Between privacy and confidentiality, confidentiality is arguably the more important one in research. While privacy is easily assured with proper consent procedures, confidentiality of data takes more effort to maintain. All information gathered in a research study should be considered “information that an individual has disclosed in a relationship of trust,” and participants have the right to expect that it will not be divulged without their permission. The easiest way to protect confidentiality is to collect (or if the data are already collected then use) anonymous data. Anonymous data are data that are not connected to information that can identify the individual participant. If there is no connection between the participant and their data, even the most sensitive studies can qualify for exemption assuming they are minimally risky. If you are collecting anonymous data, you will need to describe how you collected the data so that identifiers are not linked to the data. If the data are already collected and you can obtain the data without identifiers, you should make an effort to do so. For more information about using data that are already collected, please see Secondary Use of Existing Data.
Not all studies can be anonymous. In the protocol, you need to justify why it is necessary to collect identifying information about an individual, include a list of identifiers that you will collect (with the understanding that you will not collect more identifiers than you need), describe how this information will be used and how it will be collected, and describe what you will do to destroy this information once it is no longer needed. The consent form should also include this information to help the participant understand how their information will be used and the consent form should also state who has access to their identifying information and their study data (usually phrased as “members of the research team”). Also, your consent form should be used to inform participants about your privacy and confidentiality policies. You may wish to have two paragraphs in the consent form's "confidentiality" section, one discussing your protection policies (i.e., how you will prevent information from being disclosed against the participant’s wishes) and one discussing disclosure policies (i.e., under what circumstances and to whom must information be disclosed). For example, a breach of confidentiality may be required in cases of suspected abuse or if the participant is in imminent risk of harm to self or others. Research involving information about illegal behaviors may require a federal Certificate of Confidentiality, which protects against disclosure to law enforcement agencies and prevents records from being subpoenaed. Research that requires a Certificate of Confidentiality will also require additional information in the consent form. Please see Certificate of Confidentiality for more information.
In most cases, confidentiality can be ensured by using good data collection and storage practices. You should make certain that all members of the study team have been trained in these issues and understand not to discuss participants outside of the research context. In general, access to information about individual participants should be restricted to the researcher, his or her advisor (if applicable), and any research assistants on a need-to-know basis. Care should be taken to avoid breaches of confidentiality in which this information is divulged to anyone else. Not only does this protect against psychological, social, and legal harm to your participants, but it is also essential to the conduct of research on sensitive topics.