Privacy is about people. It refers to research participants’ willingness to allow access to themselves and their information. Additionally, privacy involves protecting the research participants’ right to control the information being collected, used, and shared with others. Consideration of privacy includes the time and setting where private information is obtained, the nature of the information collected, and who receives and uses the information.
Follow the below guidelines to protect the research participants’ privacy during screening, consenting, and conducting the research:
- Conduct research procedures in person and in a private setting.
- Capture and review data in a private setting.
- Ensure that only authorized research study personnel will be present during research related activities.
- Ensure that only authorized research study personnel will have access to research data.
- Limit the collection of information about participants to the amount necessary to achieve aims of the research.
- Approach participants in a setting or location that preserves their physical privacy and minimizes the risk of information being overheard by unauthorized individuals.
Confidentiality is about information/data or specimens. It refers to the handling of information/data or specimens that a person has disclosed or provided in a relationship of trust, with the expectation that it/they will not be divulged to others without permission or outside the scope of general authority.
Consider how the research data/specimens will be labeled in order to align with research methodologies and requirements:
- Data and/or specimens will be directly labeled with personal identifying information. (Identifiable)
- Data and/or specimens will be labeled with a code that the research team can link to personal identifying information. (Coded)
- Data and/or specimens will not be labeled with any personal identifying information, nor with a code that the research team can link to personal identifying information. (Anonymous)
At a minimum, ensure the following measures will be taken and enforced:
- Information or specimens maintained physically will be stored with appropriate physical safeguards, such as in locked cabinets and/or in restricted areas limited to authorized study personnel.
- Electronic data will be stored with appropriate electronic safeguards, such as unique usernames/passwords, and limited to authorized study personnel. Dual factor authentication will be used, if feasible.
- Copying and use of study related materials will be restricted.
- Security software (firewall, antivirus, anti-intrusion) will be installed and regularly updated in all servers, workstations, laptops, and other devices used in the study.
- All computers with access to study data will be scanned regularly (for viruses and spyware, etc.) and problems will be resolved.
- Data stored on a removable drive will be encrypted and have proper access controls
- Data transfer will be encrypted.
Anonymity is about identifiers. It refers to information/data or specimens that cannot be linked to the person from whom they were obtained because the information/data or specimens do not contain direct identifiers (e.g., name, address, birth date, IP address, etc.). Please refer to Chapter 11 of our Policies for a list of the 18 HIPAA identifiers.
Consider not collecting any identifiers as listed above that would link a response to a specific individual. The PI/researchers should not know the identity of a respondent.
Be mindful of indirect identifiers that could link back to an individual’s identity, such as:
- Gender identity
Please note that face-to-face interviews and phone calls cannot be anonymous.