Privacy & Confidentiality

During research, NIH investigators collect identifiable private or sensitive information from research subjects, which they may wish to keep private. NIH investigators must keep this information confidential as much as possible. Therefore, private information should only be disclosed:

• With the explicit consent of the subject
• To those who are authorized and have a need to know
• If required by law (e.g., when required by a state health department or FDA inspector)

Protocols that involve human subjects research must include a plan detailing how the privacy and confidentiality of research participants will be protected. They must describe how the safety of the research data will be ensured both during the research study and after it has been completed.

As a federal agency, the NIH is subject to several laws regarding privacy and confidentiality:

• The Privacy Act of 1974 which contains provisions for handling systems of records and investigators must comply with requirement of this Act.
• The Public Health Service Act (Certificates of Confidentiality)
• The Freedom of Information Act (FOIA)

NIH is not subject to the HIPAA Privacy Rule as we are not a covered entity, but most of our scientific collaborators are.

The NIH is also not subject to the European Union General Data Protection Regulation (GDPR). For more information on the GDPR, refer to the attached document.

• Describe whether participant identifiers will be attached to data/specimens, or whether they will be coded or unlinked.
• Describe any clinical or demographic information that will be collected (e.g., age, ethnicity, sex, diagnosis, stage, treatment, response to treatment).
• Explain in your protocol how this information might make specific individuals or families identifiable, and the measures that will be taken to protect the confidentiality of their data.
• If research data will be coded, explain how access to the "key" for the code will be limited. Include a list of security measures (e.g., password-protected database, locked drawer).
• Explain if pedigrees are to be published. Include a description of measures to minimize the chances of identifying specific families.
• Describe the circumstances under which specimens and/or data (e.g., identifiable, coded, anonymized) will be shared with other researchers or third parties.
• Include information about plans for deposition in a genomic database (e.g., dbGaP).
• Specify what data capture system will be used in the protocol.

It is important to ensure that data transfer and storage during research are always implemented using appropriate security measures.

• Systems used to collect and store study data must meet NIH IT security requirements.
• If you will be using cloud-based systems, check with your IC Chief Information Officer or Information Security Officer (ISSO) to ensure you are engaging with a reputable cloud service provider.
• If the protocol is subject to FDA regulations, the electronic data capture system used must be compliant with 21 CFR Part 11.

NIH Security Best Practices for Controlled-Access Data and Repositories