Guidance

When thinking about privacy and confidentiality in the research context, distinctions should be made between the two issues.

Privacy refers to persons and to their interest in controlling access of others to themselves. Privacy can be thought in terms of having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others.

Confidentiality is an extension of the concept of privacy, but it refers to the research participant’s understanding of (and agreement to) the ways that their identifiable information will be stored and shared. Identifiable information can include printed information, electronic data or media, or visual information (photographs, video records, etc.).

The bottom line: Privacy refers to people; Confidentiality refers to data about people.

The following are examples of methods used to protect privacy and confidentiality. Researchers are required to inform the IRB of the specific precautions and procedures they will implement to safeguard privacy and confidentiality in their project. Different levels of protection may be appropriate depending on the nature of the study; however, researchers should assume the IRB expects the highest level of protection for the most vulnerable population(s) included in the study.

Examples of Privacy Protections:

• Conducting interviews about sensitive topics individually, rather than in a group setting.
• Interviewing participants in their homes or private offices, instead of public locations.
• Providing a private exam room for study procedures.
• De-identifying photos, audio recordings, or videos recordings of participants made during the study.
• Allowing for anonymous submission of surveys and questionnaires.

Examples of Confidentiality Protections:

• Storing research data on password protected computers or in locked cabinets or offices.
• Limiting access to identifiable study data to only a few members of the study team.
• Using only encrypted systems for storing research data on laptops.
• De-identifying study data.
• Using a code number instead of the participant’s real name on study data and blood/tissue samples.
• Destroying photos, audio tapes, or video tapes at the end of the study.

Breaches of Confidentiality

Investigators are responsible for the confidentiality of participant information collected during a study, including how this information will be stored and shared. A breach of confidentiality is an unanticipated problem that must be reported to the IRB. Additional requirements apply if the breach involves Protected Health Information (PHI) covered under HIPAA regulations. For examples of data breaches and for a description of how to report breaches of confidentiality, please refer to the IRB website under Breaches of Confidentiality.

Additional Considerations

• If the research involves observation or intrusion in situations where the participants have a reasonable expectation of privacy, investigators should review study design to see if the intrusion can be avoided or minimized.
• If the investigators want to review existing records to select subjects for further study, the investigator must follow the University of Utah recruitment guidelines and abide by any applicable HIPAA requirements. Please see on the IRB website HIPAA Privacy Rule and Authorization.
• If investigators are collecting sensitive information about individuals, adequate provisions must be made for protecting the confidentiality of the data through methods that are appropriate to the study.
  • If the information obtained about research participants might interest law enforcement or other government agencies to the extent that they might demand personally identifiable information, the investigator should review the IRB guidance, Certificate of Confidentiality to ensure that the confidentiality protections are adequately explained to the participant.
  •  The IRB guidance, Mandatory Reporting outlines situations which may require the disclosure of confidential information, such as reportable diseases, abusive situations, or intent to harm others or themselves. If the research may involve the potential disclosure of these types of information, the investigator should inform the participant about the limits of confidentiality.
  • Investigators must plan a secure and confidential way to handle genetic testing information and clearly explain this plan to the IRB. Identifiable results cannot be disclosed to the participant or anyone else unless in accordance with an approved protocol for contacting participants and/or family members. If there is a potential risk to the patient’s insurability or employability because of participation in the study, the consent document should disclose this. See the IRB guidance, Genetic Research.

Points to Consider