Association for the Accreditation
of Human Research Protection Programs, Inc. ®

Evaluation Instrument for Accreditation

Latest Update: April 5, 2024

ELEMENT II.3.E.

ELEMENT II.3.E.: The IRB or EC has and follows written policies and procedures to evaluate proposed arrangements for maintaining the confidentiality of identifiable data, when appropriate, preliminary to the research, during the research, and after the conclusion of the research. 
A criterion for approval of research is that there are adequate provisions to maintain the confidentiality of identifiable data. The IRB or EC should evaluate whether research submitted for review satisfies this criterion. IRB or EC members should understand how to apply this criterion.

Confidentiality refers to maintenance of the researcher’s agreement with the participant about how the participant’s identifiable private information will be handled, managed, and disseminated. IRB or EC members should understand the concept of confidentiality and how it differs from privacy. IRB or EC members should be knowledgeable about strategies to maintain confidentiality of identifiable data, including controls on storage, handling, and sharing of data.

When appropriate, the IRB or EC should also know how certificates of confidentiality can be used to maintain the confidentiality of identifiable data. When appropriate, the IRB or EC should also be aware of other standard methods to protect confidentiality, such as inter-file linkage, error inoculation, top coding, bracketing, and data brokering.

The confidentiality protections include information obtained preliminary to research; for example, information collected from personal records to determine potential sample size, as well as the maintenance of the confidentiality of information after the study has ended, when identifiable information is maintained.

Regulatory and guidance references


Required written materials

  1. Essential requirements:
    1. Applications include a description of provisions to maintain the confidentiality of data.
      1. In order to approve research, policies and procedures have the IRB or EC determine that, when appropriate, the research protocol or plan contains adequate provisions to maintain the confidentiality of data.
  2. When following DHHS regulations:
    1. Written materials specify that research is automatically covered by a certificate of confidentiality whenever the study is funded in whole or in part by the NIH and involves identifiable, sensitive information.
    2. Written materials define “identifiable sensitive information.”
    3. Examples of research automatically covered by a certificate of confidentiality include:
      1. Biomedical, behavioral, clinical or other research, including exempt research, except where the information obtained is recorded in such a manner that human participants cannot be identified or the identity of the human participants cannot readily be ascertained, directly or through identifiers linked to the participants.
      2. The collection or use of biospecimens that are identifiable to an individual or for which there is at least a very small risk that some combination of the biospecimen, a request for the biospecimen, and other available data sources could be used to deduce the identity of an individual.
      3. The generation of individual level, human genomic data from biospecimens, or the use of such data, regardless of whether the data is recorded in such a manner that human participants can be identified or the identity of the human participants can readily be ascertained.
      4. Any other research that involves information about an individual for which there is at least a very small risk, as determined by current scientific practices or statistical methods, that some combination of the information, a request for the information, and other available data sources could be used to deduce the identity of an individual.
    4. Researchers may also apply for a certificate of confidentiality for non-federally funded research.
    5. Written materials specify that when research is covered by a certificate of confidentiality, researchers:
      1. May not disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
      2. May not disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.
      3. May disclose information only when:
        1. Required by Federal, State, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding.
        2. Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual;
        3. Made with the consent of the individual to whom the information, document, or biospecimen pertains; or
        4. Made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human participants in research.
    6. Written materials require that when research is covered by a certificate of confidentiality, researchers must inform participants (for example, in the consent document) of the protections and limitations of certificates of confidentiality.
      1. For studies that were previously issued a Certificate, and notified participants of the protections provided by that Certificate, NIH does not expect participants to be notified that the protections afforded by the Certificate have changed, although IRBs may determine whether it is appropriate to inform participants.
      2. If part of the study cohort was recruited prior to issuance of the Certificate, but are no longer actively participating in the study, NIH does not expect participants consented prior to the change in authority, or prior to the issuance of a Certificate, to be notified that the protections afforded by the Certificate have changed, or that participants who were previously consented to be re-contacted to be informed of the Certificate, although IRBs may determine whether it is appropriate to inform participants.
    7. Researchers conducting research covered by a certificate of confidentiality, even if the research is not federally funded, must ensure that if identifiable, sensitive information is provided to other researchers or organizations, the other researcher or organization must comply with applicable requirements when research is covered by a certificate of confidentiality. 
  3. When following DoD requirements:
    1. Additional confidentiality protections include:
      1. Data or information acquired by the DoD component under a pledge of confidentiality for exclusively statistical purposes must be used exclusively for statistical purposes and may not be disclosed in identifiable form for any other purpose, except with the informed consent of the respondent.
      2. All studies involving large scale genomic data collected on/from DoD-affiliated personnel will apply a DHHS Certificate of Confidentiality.
  4. When following DOE requirements:
    1. Written materials require the IRB or EC to review and ensure that research protocols submitted to the IRB for review comply with the DOE requirements for protecting personally identifiable information (PII).  Additional information can be found at: https://science.osti.gov/ber/human-subjects 
  5. When following DOJ requirements:
    1. Written materials indicate that for National Institute of Justice (NIJ)-funded research: 
      1. All projects are required to have a privacy certificate approved by the NIJ human participants protection officer.
      2. All researchers and research staff are required to sign employee confidentiality statements, which are maintained by the responsible researcher.  
    2. Written materials indicate that for research conducted with the Bureau of Prisons:
      1. A non-employee of the Bureau may receive records in a form not individually identifiable when advance adequate written assurance that the record will be used solely as a statistical research or reporting record is provided to the agency. 
      2. Except as noted in the consent statement to the participant, the researcher must not provide research information that identifies a participant to any person without that participant’s prior written consent to release the information. For example, research information identifiable to a particular individual cannot be admitted as evidence or used for any purpose in any action, suit, or other judicial, administrative, or legislative proceeding without the written consent of the individual to whom the data pertain.
    3. Except for computerized data records maintained at an official U.S. Department of Justice site, records that contain non-disclosable information directly traceable to a specific person may not be stored in, or introduced into, an electronic retrieval system.
    4. If the researcher is conducting a study of special interest to the Office of Research and Evaluation (ORE) but the study is not a joint project involving ORE, the researcher may be asked to provide ORE with the computerized research data, not identifiable to individual participants, accompanied by detailed documentation. These arrangements must be negotiated prior to the beginning of the data collection phase of the project.
  6. When following VA requirements:
    1. For studies in which information about the participant’s participation will be included in the participant’s VHA medical record, information must be given to the prospective participants as part of the informed consent process that information regarding study participation will be included in the medical record.
    2. For studies in which a Certificate of Confidentiality was issued and the IRB requires a written informed consent, the informed consent document approved by the IRB must include a statement that the study has a Certificate of Confidentiality.
    3. For VA facilities:
      1. The R&D Committee is responsible for ensuring the VA Information System Security Officer (ISSO) review is complete before a study is given final approval.
        1. The ISSO reviews all VA studies that involve the collection, processing, storage, and transmission of research data to ensure that the proposed research complies with information security requirements for VA research data. The ISSO must also participate in the IRB protocol review and approval process, evaluating the study’s data usage, and making recommendations to ensure implementation of reasonable safeguards for the data as determined within the Office of Information Security (OIS) Research Support Division (RSD) developed Enterprise Research Data Security Plan (ERDSP).

Common types of materials that may be used to meet the element

  • Application form
  • Reviewer checklist

Outcomes

  • IRB or EC members understand the concept of confidentiality.
  • IRB or EC members determine that, when appropriate, the research protocol or plan contains adequate provisions to maintain the confidentiality of identifiable data in accordance with agreements between researchers and participants.
