Approved by: Human Protections Administrator, Director of OPRS, and Executive IRB Chair
AAHRPP REF#: 160
AAHRPP Elements: II.3.E
- The term “confidentiality” refers to the maintenance of the investigator’s agreement with the subject as to how a subject’s identifiable private information will be handled, managed, and disseminated.
- Most research studies require provisions for maintaining confidentiality of data.
- As a condition of protocol approval, the IRB determines that there are adequate provisions to protect confidentiality of information related to potential or current participants, throughout the study, including preliminary to the research, recruitment and enrollment, research participation and after conclusion of the research.
- Researchers must incorporate within their protocols measures to maximize confidentiality to avoid unintentional and unauthorized release or other disclosures of identifiable private information.
- IRB Responsibilities
- The IRB in their review considers the nature, probability, and magnitude of harms that would be likely to result from an unauthorized release of the collected information.
- The IRB assesses the level of security and adequacy of protective measures required for each protocol based on the presence of identifiers, sensitivity of the data and risks of a breach.
- Provisions that the IRB may consider for maintaining confidentiality may include:
- restricting PHI to a limited dataset,
- substitution of code for subject identifiers,
- storage of data in locked cabinets,
- use of honest brokers,
- encryption of electronic data,
- storage behind a secure firewall, and
- statistical methods, such as
- inter-file linkage (i.e., procedures that eliminate linkage of data to unique identifiers),
- error inoculation (i.e., inserting random error into dataset to secure confidentiality while still allowing useful statistical analysis),
- top coding (i.e., replacing values above a certain level with a threshold value),
- bracketing and
- data brokering (e.g., a third party holds data and identifiers). UIC HSPP data security measures for PHI and other highly sensitive identifiable data are available in UIC HSPP Policy Research Data Security).
- When identifiable data is obtained from participants in human subject research involving sensitive, stigmatizing or illegal characteristics, additional measures to protect confidentiality, such as waiver of documentation of consent or obtaining a certificate of confidentiality (refer to UIC HSPP Guidance- Certificates of Confidentiality) should be considered.
- Investigator Responsibilities
- The investigator must document in the protocol and protocol application the identifiable data elements to be collected and the measures in place to secure the data throughout the study and at it end.
- Protocols should be designed to minimize the need to collect and maintain identifiable data about participants. If collection of identifiers is necessary, they should be removed and destroyed as soon as possible. .
- The investigator must clearly disclose in the informed consent document the identifiable data elements to be collected, measures in place to secure the data, and circumstances under which confidential information may possibly be disclosed and to whom.
- Projects are required to have and submit to the IRB a privacy certificate approved by the National Institute of Justice human subjects protection officer.
- Researchers and staff are required to sign employee confidentiality statements, which are maintained by the responsible researcher.
- Non-employees of the Bureau may receive records in a form not individually identifiable when advance adequate written assurance that the record will be used solely as a statistical research or reporting record is provided to the agency.
- Except as noted in the consent statement to the participant, the researcher must not provide research information that identifies a participant to any person without that participant’s prior written consent to release the information. For example, research information identifiable to a particular individual cannot be admitted as evidence or used for any purpose in any action, suit, or other judicial, administrative, or legislative proceeding without the written consent of the individual to whom the data pertain.
- Except for computerized data records maintained at an official Department of Justice site, records that contain non-disclosable information directly traceable to a specific person may not be stored in, or introduced into, an electronic retrieval system.
- If the Researcher is conducting a study of special interest to the Office of Research and Evaluation (ORE) but the study is not a joint project involving ORE, the Researcher may be asked to provide ORE with the computerized research data, not identifiable to individual participants, accompanied by detailed documentation. These arrangements must be negotiated prior to the beginning of the data collection phase of the project.
- National Institute of Justice Funded Research
- Research Involving the Bureau of Prisons: Confidentiality
21 CFR 56.111(a)(7)
38 CFR 16.111(a)(7)
45 CFR 46.111(a)(7)
VHA Handbook 1200.05
UIC Social and Behavioral Sciences Informed Consent Template
UIC Biomedical Informed Consent Template
|Version (#, date)
||Replaces (#, date)
||Summary of changes
||Expanded agencies issuing certificates of
confidentiality and inserted updated certificate
of confidentiality language.
||Removed Certificate of confidentiality section to a separate guidance. Updated security measures looked at by the IRB and added NJI and Bureau of Prisons regulations..