Office for the Protection of Research Subjects (OPRS) Institutional Review Board FWA# 00000083

201 AOB (MC 672) 1737 West Polk Street

Chicago, IL 60612-7227 IRB Approval Criteria: Confidentiality Phone: 312 996-1711 Fax: 312 413-2929 Version: 1.3; Date: 02/21/2017 http://research.uic.edu/human-subjects-irbs/ Approved by: Human Protections Administrator, Director of OPRS, and Executive IRB Chair AAHRPP REF#: 160 AAHRPP Elements: II.3.E

POLICY:

I. The term “confidentiality” refers to the maintenance of the investigator’s agreement with the subject as to how a subject’s identifiable private information will be handled, managed, and disseminated.

II. Most research studies require provisions for maintaining confidentiality of data.

III. As a condition of protocol approval, the IRB determines that there are adequate provisions to protect confidentiality of information related to potential or current participants, throughout the study, including preliminary to the research, recruitment and enrollment, research participation and after conclusion of the research.

IV. Researchers must incorporate within their protocols measures to maximize confidentiality to avoid unintentional and unauthorized release or other disclosures of identifiable private information.

PROCEDURE:

I. IRB Responsibilities A. The IRB in their review considers the nature, probability, and magnitude of harms that would be likely to result from an unauthorized release of the collected information. B. The IRB assesses the level of security and adequacy of protective measures required for each protocol based on the presence of identifiers, sensitivity of the data and risks of a breach. C. Provisions that the IRB may consider for maintaining confidentiality may include: 1. de-identification, 2. restricting PHI to a limited dataset, 3. substitution of code for subject identifiers, 4. storage of data in locked cabinets, 5. use of honest brokers, 6. encryption of electronic data, 7. storage behind a secure firewall, and

Page 1 of 3 OVCR Document #0889 IRB Approval Criteria: Confidentiality, Version 1.3 8. statistical methods, such as a) inter-file linkage (i.e., procedures that eliminate linkage of data to unique identifiers), b) error inoculation (i.e., inserting random error into dataset to secure confidentiality while still allowing useful statistical analysis), c) top coding (i.e., replacing values above a certain level with a threshold value), d) bracketing and e) data brokering (e.g., a third party holds data and identifiers). UIC HSPP data security measures for PHI and other highly sensitive identifiable data are available in UIC HSPP policy Research Data Security). D. When identifiable data is obtained from participants in human subject research involving sensitive, stigmatizing or illegal characteristics, additional measures to protect confidentiality, such as waiver of documentation of consent or obtaining a certificate of confidentiality (refer to UIC HSPP Guidance for Investigators: Certificates of Confidentiality) should be considered.

II. Investigator Responsibilities A. The investigator must document in the protocol and protocol application the identifiable data elements to be collected and the measures in place to secure the data throughout the study and at it end. B. Protocols should be designed to minimize the need to collect and maintain identifiable data about participants. If collection of identifiers is necessary, they should be removed and destroyed as soon as possible. C. The investigator must clearly disclose in the informed consent document the identifiable data elements to be collected, measures in place to secure the data, and circumstances under which confidential information may possibly be disclosed and to whom.

III. National Institute of Justice Funded Research and Research Involving the Bureau of Prisons: Confidentiality A. Please refer to the UIC HSPP policy Research Involving Prisoners.

REFERENCES:

21 CFR 56.111(a)(7) 45 CFR 46.111(a)(7)

Page 2 of 3 OVCR Document #0889 IRB Approval Criteria: Confidentiality, Version 1.3 REVISION LOG:

Version (#, date) Replaces (#, date) Summary of changes 1.1, 06/26/09 1.0, 10/15/08 Expanded agencies issuing certificates of confidentiality and inserted updated certificate of confidentiality language. 1.2, 04/03/2012 1.1, 06/26/09 Removed Certificate of confidentiality section to a separate guidance. Updated security measures looked at by the IRB and added NJI and Bureau of Prisons regulations.. 1.3, 02/21/17 1.2, 04/03/2012 Removed NJI and Bureau of Prisons regulations and replaced with referral to the Research Involving Prisoners policy. Addition of hyperlinks. Updating of logo.

Page 3 of 3 OVCR Document #0889