Describe Plans to Protect Privacy and Participant Confidentiality
There are multiple ways in which study participant privacy and confidentiality should be protected throughout the life of a project. Protective measures can be described in the Data Management and Sharing Plan (DMSP), including informed consent procedures, data de-identification procedures, and plans to respect applicable federal, Tribal, state, and local laws, regulations, and policies.
- The informed consent process can be designed with data sharing as part of the consent, hence eliminating the need for re-consenting for data sharing. The NIH has released a new resource on developing informed consents to facilitate data/biospecimen storage and sharing for future use.
- The plan can outline that Northwestern templates for informed consent will be used, with data sharing clauses included
- Note any Certificates of Confidentiality or Data Use Agreements that you anticipate will be involved in the project
- Note restrictions that will be placed on data sharing in order to respect applicable federal, Tribal, state, and local laws, regulations, and policies
- See the Supplemental Information to the NIH Policy for Data Management and Sharing: Responsible Management and Sharing of American Indian/Alaska Native Participant Data for considerations and best practices for responsible and respectful management and sharing of AI/AN participant data under the NIH DMS Policy
Data De-Identification:
For data involving human subjects, DO NOT deposit or share data that contains personal identifiers, or that can be re-identified based on triangulation or other methods. If you plan to share a subset of data that originally contained PII (personally identifiable information), outline how you will undertake to de-identify the data and prevent re-identification in your Data Management and Sharing Plan (DMSP). Data de-identification plans are ultimately the responsibility of the Primary Investigator (PI).
- The NIH has released the Supplemental Information to the NIH Policy for Data Management and Sharing: Protecting Privacy When Sharing Human Research Participant Data, which outlines in more detail principles and best practices for protecting research participant privacy and confidentiality
- HIPAA guidance can be a first step toward a de-identification procedure, but it is not infallible
Data Protection Practices throughout the Research Data Lifecycle
This image, based on DataONE's Data Lifecycle, shows the data confidentiality, de-identification, and legal and regulatory considerations surrounding research data sharing and re-use, and the key points in research projects when these considerations should be addressed.