Confidentiality, Privacy and Information Security in Human Research
Federal regulations list, among the several criteria an Institutional Review Board (IRB) must find satisfied before approving proposed human research, that the study team has made adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data. Federal law also requires compliance with other pertinent laws, including federal, state and local laws and any applicable foreign laws or regulations. Where other laws protect an individual's privacy and the confidentiality of their data, those laws are considered to provide subjects with additional protections and must therefore be followed.
Some of the better-known additional laws and protections that may safeguard subjects' privacy and the confidentiality of their data include the following:
- Health Insurance Portability and Accountability Act (HIPAA) (some provisions of which are referred to as the "Privacy Rule"), relating generally to health information (visit our HIPAA and Research page to learn more)
- General Data Protection Regulation (GDPR), a regulation of the European Union (EU) pertaining generally to personal data collected from or about individuals in the EU/European Economic Area (EEA) (visit our GDPR and Research page to learn more)
- Certificates of Confidentiality, issued under the Public Health Service Act, which protect researchers from being compelled (for example, by subpoena) to disclose subjects' identifiable, sensitive research information in legal proceedings
- Family Educational Rights and Privacy Act (FERPA), which protects the privacy of students' education records; see the FSU FERPA page or the U.S. Department of Education FERPA page
- Privacy Act of 1974, providing safeguards for federal government records about individuals
The above list is not exhaustive. FSU information security policy also establishes requirements that oblige researchers to put in place procedures and processes to protect study data; see our Information Security page to find out more about protecting research data. The IRB's role in the review of human research is to require such provisions and to determine whether the provisions researchers will put in place, in accordance with applicable laws, are adequate to protect the privacy of subjects and to maintain the confidentiality of data. Submissions whose provisions the IRB deems inadequate will be returned to the researchers for revision.
Links to our subordinate HIPAA and Research, GDPR and Research, and Information Security pages are located in the left-hand column.