Privacy and Confidentiality
1. In seeking reimbursement for expenses related to incentives offered to research participants, how can researchers meet their financial obligations of submitting evidence of incentive distribution without compromising participants' confidentiality?
Researchers have an ethical duty of confidentiality to participants which includes safeguarding their information (Article 5.1). Researchers must also satisfy their institutional financial reporting requirements for the use of funds to pay for incentives to participants. To satisfy both obligations, researchers may submit a coded list of participants who received incentives. This would offer a degree of privacy protection for participants while providing an acceptable audit trail for the use of funds. The code (e.g., a sealed envelope containing participant initials or signatures, and dates and amounts of incentive distribution) can be made available upon request to third-party auditors. An acceptable audit trail should also include the researcher's application to the REB, detailing the incentive plan (amount of incentive, number of participants, method of distribution), the REB's letter approving the ethical acceptability of the research, receipts for purchase of non-monetary incentives, an attestation by the researcher (and/or anyone else involved in the distribution of incentives) as to the number of participants who received incentives (including dates and circumstances), and, where appropriate, the aforementioned coded list. This is consistent with guidance in TCPS 2 that requires relevant documentation of REB records to be accessible for legitimate reasons including "when necessary to assist internal and external audits." (See Article 6.17).
Participants' identifying information, signed receipts and other forms of proof of receipt of incentives that have the potential to identify them as participants must be safeguarded by researchers in a location separate from participants' data, or where required by the institution, equally protected by staff with responsibility for safeguarding financial information (see Article 5.4).
In the event that the institution requires researchers to provide documentation that includes identifiable information about individual participants, this should be reflected in the consent process so that prospective participants can be informed about who has access to their identifying information (see Article 3.2).
Further details related to financial administration can be found in the Tri-Agency Guide on Financial Administration.
2. What is the nature and extent of institutions' responsibilities under Article 5.1 to "support their researchers in maintaining promises of confidentiality" where complying with legal obligations would conflict with those promises?
Key elements of this interpretation have been integrated into TCPS 2 (2018) - Application of Article 5.1
For the purposes of clarity, the main question has been broken down into five components:
- What are the responsibilities of researchers, REBs and institutions with respect to privacy and confidentiality?
Researchers, REBs and institutions share the responsibility for protecting participant confidentiality. Researchers' responsibilities include safeguarding participant information and anticipating any reasonably foreseeable disclosure requirements. Researchers must "avoid being put in a position of becoming informants for authorities or leaders of organizations." See Article 5.1 and Article 5.2.
REBs' responsibilities include reviewing the ethical acceptability of the research protocol, including any privacy and confidentiality commitments. See Article 5.3 and Article 6.1.
Institutions are responsible for creating and maintaining a supportive research environment, establishing appropriate institutional security safeguards, training researchers and REBs regarding best privacy practices and implementing policies, procedures or guidelines that guide and support researchers and REBs in protecting participant confidentiality. See Article 5.1, Article 5.4, Article 6.2, Article 6.7 and the Agreement on the Administration of Agency Grants and Awards by Research Institutions.
- Why are institutions required to support researchers?
The researcher conducts research under the auspices of the institution. The REB is appointed by the institution as its vehicle for reviewing research projects to ensure their ethical acceptability. In granting its approval for a study, the REB triggers the responsibility of the institution to support researchers in their commitment to protect participant confidentiality. See Article 6.1 and Article 6.2). Use of an alternative model of REB review (e.g., delegating review to an external REB) does not relieve the institution of this responsibility. Institutions that have adopted alternative review models remain responsible for the ethical acceptability and ethical conduct of research undertaken within their jurisdictions or under their auspices (Article 8.1).
- What are the institution's responsibilities when there is a conflict between ethics and legal obligations?
In some circumstances, a third party may seek to compel disclosure of participant information obtained in confidence in a research context, through the force of law (e.g., by subpoena or search warrant). The section on Research Ethics and Law in Chapter 1 of TCPS 2 advises that researchers “should…if necessary, seek independent legal advice to help resolve any conflicts between law and ethics, and guide an appropriate course of action.” Article 5.1 requires institutions to “support their researchers in maintaining promises of confidentiality.” When read together it becomes clear that institutional support includes providing the means for researchers to obtain independent legal advice where such advice is required. For the purposes of this Policy, "legal advice" includes all legal services that a researcher in this situation may require, including representation. In situations where there is an attempt to compel disclosure of confidential participant information by legal means, institutional support consists of providing researchers with financial and other support to obtain the independent legal advice which permits the researcher to make an informed decision as to whether to disclose or to resist disclosure of confidential participant information. If resisting disclosure is warranted, institutional support includes the independent legal advice, which makes that resistance possible, or ensuring that such support is provided.
- Why is it important for the researcher to obtain independent legal advice?
