Data confidentiality and participant privacy considerations are a critical component of a research protocol. Per HHS and FDA regulations 45 CFR 46.111(a)(7) and 21 CFR 56.11(a)(7), the IRB shall determine where appropriate, that there are adequate provisions to protect the privacy of research participants and to maintain the confidentiality of data. The IRB must consider the sensitivity of the information and the protections offered to the participants.
The Belmont Principles also support privacy and confidentiality: Respect for Persons and Beneficence
WVU Institutional policies require appropriate levels of data protection and WVU OHRP Standard Operating Procedures (SOP) require appropriate levels of data and participant protection during the conduct of human subjects research.
Complete a WVU Research Data Protection Request Form for your research project as soon as possible before submitting an INITIAL protocol. The information will be used by the Research Office and WVU\HSC ITS departments to determine appropriate data protection requirements and if a data agreement is required.
Data Protection vs Participant Protection
Data Protection - Protecting the confidentiality, integrity, and availability or the data used throughout the research project. Protection requirements are based on the classification of the data. The WVU Data Protection process will determine protection requirements and the data classification considering the applicable laws and regulations for the project. Data Protection address the storage and access of the data collected or created during a research project. At WVU, the protection of data is certified by Information Technology Services (WVU or HSC) by completing the WVU Research Data Protection Request Form.
Participant Protection- Protecting the privacy of research participants and the confidentiality of their protected health information during interactions and other research activity including the informed consent process. At WVU, the IRB will review and approve plans for protecting the privacy of research participants.
Privacy vs Confidentiality
Privacy: The control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others. For example, a participant may not want to be seen entering a place that may stigmatize them, recruitment and advertising techniques, and the environment for consenting, and research activity interaction.
- Privacy is about people, a sense of being in control of access that others have to ourselves, a right to be protected is in the eye of the participant not the researcher or the IRB.
Confidentiality: The treatment of information that an individual has disclosed in a relationship of trust with the expectation that the information will not be divulged to others without permission in ways that are inconsistent with the agreement of understanding of disclosure.
- Confidentiality is about data (identifiable data or sensitive data) and is an extension of participant privacy, is an agreement of data management and access, and for HIPAA applicability, protects participants from inappropriate disclosures of "Protected Health Information" (PHI).
Research Projects using Protected Health Information (PHI)
Review the WVU Health Care Components and Business Associates list to determine if your department meets the definition of a Covered Entity or if your department performs Covered Functions. Departments on the list must fully comply with federal HIPAA privacy and security rules and institutional HIPAA policies. Departments not on the list must comply with applicable institutional information security and privacy policies according to the type of data used for the research project. Note that sensitive data often requires the same level of protection as PHI.
Research Projects using Personally Identifiable Information (PII) or Personal Information (PI)