Updated July 13, 2021
The IRB is responsible for evaluating proposed research to ensure adequate provisions to protect the privacy of participants and to maintain the confidentiality of data. Research involving human participants must include adequate provisions to maintain the confidentiality of research data.
Maintaining confidentiality requires safeguarding the information that an individual has disclosed in a relationship of trust and with the expectation that it will not be disclosed to others without permission, except in ways that are consistent with the original disclosure. Confidentiality in the context of human research also refers to the investigator’s agreement with participants, when applicable (i.e., through participants’ informed consent), about how their identifiable private information will be handled, managed, and disseminated. Individuals may only be willing to share information for research purposes with an understanding that the information will remain protected from disclosure outside of the research setting or to unauthorized persons.
NOTE: For the purposes of this policy, the term "data" is used in the widest sense, and includes numeric data files, and qualitative materials such as interview transcripts, diaries, and field notes. Research data may include audio and video formats, geospatial information, biometrics, Web sites, and data archives (including those available online).
When possible, it is best to retain research data without any identifiers so that individual participation is anonymous and the data collected cannot be linked to the individual.
Requirements for confidentiality protections apply to Protected Personally Identifiable Information (PPII) obtained:
Researchers are responsible for:
Protecting Data Confidentiality
Routine Precautions to Protect Confidentiality
Where anonymity is not possible, researchers should take steps to preserve the confidentiality of study participants and the data collected from them. Methods for keeping data confidential range from using routine precautions, such as substituting codes for participant identifiers and storing data in locked cabinets, to more elaborate procedures involving statistical methods (e.g., error inoculation) or data encryption.
Consideration should be given to requirements for data security and retention throughout and following completion of the study. Methods for handling and storing data (including the use of personal computers and portable storage devices) must comply with University policies. Restricted data, including protected health information, must be encrypted if stored or used on portable devices, if removed from a secure university location, or if electronically transmitted.
In most research, assuring confidentiality is only a matter of following some routine practices:
Considerations for Protecting Confidentiality During Data Collection
NOTE: The University IRB does not allow research data to be collected or dispensed via email.
Considerations for Protecting Confidentiality When Storing Data/Specimens
NOTE: Considerations for data storage apply both before and after analysis.
NOTE: Access to PPII should be limited to researchers who require such access to fulfill research objectives. The master code list should be destroyed as soon as is feasible (e.g., immediately after data are cleaned).
Considerations for Protecting Confidentiality When Using Electronic Data
Many researchers are purchasing mobile apps or building their own app to interact with study participants. Even if the participant is asked to download a free app or provided monies for the download, the researcher is still responsible for disclosing potential risks. It is possible that the app the participant downloaded will capture other data stored or linked to the phone on which it is installed (e.g., contact list, GPS information, access to other applications such as Facebook). The researcher has the responsibility to understand known or potential risks and convey them to the study participant. Commercially available apps publish “terms of service” that detail how app data will be used by the vendor and/or shared with third parties. It is the researcher’s responsibility to understand these terms, relay that information to participants, and monitor said terms for updates. Additionally, it is important that the researcher collect from the app only the minimum data necessary to answer the research questions.
Many investigators wish to collect the IP addresses of survey participants to provide a method of determining whether the user has previously completed the survey. This is important to consider when conducting surveys, especially if the consent process indicates that a participant’s responses will be anonymous. When using Qualtrics, check the option to anonymize the data collection process and do not collect the IP address. If IP addresses are necessary to the research, include in the consent process that you will be recording this information.
Email notifications are generally not secure, except in very limited circumstances, and should not be used to share or transmit research data. Text messages are stored by the telecommunications provider and therefore are not secure. Data should be encrypted when “in-transit.”
The University’s standard Zoom environment is not HIPAA compliant.
If the sessions are being recorded, the researcher needs to make sure the recordings are stored in a secure location. In addition, researchers must ensure that anti-virus software is up to date, operating systems are patched with the newest versions, and access is limited. Sessions should be stored in a cloud service or a University managed server.
Considerations for Protecting Confidentiality During Data Analysis and Presentation
Informing Participants of Confidentiality Protections and Limitations
In general, researchers are obliged to provide the level of confidentiality specified in the consent materials. Individuals are to be informed about the extent to which confidentiality of their data will be maintained during all phases of the study, including who will have access to the data, what security measures will be used, and where data will be stored. Extensive security procedures may be needed in some studies, either to give individuals the confidence they need to participate and answer questions honestly, or to enable researchers to offer strong assurances of confidentiality. Complete confidentiality should not be promised, however, unless personal identifiers have not been obtained or recorded.
