This section of the Investigator Manual provides information relevant to protecting participant privacy and confidentiality.
Protecting Participant Privacy & Confidentiality
You are required to ensure human research includes adequate provisions to protect the privacy of participants and confidentiality of data, as required by federal regulations.
- Privacy refers to a person’s desire to control the access of others to themselves. For example, research participants may not want to be seen entering a place that might stigmatize them, such as a pregnancy counseling center that is clearly identified as such by signs on the front of the building.
- Confidentiality refers to the researcher’s agreement with the participant about how the research participant’s identifiable private information will be handled, managed, and disseminated.
For the IRB to assess privacy and confidentiality protections, you must describe how you will protect participant privacy and data confidentiality in your protocol or application. The IRB will assess whether the participants’ privacy interests and confidentiality of data are protected in ways commensurate with the benefits to participants and the risks of everyday life.
For more information, refer to HRP 314-WORKSHEEET-Criteria for Approval.
Certificates of Confidentiality
A Certificate of Confidentiality (COC) protects the privacy of research participants by prohibiting disclosure of their name or any information, document, or biospecimen that contains individually identifiable, sensitive research information to anyone not associated with the research, except when the participant consents to such disclosures or in other limited specific situations. The term “identifiable, sensitive information” means information about an individual gathered or used during the research through which an individual is identified or for which there is a very small risk that some combination of information could identify an individual.
Effective October 1, 2017, all ongoing or new research as of December 13, 2016 that is
- funded wholly or in part by the NIH, AND
- collects or uses identifiable, sensitive information
is automatically issued a CoC as a term and condition of the NIH grant award. Certificates will no longer be issued in a separate document. The Notice of Award and the NIH Grants Policy Statement will serve as documentation of the Certificate protection. This automatic issuance of CoC protections also applies to research that receives re-distributed NIH funds. There are several campus institutes, programs, and research centers that provide pilot, new-investigator, or other smaller awards using NIH funds. Research conducted under these types of awards are also automatically issued a CoC. If you are uncertain whether your study is funded through redistributed NIH funds, please contact the campus entity that issued your award.
The following HHS agencies and units also automatically issue CoCs as a term and condition of their grant awards: Centers for Disease Control (CDC), Health Resources and Services Administration (HRSA), Food & Drug Administration (FDA)*, and Biomedical Advanced Research and Development Authority (BARDA). Questions about whether your grant includes an automatic CoC should be directed to your program officer.
*Applies only for FDA funded research, not just research subject to FDA regulations.
You are required to determine whether your research records are covered by a COC. See HRP 333-Worksheet-Certificate of Confidentiality for details on evaluating whether a non-NIH-funded research study should be covered by a COC.
When a COC covers the research records, and informed consent will be obtained from participants, the participants must be told about the protections afforded by the COC and any limitations to those protections. Available consent form templates have been revised to include language that addresses COC protections. This language must be included in consent forms to be used in studies to which the COC policy applies.
A number of other HHS agencies also issue CoCs upon application. For information and instructions go to: https://grants.nih.gov/policy/humansubjects/coc.htm. Information about requesting a CoC from the NIH when the study is not funded by an HHS agency can be found at the link provided above. Researchers conducting non-NIH-funded studies who are applying for a CoC from the NIH should review the CoC Application Help guidance or email compliance@research.wisc.edu for questions. Researchers needing Institutional Official or IRB Chair signatures on National Institute of Justice Privacy Certificates or other non-NIH privacy/confidentiality certificates should email compliance@research.wisc.edu with their completed certificate applications.
Researchers must be aware that:
- Information protected by a COC and all copies are subject to the protections of the COC in perpetuity.
- Information may be shared with those with a need to know in order to conduct the study (e.g., individuals who perform study activities, monitor the study, conduct billing).
- There is a statutory exception to the CoC for disclosures made for scientific research that complies with the Common Rule. If a secondary researcher receives information protected by a COC, either with consent of participants or through a waiver of consent, the secondary researcher is required to uphold the protections. If data protected by a CoC will be shared with a secondary researcher, a data sharing agreement must be in place and inform the secondary researcher of their obligations under the CoC to protect the data.
- If there is a desire to share any information related to study participation, including research results, with someone other than the participant (e.g., participant’s spouse or family after participant loses capacity or after death), researchers should obtain consent for the sharing from the participant during enrollment.
- If the study continues to enroll additional participants after your NIH, CDC, HRSA, FDA, or BARDA funding ends, those participants will not be protected by the Certificate unless you apply for a Certificate following the process for non-federally funded research.
- Certificates will be issued for applicable research regardless of the country where the investigator or the protected information resides though a COC may not be effective for data held in foreign countries.
- Should the researcher ever receive a subpoena, or any other legal process request seeking disclosure of research records, the researcher should not release any records or information and should immediately contact the IRB office and the Office of Legal Affairs.
For complete information about the applicable policies and guidance, including FAQs, please visit: NIH Policy, CDC Policy, HRSA Policy, FDA Guidance, BARDA Policy.