When researchers face situations where their ethical duty of participant confidentiality and legal obligation to disclose confidential participant information cannot be reconciled, the purpose of independent legal advice is to advise them on the personal consequences of a possible decision to respect ethical principles rather than legal obligations. Such legal advice should be independent of any advice to the institution.
- How can the institution fulfill its responsibilities?
In situations where there is an attempt by legal means to compel disclosure of confidential participant information, TCPS 2 requires institutions to provide researchers with financial and other support to obtain independent legal advice or to ensure that such support is provided.
As with other areas of guidance, TCPS 2 sets out general guidelines and each institution establishes policies or procedures that implement those guidelines in a manner that is suited to its own individual needs and resources. Institutions should consider whether research being conducted under its auspices or within its jurisdiction is likely to put researchers in a position where they may experience tension between the ethical duty to maintain participant confidentiality and the legal obligation of disclosure of confidential participant information. Where that likelihood exists, the institution should establish policies, procedures or guidelines that explain how it will fulfill its responsibilities to support its researchers. They should include an explanation of the nature and the scope of the support, a mechanism to determine the level of support in individual cases, the source of funding (e.g., dedicated fund, insurance, agreement with professional association) and any other relevant criteria. The institution should establish such policies, procedures or guidelines in collaboration with its researchers.
Article 5.1 states: “Institutions shall support their researchers in maintaining promises of confidentiality.” When there is a conflict between researchers’ ethical duty of participant confidentiality and a legal obligation of disclosure of confidential participant information, institutions must provide financial and other support for researchers to obtain independent legal advice or ensure that such support is provided. Institutions should establish policies, procedure or guidelines that explain how they will provide that support.
3. Is it ethically acceptable to conduct research on an anonymous basis if it may foreseeably trigger legal reporting obligations?
It is ethically acceptable to conduct research that may foreseeably trigger legal reporting obligations on an anonymous basis if it is the only way that participants will consider participating in the research and provide honest responses. If it allows identification of participants, it is unlikely that research could be conducted effectively on such matters as sexual abuse, violence, reportable infectious diseases, and other topics that may foreseeably trigger legal reporting obligations. Important knowledge and insights from research would consequently be foregone.
TCPS 2 acknowledges that researchers may face situations where they experience a tension between the requirements of the law and the guidance of the ethical principles of TCPS 2. The Policy advises that "in such situations, researchers should strive to comply with the law in the application of ethical principles" (see Chapter 1, Section C, Research Ethics and Law). While the research should not be designed to avoid an obligation to report, neither should it necessarily be structured in such a way as to make the researcher an investigator on behalf of the authorities. As TCPS 2 states "Researchers shall avoid being put in a position of becoming informants for authorities or leaders of organizations" (Application of Article 5.2)
An ethical balance must be struck between, on the one hand, the goals of protecting privacy and obtaining honest responses and, on the other hand, concern that some of the participants may be in need of protection or that they may present a threat to themselves or to others. An appropriate ethical balance could be achieved for example by giving participants the option to identify themselves to researchers. Participants may be informed that they are not required to identify themselves for the purpose of research, but they may do so if they wish. It should be made clear to participants that if they include their identifying information in the consent process, and the data collected reveal they are being abused or analyses reveal a reportable infectious disease for example, that researchers must, by law, share this information with the responsible authorities. If participants are experiencing abuse, neglect or otherwise want to reach out for help, this option allows them to do so.
As part of the consent process, researchers should also consider providing information about services available to participants who are experiencing harm, are harming others, or are at imminent risk of harming others. Participants could be informed about services available to provide counselling and assistance in abusive situations. If participants choose not to identify themselves, information about those services would give participants an alternate way to seek assistance.
4. What is the difference between 'anonymous' and 'non-identifiable' information as defined in TCPS 2?
'Anonymous information' and 'non-identifiable information' have different definitions for the purposes of TCPS 2. Anonymous information is "information [that] never had identifiers associated with it … and the risk of identification of individuals is low or very low" (Chapter 5, Section A). TCPS 2 defines information as non-identifiable "if it does not identify an individual, for all practical purposes, when used alone or combined with other available information … The assessment of whether information is identifiable is made in the context of a specific research project" (Chapter 5, Section A).
An important distinction between the two definitions is that 'anonymous' is a type of information that does not change relative to a specific research project, while the assessment of whether information is 'non-identifiable' may differ depending on the context of a specific research project. For example, the secondary use of coded information may identify individuals in research projects where the researcher has access to the key that links the participants' codes with their names. However, the same coded information may be assessed as non-identifiable in research projects where the researcher does not have access to the key.
In general, research that relies exclusively on secondary use of anonymous information is exempt from REB review (Article 2.4). Research that relies exclusively on secondary use of non-identifiable information generally requires REB review. However, consent is not required for this type of research (Article 5.5B).
- Date modified: