Topics Map > Research Policy and Compliance > Human Research Protection Program (HRPP) > HRPP Policies
Protecting Research Participants Privacy Interests and Confidentiality of Data
This policy describes how the UW-Madison IRBs evaluate proposed arrangements for protecting participants' privacy interests and confidentiality of research data.
UW–Madison IRBs are required to ensure human subjects research includes adequate provisions to protect the privacy of participants and confidentiality of data for non-exempt human subjects research and certain categories of federally funded exempt human subjects research.
Privacy refers to a person's desire to control the access of others to him or herself. For example, research participants may not want to be seen entering a place that might stigmatize them, such as a pregnancy counseling center that is clearly identified as such by signs on the front of the building.
Confidentiality refers to the researcher’s agreement with the participant about how the research participant’s identifiable private identifiable information will be handled, managed, and disseminated.
In order for the IRBs to assess privacy and confidentiality protections, study teams are expected to describe how they will protect participant privacy and data confidentiality as part of their IRB application.
The UW–Madison IRBs assess whether the risks of breach of participants' privacy interests and confidentiality of data are commensurate with the benefits to participants and the risks of everyday life and what measures may be necessary to mitigate those risks.
The UW–Madison IRBs consider the following in regard to the protection of participant privacy:
The research setting.
Participant population, including whether a vulnerable population is involved or whether participants in another country whose political or cultural climate raises unique risks.
The manner in which participants will be approached and enrolled.
Inclusion of any individuals about whom the primary participants will provide information (but from whom informed consent is not planned).
Whether the study proposes an invasion of privacy through observation or intrusion into situations where participants would otherwise have a reasonable expectation of privacy.
Whether the information collected is the minimum necessary to answer the research question.
Whether a participant may be indirectly identified because of small sample size.
Where there is a risk that privacy will be compromised, the IRB will evaluate whether:
Reasonable people might be offended by the invasion of privacy;
The research can be redesigned to avoid the possible invasion of privacy;
The importance of the research objective justifies the invasion of privacy;
The participant will be informed of the invasion of privacy, its implications, and available protections; and
Documentation of consent should be waived in order to protect participant privacy.
The UW–Madison IRBs consider the following in regard to assessing data confidentiality protections:
The nature of information collected, including whether any information could be considered sensitive, such as illegal or stigmatizing behaviors, stigmatizing medical conditions, whole genome sequencing or identification of genetic markers that serve as potential predictors of disease.
When the research includes the collection of sensitive individual information, the IRB will evaluate whether:
Adequate provisions have been identified to protect the confidentiality of the data through coding, destruction of identifying information, limiting access to the data, and any other methods that may be appropriate, given the context of the study;
The disclosure of the data might place the participant at legal, social, reputational, employability, or insurability risk.
The nature of the identifiers associated with the data.
The data format, such as whether images or audio recordings are created or collected.
The justification for needing identifiers in order to conduct the research.
The proposed use of the information.
Who will collect, receive and use the information.
The process used to share the data, if applicable.
The likely retention period for identifiable data.
The security controls in place, including physical safeguards for paper records and technical safeguards for electronic records.
Whether appropriate permission is sought for access to records when reviewing existing records for participant selection or to abstract data.
Where compelled disclosure of the data might place participants at risk, whether a Certificate of Confidentiality should be sought to protect the researcher from disclosure of the data under subpoena or other legal process.
Where accidental disclosure of the data might place participants at risk, whether data management procedures ascribe to institutional policies and IRB guidance for appropriate and required data security measures.
Whether disclosures to participants about confidentiality risks and protections are adequate.
Whether documentation of consent should be waived in order to protect confidentiality.
If a study involves the use of Protected Health Information (PHI), UW–Madison IRBs must assure that the study satisfies the requirements of the HIPAA Privacy Rule, including any waiver or alteration of HIPAA authorization.
If the study involves the use of student education records, UW–Madison IRBs must assure that the protocol satisfies the requirements of the Family Educational Right and Privacy Act (FERPA).
If a study is supported by the National Institutes of Health (NIH), the UW–Madison follows the NIH policy regarding Certificates of Confidentiality (CoCs); NIH automatically issues CoCs for most research that agency supports.
Adopted By: All Campus IRB
Adoption Date: November 10, 2005
Revised: March 1, 2012
Revised: February 5, 2018