IRB Guidance: Privacy vs. Confidentiality
Privacy and confidentiality are often used and referred to interchangeably. Although the two are related, as confidentiality is an extension of privacy, privacy and confidentiality do involve very different considerations that need be addressed appropriately when filling out an IRB application.
This page defines privacy and confidentiality and clarifies the important distinctions for IRB purposes.
Privacy (applies to the individual/subject)
Privacy refers to an individual’s desire to control who has access to him/herself. This includes access to the individual’s personal/private information.
Things to keep in mind and address when outlining privacy precautions in the IRB application are:
- The methods used to identify and contact potential participants;
- The settings in which an individual will be interacting with an investigator. For example, persons may not want to be seen entering a place that might stigmatize them, such as a pregnancy counseling center that is clearly identified as such by signs on the front of the building;
- The type of information being collected (i.e. personal, sensitive and/or identifiable);
- How to access the minimum amount of information necessary to conduct the study.
Confidentiality (applies to the data)
Confidentiality refers to the researcher’s agreement with the participant about how the research participant’s identifiable private information will be handled, managed, and disseminated. In other words, it refers to how and where research documents and data will be stored.
Things to keep in mind and address when outlining confidentiality provisions in the IRB application are:
- If the study includes collection of data from multiple mediums (audio, video, digital, paper files), data storage, data protection, and data retention plans for each medium should be detailed;
- If audio or video collection is for transcription purposes only, include that the audio and video files will be destroyed as soon as transcription is complete. Also include details for storing, protecting, and retaining the transcribed data;
- If coding, use of pseudonyms, and/or other data protections will be in place, include those details as well as who will have the key/ability to link the data to the direct identifiers;
- If signed consent forms will be used, details about storage, protection, and retention of the signed consent forms should be addressed;
- This information should also be outlined on the consent form for participants;
- Per campus policy, data should be retained on campus servers or in locked campus offices for 7 years.