refer to Data, Web, and Cloud Systems on the Information Technology website or send an email to firstname.lastname@example.org.
- Audio, Video, and Photographic Records: What additional precautions will be used to protect the confidentiality of audio, video, or photographic records in that individual participants may be identified through voice analysis (audio and video) or physical characteristics (video or photographic images)?
- Security of Storage Facility: Are the security features of the storage site (or storage mechanisms for electronic data) sufficient to ensure data confidentiality?
- Inclusion in Clinical or Program Records: Will research data be recorded in permanent clinical or program records? If yes, what information will be recorded and why will it be recorded in these records?
- Placement of Data in Repositories: What are the requirements of the repository related to file formats; data management and sharing plans; documentation of form and content; variable names, labels, and groups; coding; and missing dat.
Considerations for Protecting Confidentiality During Data Analysis and Presentation
- Presenting Data: How will data be presented to ensure discrete variables cannot be used (alone or in combination) to identify an individual? This is especially important for research with small cell sizes.
- Geocoding and Mapping: For research involving geocoding and mapping, what precautions will be implemented to protect the identities of individuals in the sample populations? Is it possible the mapped information may stigmatize or provoke anxiety among the individuals living in specific locales identified on the map?
- Secondary or Incidental Findings: Will participants (or affected, biological family members) be told about secondary or incidental findings? If no, why not? If yes, how and to whom will the disclosure be made?
Informing Participants of Confidentiality Protections and Limitations
The information researchers are required to disclose to participants is commensurate with risk. More information about processes to protect confidentiality should be provided to participants in studies in which unauthorized disclosure may place them at risk, compared to participants in studies in which disclosure is not likely to expose them to harms.
Investigators may access PPII without informing the individuals to whom the information pertains if the IRB approves a waiver of the requirement to obtain informed consent. In such cases, researchers should be especially cognizant of the importance of keeping participants' information confidential because private information is being accessed without participants' knowledge or permission.
Required Disclosures Related to Confidentiality Protections
Researchers must tell participants
- how the information collected from/about them will be used (i.e., study purpose);
- if PPII will be collected, and whether PPII will be disclosed in reports or publications resulting from the research;
- who will have access to their PPII and the other information collected about them; and
- the collection of audio, video, or photographic records. For the latter, researchers must obtain signed video/photo releases.
Optional Disclosures Related to Confidentiality Protections
Participants may benefit from being told
- why the collection/retention of PPII is necessary for the research;
- if PPII will be stored with the data or linked to the data via a master code list;
- how long the researchers will retain their PPII;
- when data will be de-identified, or if not de-identified, when it will be destroyed; and
- what procedures will be put in place to preclude unauthorized access to the research data.
Informing Participants about Secondary and Incidental Findings
When communicating the fundamental aspects of their research to the IRB and to participants, researchers must also consider whether study tests or procedures may reveal information about a study participant that is not the primary focus of the research but that may have clinical significance for the individual. Such findings may be secondary or to the research, and anticipated or unanticipated.
Tests/procedures more likely to lead to secondary or incidental findings include large-scale genetic sequencing (e.g., whole genome sequencing, non-specific genomic analyses); non-discrete testing of blood and other biological specimens (e.g., metabolic panels); and imaging (e.g., MRI, CT, X-rays, ultrasounds). For more information, see the IRB policy for disclosing findings to participants.
Disclosures Related to Limits to Confidentiality
Researchers must tell participants about limitations on the protection of data confidentiality such as:
- inspection of medical or research records by the IRB, FDA or sponsor;
- mandatory reporting laws for communicable diseases; and
- mandatory reporting laws for child or elder abuse.
Limits to Confidentiality for Humanities Projects
Humanities projects may not expect to keep participants' identities or their responses confidential; sometimes interviewees want their names associated with their responses. This practice is acceptable as long as research participants are made aware of whether or not their names will be associated with their responses and told of any inherent risks associated with such disclosure.
Additional Confidentiality Considerations
Certificates of Confidentiality
Research involving illegal activities or the collection of sensitive data may require researchers to obtain a Certificate of Confidentiality for protection from subpoena.
Waivers of Documentation of Informed Consent
Research in which the principal risk is related to a breach of confidentiality may be eligible for an IRB waiver of signed consent. For example, in studies where subjects are selected because of a sensitive, stigmatizing, or illegal characteristic (e.g., persons with illegal immigration status; or who have sexually abused children, sought treatment in a drug abuse program, or tested positive for HIV), keeping the identity of participants confidential may be more important than keeping the data obtained about the participants confidential. See IRB policy for consent waivers for more information.
Data Use and Materials Transfer Agreements
When researchers are sharing data/specimens with other entities, whether as the provider or recipient, formal agreements may be warranted. See the University's Office of Sponsored Projects policy and form for establishing Data Use Agreements. Contact the University Technology Transfer Office for information about Materials Transfer Agreements.
When applicable, investigators must attach approved Data Use Agreements and Materials Transfer Agreements to new projects or amendment packages (for newly added agreements) in IRBNet for IRB review or exempt determination.
IRB Review of Confidentiality Protections
When research data will be linked, directly or indirectly to PPII, the University IRB will not approve the research unless precautions are adequate to safeguard data confidentiality during data collection, storage, analysis, and dispensation. The University IRB balances requirements for protecting the confidentiality of research data with the level of risk associated with unauthorized disclosure, legal obligations related to confidentiality, and the confidentiality commitment made to research participants.
For research involving information that may be considered sensitive (e.g., mental illness, cognitive impairment, physical disabilities, STDs, drug and alcohol abuse), the IRB will assess the need for more robust safeguards, including Certificates of Confidentiality.
Unauthorized Disclosure of Information
Investigators must inform the IRB immediately in the event of an unauthorized release or loss of subjects' private or confidential information. For more information, see IRB policy for reporting problems.