When discussing human subject protections, many of us tend to use the terms ‘privacy’ and ‘confidentiality’ interchangeably, but there are very important differences. The IRB must consider both privacy and confidentiality for the entire duration of the study, as well as the maintenance of research records once the study finishes. These are discussed in detail in the Human Subjects Protection Module that has been developed by CITI. We summarize below some of the major points made in that module.
Private Information: information about behavior that occurs in a context in which an individual can reasonably expect that no observation or recording is taking place, and information which has been provided for specific purposes by an individual and which the individual can reasonably expect will not be made public (for example, a medical record).
‘Privacy’ refers to an individual’s right to control access to their personal information, but it also includes access to their body (such as collection of their biological specimens). Privacy is a subject’s ability to control how other people see, touch, or obtain information about the subject. Violations of privacy can involve circumstances such as being photographed or videotaped without consent, being asked personal questions in a public setting, being seen without clothing, being observed while conducting personal behavior, or the disclosure of information about abortions, HIV status, illegal drug use, etc.
Strategies to protect one’s privacy may include the following:
- the research intervention will be conducted in a private room
- drapes or other barriers will be used for subjects who are required to disrobe
- the collection of sensitive information will be limited to the minimum necessary to achieve the aims of the research
‘Confidentiality’ refers to how private information provided by individuals will be protected by the researcher from release. Describing just how the confidentiality of research information will be maintained is an important element of the consent process. Confidentiality is an extension of the concept of privacy; it refers to the subject’s understanding of, and agreement to, the ways identifiable information will be stored and shared. Identifiable information can be printed information, electronic information, or visual information such as photographs.
Strategies to protect one’s confidentiality may include the following:
- paper-based records will be kept in a secure location and only be accessible to personnel involved in the study
- computer-based files will be encrypted and only made available to personnel involved in the study through the use of secure access privileges and passwords
- prior to accessing any study-related information, personnel will be required to sign statements agreeing to protect the security and confidentiality of identifiable information
- whenever feasible, identifiers will be removed from study-related information
- audio and/or video recordings of subjects will be transcribed and then destroyed to eliminate audible or visual identification of subjects
Under the Common Rule, 45 CFR 46.111, the IRB must review the provisions for privacy and confidentiality. Similar protections are required under the FDA regulations at 21 CFR 56.111. The IRB will, depending on the nature of the research, assess the following protections:
- Privacy of the process and protection of collected data during recruitment and follow-up
- Provisions to protect data and samples during use and subsequent storage
- Identification of individuals or organizations who may access identifiable information
- Plans for de-identification and/or destruction of data or specimens, when appropriate