ELEMENT II.3.D.
ELEMENT II.3.D.: The IRB or EC has and follows written policies and procedures to evaluate the proposed arrangements for protecting the privacy interests of research participants, when appropriate, during their involvement in the research.
A criterion for approval of research is that there are adequate provisions to protect the privacy interests of participants. The IRB or EC should evaluate whether research
submitted for review satisfies this criterion. IRB or EC members should understand how to apply this criterion.
Privacy refers to persons and their interest in controlling the access of others to themselves. (Confidentiality refers to the agreement between the researcher and participant on how data will be managed and used.) For example, based on their privacy interests, people want to control:
- The time and place where they give information.
- The nature of the information they give.
- The nature of the experiences that are given to them.
- Who receives and can use the information.
For example, persons might not want to be seen entering a place that might stigmatize them, such as a pregnancy counseling center that is clearly identified as such by signs on the front of the building.
What is private depends on the individual and can vary according to gender, ethnicity, age, socio-economic class, education, ability level, social or verbal skill, health status, legal status, nationality, intelligence, personality, and the individual’s relationship to the researcher. For example, protecting the privacy interests of a young child might
mean having a parent present at a session with a
researcher. Protecting the privacy interests of a teenager might mean having a parent absent.
IRB members should understand the concept of privacy and how it differs from confidentiality. IRB or EC members should know strategies to protect privacy interests relating to contact with prospective participants and access to private information.
Regulatory and guidance references
Required written materials
- Essential requirements:
- Applications include a description of provisions to protect the privacy interests of participants.
- In order to approve research, policies and procedures have the IRB or EC determine that the research protocol or plan contains adequate provisions to protect the privacy interests of participants.
- When following DOE requirements:
- Personally identifiable information collected and/or used during human participant research projects must be protected in accordance with the requirements of DOE Order 206.1, Department of Energy Privacy Program
- Any breach involving Personally Identifiable Information must be reported:
- Immediately upon a finding of a suspected or confirmed data breach involving Personally Identifiable Information (PII) in printed or electronic form, the incident must be reported to the DOE-Cyber Incident Response Capability in accordance with the requirements of DOE O 206.1.
- Within 48 hours the DOE or NNSA HSP Program Manager must also be notified of any corrective actions taken and consulted regarding the plan for any remaining corrective actions.
- When following VA requirements:
- For VA facilities:
- The R&D Committee is responsible for ensuring the VA Privacy Officer (PO) review is complete before a study is given final approval.
- The VA PO reviews all VA studies using human data to ensure the study complies with VA Privacy requirements.
Common types of materials that may be used to meet the element
- Application form
- Reviewer checklist
Outcomes
- IRB or EC members understand the concept of privacy.
- IRB or EC members determine that the research protocol or plan contains adequate provisions to protect the privacy interests of participants.