What things should I consider to protect subjects' privacy and confidentiality of data?
Frequently Asked Question
When reviewing an application and protocol, the IRB will consider whether appropriate provisions are in place in order to protect the privacy interests of research subjects and confidentiality of their research data. If the protocol involves the use of Protected Health Information, the IRB will also ensure that the protocol satisfies the requirements of the HIPAA Privacy Rule.
The IRB will consider the following when determining whether a protocol should include provisions to protect research subjects' privacy interests and/or confidentiality of data:
- Risk/Benefit assessment,
- Location of the data collection,
- Sensitivity of the data being collected,
- Whether the research data is truly anonymous or measures are in place to separate direct from indirect identifiers when anonymity is not possible.
- Characteristics of the vulnerable populations involved,
- Interaction or intervention with participants will occur in a location offering adequate privacy,
- Research staff have the appropriate training and valid access to data being collected,
- Sensitivity of the data being collected, where and how the data will be collected and analyzed,
- Where the data will be stored, whether and how the data will be coded and who will have access to codes or master lists, who will have access to the data,
- Whether a certificate of confidentiality has been or should be obtained,
- Whether a research subject may be indirectly identified due to the small sample size,
- Whether all the information proposed to be collected is necessary for conduct of research, and
- Whether participants are adequately informed of the risks of breach of confidentiality.
HRPP: Protecting Research Participants Privacy Interests and Confidentiality of Data