SOP 107 - Use and Disclosure of Personal Information

Research Ethics at Queen's University Standard Operating Procedure

Title: Use and Disclosure of Personal Information

SOP Code: 107.004

Effective Date: 05/15/2023

Site Approvals:

NAME | TITLE | DATE (MM/DD/YYYY)
Meera Sidhu | Research Ethics Manager | 12/01/2023
Steven Smith | Deputy Vice-Principal Research | 12/04/2023

 

1.0 PURPOSE

This standard operating procedure (SOP) describes the duties of the Research Ethics Board (REB) and the REB office in the protection of the Personal Information (PI) of research participants.

2.0 SCOPE

This SOP pertains to REBs that review human participant research in compliance with applicable regulations and guidelines.

3.0 RESPONSIBILITIES

All REB members, REB Office Personnel and Researchers are responsible for ensuring that the requirements of this SOP are met.

The Researcher is responsible for submitting information to the REB and to the participant regarding the nature of the PI (including personal health information (PHI)) that will be collected for the research, including how it is identified, collected, accessed, used, disclosed, retained, disposed of, and protected.

The REB Chair, REB members, and the REB Office Personnel are responsible for maintaining the confidentiality of any PI received by the REB office during the research.

Each organization’s privacy office is responsible for providing Researchers and research staff with guidance on their respective privacy policies and regulations.

4.0 DEFINITIONS

See Glossary of Terms.

5.0 PROCEDURE

Privacy is a fundamental value that is essential for the protection and promotion of human dignity. Breaches in privacy and confidentiality may cause harm to individuals or groups of individuals. Hence, PI must be collected, used, and disclosed in a manner that respects a research participant’s right to privacy, and in accordance with applicable federal and provincial privacy regulations.

Privacy regulations permit the use and limited disclosure of PI for research purposes if certain requirements are met. One of the key ethical challenges for the health research community is to protect appropriately the privacy and confidentiality of PI used for research purposes. The REB plays a vital role in balancing the need for research against the risk of the infringement of privacy and in minimizing invasions of privacy for research participants. Individuals should be protected from any harm that the unauthorized use of their PI may cause, and they should expect that their rights to privacy and confidentiality are respected.

5.1    REB Review of Privacy Concerns

5.1.1    The REB shall review the research submitted to determine if the Researcher has access to and/or is using PI and whether appropriate privacy legislation is adhered to.

5.1.2    In reviewing the research, the REB will include such privacy considerations as:

  • The type of PI to be collected,
  • The research objectives and justification for the requested personal data needed to fulfill these objectives,
  • The purpose for which the personal data will be used,
  • How the personal data will be controlled, accessed, disclosed, and de-identified,
  • Limits on the use, disclosure and retention of the personal data,
  • Any anticipated secondary uses of identifiable data from the research,
  • Any anticipated linkage of personal data gathered in the research with other data about research participants, whether those data are contained in public or personal records,
  • Whether consent for access to, or the collection of, personal data from participants is required,
  • How consent is managed and documented,
  • If and how prospective research participants will be informed of the research,
  • How prospective research participants will be recruited,
  • The administrative, technical, and physical safeguards and practices in place to protect the personal data, including de-identification strategies and managed linkages to identifiable data,
  • Participants’ ability to withdraw personal information or any study data (or limitations to do so and why),
  • How accountability and transparency in the management of personal data will be ensured.

5.1.3    The REB must find that there are adequate provisions to protect the privacy interests of participants before approving the research.

5.2    Receipt, Use and Disclosure of PI

5.2.1    The REB Chair, REB members and the REB Office Personnel are bound by confidentiality agreements signed prior to commencement of their duties.

5.2.2    The REB does not intentionally collect PI.

5.2.3    Subject to consent, as applicable, the REB is permitted to access PI for the purposes of the review, the approval, the ongoing monitoring, and/or the auditing of the conduct of the research.

5.2.4    The REB office must adopt reasonable safeguards and ensure that there is training for REB Office Personnel to protect PI from unauthorized access.

5.2.5    REB members or REB Office Personnel may consult with the REB Chair or designee if they are uncertain about the appropriate use or disclosure of PI.

5.2.6    If any PI is received inadvertently in the REB office (e.g., disclosed by a Researcher), appropriate notification and any required corrective action must take place, including, if applicable, notification to the appropriate Organizational Official. The facts surrounding the breach, the appropriate steps taken to manage the breach, remedial activities to address the breach and the outcome will be documented. The PI will be destroyed securely as per the organizational policies and procedures.

5.2.7    If there is an internal breach involving the use or dissemination of PI, the REB Chair or designee will be notified. If applicable, the appropriate Organizational Official will be notified and a determination regarding a corrective action plan will be made promptly. This process may include submitting a protocol deviation form or an adverse event, notification, containment, investigation and remediation, and strategies for prevention. Remedial actions may include contacting the participants to inform them of the breach and the corrective action plan. The facts surrounding the breach, the appropriate steps taken to manage the breach and the outcome will be documented. The PI will be destroyed securely as per the organizational policies and procedures.

5.2.8    If there is an external breach involving the use or dissemination of Personal Information, the REB Chair or designee will be notified. If applicable, the appropriate Organizational Official will be notified and a determination regarding a corrective action plan will be made promptly. This process may include submitting a protocol deviation form or an adverse event, notification, containment, investigation and remediation, and strategies for prevention. Remedial actions may include contacting the participants to inform them of the breach and the corrective action plan. The facts surrounding the breach, the appropriate steps taken to manage the breach and the outcome will be documented. The PI will be destroyed securely as per the organizational policies and procedures.

5.2.9    At the discretion of the REB Chair or designee, in consultation with the organization, the provincial privacy office (or equivalent) may be notified.

6.0 REFERENCES

See References.

SOP Code | Effective Date | Summary of Changes
SOP107.001 | 09/15/2014 | Original version
SOP107.002 | 03/08/2016 | No revisions needed
SOP107.003 | 10/08/2019 | No revisions needed
SOP107.004 | 05/15/2023 | No revisions needed
SOP107.004 | 12/01/2023 | Queen’s Specific Revisions/Clarifications added to the N2 SOPs