Confidentiality of data and privacy of subjects

The seventh criterion for approval [45 CFR 46.111(a)(7)] requires the IRB to determine that, when appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of the data. Subject privacy can be a concern at several different points in the research process. Does the research under review require a consent process? If so, will the consent process occur in a way and place that promote the subjects’ privacy to an appropriate extent? For some kinds of studies, such as a project involving focus group discussions, a group consent process may be appropriate. For others, however, the IRB should examine whether the consent process will indeed occur in a way that limits the possibility of someone’s privacy being invaded. Subject privacy may also be a concern for some of the study procedures, and the IRB should assure that an appropriate level of privacy is maintained during participation. The IRB also pays close attention to how study data will be identified and maintained to minimize the chances of a loss of confidentiality. Will the data kept on site include direct identifiers? Who will have access to the data at the study site? Will the data be sent elsewhere, such as to a sponsor or a central study site? If so, will the data that is transmitted include anything that directly identifies subjects? These are all considerations for IRB reviewers to keep in mind when deciding whether to approve research.