Revised Common Rule (2018 Requirements)
“(a) In order to approve research covered by this policy the IRB shall determine that all of the following requirements are satisfied:
(7) When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.
(i) The Secretary of HHS will, after consultation with the Office of Management and Budget's privacy office and other Federal departments and agencies that have adopted this policy, issue guidance to assist IRBs in assessing what provisions are adequate to protect the privacy of subjects and to maintain the confidentiality of data.
(ii) [Reserved]” 45 CFR 46.111(2018 Requirements)
Pre-2018 Common Rule Requirements
“(a) In order to approve research covered by this policy the IRB shall determine that all of the following requirements are satisfied:
(7) When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data.” 45 CFR 46.111(Pre-2018 Requirements), 21 CFR 56.111
Privacy means having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others. Confidentiality means the treatment of information that an individual has disclosed in a relationship of trust with the expectation that it will not be divulged to others in ways that are inconsistent with the understanding of the original disclosure, without their permission.
Methods for gathering and storing data may pose the risk of invasion of privacy and possible breach of confidentiality. To protect human subjects against such risks, investigators should use research designs that protect subjects’ privacy and confidentiality. For example, researchers may consider the following recommendations:
Identifying information should not be collected unless it is essential to the research
Identifiers should be destroyed as soon as they are no longer needed, to the extent permitted by law and other requirements (e.g. sponsor)
When identifiers are essential, a coding process should be employed so that identifiers and the key to the code that identifies the data are kept separately and securely from the data
As appropriate to the study design, this may include research procedures that provide anonymity in the data collection or de-identification of data once collected. Anonymity means that no one, including the principal investigator, is able to associate responses or other data with individual subjects. Investigators may promise anonymity only under this condition. Face to face interviews are not considered anonymous. See the Human Research Protection Program (HRPP) Manual 12-5 “Guidance on the Use of Anonymous and De-identified Data” for further explanations on anonymity.
In general, the privacy and confidentiality of subjects should not be compromised. However, legal requirements may compel a researcher to disclose subjects’ information (e.g., federal or state reporting laws, subpoenas, payments, tax laws) or allow access to the subject records (e.g., study sponsors, governmental or university officials). In certain instances, (e.g., oral history), it may be appropriate to use subjects’ names in reports or publications. In such instances, a subject’s permission for the use of his or her name should be documented in the consent process.
In order to approve research, the Institutional Review Board (IRB) will determine that, when appropriate, the research protocol or plan contains adequate provisions to protect the privacy of research subjects. The IRB should consider:
In order to approve research, the IRB will determine that, when appropriate, the research protocol or plan contains adequate provisions to maintain the confidentiality of identifiable data. The IRB should consider:
Absolute confidentiality may not be offered to subjects. Study sponsors, the U.S. Food and Drug Administration, and other university officials (e.g. Internal Audit, Research Integrity) have the right to access confidential records. In addition, an IRB or the Human Research Protection Program has the right to access subject records in the interest of protecting subjects’ rights.
Applicability of the Revised Common Rule (2018 Requirements)
See HRPP Manual Section 4-11 “Applicability of the Revised Common Rule (2018 Requirements),” for a description of whether the Revised Common Rule (2018 Requirements) or the Pre-2018 Common Rule Requirements apply.
Additional Considerations
For additional policies and procedures on privacy and confidentiality, see the following sections of the HRPP Manual:
2-3 State and Local Guidelines and Regulations
6-6-A Student PID Policy
6-8-E HIV and AIDS
12-5 Guidance on the Use of Anonymous and De-identified Data
For research subject to the requirements of the U.S. Department of Energy and U.S. Department of Justice, see the following sections of the HRPP Manual:
2-2-C U.S. Department of Justice
2-2-E U.S. Department of Energy
This policy and procedure supersedes those previously drafted.
Approved By: Vice President of Research and Graduate Studies, 3-3-2005. Revision 1 approved by VP Research & Graduate Studies on 7-21-2011. Revision 2 approved by Assistant VP Regulatory Affairs on 12-10-2015. Revision 3 approved by Senior VP for Research and Innovation on 1-18-2019.