Informational privacy, confidentiality and data security in research involving human subjects
Confidentiality represents the duty to protect the privacy rights of individuals and groups. Confidentiality allows for an authorized person to disclose information in certain contexts, while the information remains protected, and its uses remain limited by an obligation to maintain confidentiality. Therefore, privacy represents the right to control sharing of one’s own personal information, while confidentiality represents the corresponding duty that researchers and other controllers and processors of personal data have to protect that personal information from unauthorized access and use. Anonymized or de-identified biological samples collected from patients are often perceived as adequate to be used in any number of studies without further patient consent, given the fact that no personally identifiable information is connected to such biologic samples. However, genetic information stored in DNA is one of the most precise identifiers that can be linked to a particular living being. In similar ways, information that uniquely describes proteins, metabolites or individual combinations and traits of microbial biotopes that populate our skin or the interior of our nose, oral cavity, pharynx, or intestines, can be linked to a specifically identified individual. Therefore, a wider concept of informational privacy is required, to cover the concept of privacy in research involving human subjects. Information and data security are the means by which access to individually identifiable information is coded, encrypted and controlled, thereby protecting confidential information from unauthorized use. Limited data sharing places restrictions on the use of data to those that are authorized, or for which patient authorization exists under regulations regarding privacy, confidentiality and data security, such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States (US), or the General Data Protection Regulation (GDPR) in the European Union (EU).