The information researchers are required to disclose to participants is commensurate with risk. More information about processes to protect confidentiality should be provided to participants in studies in which unauthorized disclosure may place them at risk, compared to participants in studies in which disclosure is not likely to expose them to harms.
Investigators may access PPII without informing the individuals to whom the information pertains if the IRB approves a waiver of the requirement to obtain informed consent. In such cases, researchers should be especially cognizant of the importance of keeping participants' information confidential because private information is being accessed without participants' knowledge or permission.
Required Disclosures Related to Confidentiality Protections
Researchers must tell participants:
Optional Disclosures Related to Confidentiality Protections
Participants may benefit from being told:
Informing Participants about Secondary and Incidental Findings
When communicating the fundamental aspects of their research to the IRB and to participants, researchers must also consider whether study tests or procedures may reveal information about a study participant that is not the primary focus of the research but that may have clinical significance for the individual. Such findings may be secondary or incidental to the research and anticipated or unanticipated. Tests/procedures more likely to lead to secondary or incidental findings include large-scale genetic sequencing (e.g., whole genome sequencing, non-specific genomic analyses); non-discrete testing of blood and other biological specimens (e.g., metabolic panels); and imaging (e.g., MRI, CT, X-rays, ultrasounds). For more information, see the IRB policy for disclosing findings to participants.
Disclosures Related to Limits to Confidentiality
There are ethical or legal limits to confidentiality, for example when a researcher obtains information subject to mandatory reporting, such as evidence of child abuse. If it is probable that information subject to mandatory reporting may be collected during the study, a researcher should state these exceptions to confidentiality in the consent form.
Researchers must tell participants about limitations on the protection of data confidentiality such as:
Limits to Confidentiality for Humanities Projects
Humanities projects may not expect to keep participants' identities or their responses confidential; sometimes interviewees want their names associated with their responses. This practice is acceptable if research participants are made aware of whether or not their names will be associated with their responses and told of any inherent risks associated with such disclosure.
Additional Confidentiality Considerations
Certificates of Confidentiality
Research involving illegal activities or the collection of sensitive data may require researchers to obtain a Certificate of Confidentiality for protection from subpoena.
Waivers of Documentation of Informed Consent
Research in which the principal risk is related to a breach of confidentiality may be eligible for an IRB waiver of signed consent. For example, in studies where participants are selected because of a sensitive, stigmatizing, or illegal characteristic (e.g., persons with illegal immigration status; or who have sexually abused children, sought treatment in a drug abuse program, or tested positive for HIV), keeping the identity of participants confidential may be more important than keeping the data obtained about the participants confidential. See IRB policy for consent waivers for more information.
Data Use and Materials Transfer Agreements
When researchers are sharing data/specimens with other entities, whether as the provider or recipient, formal agreements may be warranted. See the University's Office of Sponsored Projects policy and form for establishing Data Use Agreements. Contact the University Technology Transfer Office for information about Materials Transfer Agreements. When applicable, investigators must attach approved Data Use Agreements and Materials Transfer Agreements to new projects or amendment packages (for newly added agreements) in IRBNet for IRB review or exempt determination.
IRB Review of Confidentiality Protections
When research data will be linked, directly or indirectly, to PPII, the University IRB will not approve the research unless precautions are adequate to safeguard data confidentiality during data collection, storage, analysis, and dispensation. The University IRB balances requirements for protecting the confidentiality of research data with the level of risk associated with unauthorized disclosure, legal obligations related to confidentiality, and the confidentiality commitment made to research participants. For research involving information that may be considered sensitive (e.g., mental illness, cognitive impairment, physical disabilities, STDs, drug and alcohol abuse), the IRB will assess the need for more robust safeguards, including Certificates of Confidentiality.
Unauthorized Disclosure of Information
Investigators must inform the IRB immediately in the event of an unauthorized release or loss of participants' private or confidential information. The IRB may determine the breach of confidentiality to constitute noncompliance and/or an unanticipated problem involving risks to participants or others. For more information, see IRB policy for reporting problems in research.
What is the reason for most breaches of confidentiality?
Most breaches of confidentiality often occur as a result of carelessness and can be avoided through rigorous control over client records and by not discussing clients in public areas or with persons who do not have a "need-to-know."
What is the best description of what a medical professional is doing when they demonstrate nonmaleficence?
Non-maleficence: This means that nurses must do no harm intentionally. Nurses must provide a standard of care that avoids risk or minimizes it, as it relates to medical competence. An example of nurses demonstrating this principle includes avoiding negligent care of a patient.
Which of the following best characterizes the relationship between law and ethics?
Law and ethics complement one another as points of guidance in developing policy.
Which of the following best explains the main issue broadcasters have with how the FCC handles indecency complaints?
Broadcasters feel the "guilty until proven innocent" approach infringes on their First Amendment rights.