May 2005

The National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research [authors of the Belmont Report] identify privacy and confidentiality as important concepts. These concepts are derived from two ethical principles found in the Belmont Report; respect for persons and beneficence. Respect for persons allows the individual the right to maintain privacy and to expect that private information will be kept confidential. Beneficence requires the minimization of risks and maximization of benefits. Beneficence also requires that the risks to participants do not outweigh the benefits.

The 1993 Office for Protection from Research Risks (OPRR) IRB Guidebook definition of “privacy” states that, “privacy can be defined in terms of having control over the extent, timing, and circumstances of sharing oneself (physically, behaviorally, or intellectually) with others.” The definition of “confidentiality” pertains to the treatment of information already revealed and states that there is an “expectation that it will not be divulged to others in ways that are inconsistent with the understanding of the original disclosure without permission.”

Both the Department of Health and Human Services (DHHS) and the Food and Drug Administration (FDA) require the protection of privacy and confidentiality. DHHS requires adequate provisions to protect the privacy of participants and to maintain the confidentiality of data. FDA wording is slightly different, but identical in meaning.

Maintaining privacy and confidentiality protects study participants from potential harm including, “psychological distress, loss of insurance, loss of employment, or damage to social standing” that might occur if the participant’s privacy was invaded or confidentiality breached.

How can privacy be maintained in the research setting? Investigators can control the way participants are identified and approached for participation in research. For example, a researcher may have access by virtue of employment to employee files and may use information in those files to contact certain individuals with whom they have had no previous contact. These individuals may rightly feel that their privacy has been violated. Invasion of privacy can also occur when sensitive information is collected during the screening period and subsequently retained even if the participant does not qualify for the research.

How can confidentiality be maintained in the research setting? Investigators can protect the confidentiality of data by storing information in locked cabinets in locked offices, on computers that are password protected, or on computers that are not linked into a network. Confidentiality of data can be protected by coding all data and keeping the master list with the code and identifiable information in separate locations. Destruction of the master list, thus de-identifying the data, offers ultimate protection of the research data.

The consideration and protection of the privacy and confidentiality is an ethical and regulatory duty. It is important that all aspects of the research process consider privacy and confidentiality from recruitment through maintenance of the research records after study data has been collected.

*Forster, David. (2002). Privacy and Confidentiality. In R. J. Amdur and E. A. Bankert (Eds.), Institutional Review Board Management and Function (pp. 169-175). Sudbury, MA: Jones and Bartlett.