info
Khôi Ròm - 1:12 AM -
金沢大学
研究における個人に関わる情報の取り扱い/Handling Personal Information in Research_HSR [TEXT]
English Modules
Drafted date: 2016.3.31
Last update: 2018.4.5
Last update: 2018.4.5
Handling Personal Information in Research
< Material provided by >
APRIN, Association for the Promotion of Research Integrity
APRIN, Association for the Promotion of Research Integrity
Contents
- Introduction
- Rules Regarding the Handling of Personal Information in Japan
- The Definition of Personal Information
- (1) Types of Information That Can Identify an Individual
- (2) Personal Information in Various Forms
- (3) Anonymization
- (4) The Difference Between Using Abbreviations and Anonymization
- (5) Genetic Personal Information
- (6) Information Relating to a Deceased Person
- Using Information Obtained for Medical Care in Research
- The Rights of Human Subjects
- Responsibilities of Research Institutions
- Responsibilities of Researchers
- Providing Personal Information to a Third Party
- Everyone Who Is Involved in Research Must Fulfill the Obligations of Confidentiality
Handling Personal Information in Research
Introduction
P 1/14
An individual’s medical data or information relating to their physical or mental state, normally used to provide medical care for them, is sometimes required for research. In such cases, if the information is not kept confidential, it may lead to serious problems affecting the individual’s personal, professional or legal status, not to mention personal distress. Therefore, there are special requirements for the handling of such information when it is to be used in research.
Physicians have long been obligated to protect patients’ health information. That is, physicians should keep patients’ personal information confidential, as the disclosure of such information can be damaging to the patient. Fulfilling this obligation was simpler when a patient and a physician were the only individuals involved in the patient’s care. However, nowadays, multiple professionals need to be involved to provide better health care to patients. What makes this possible is the sharing of information on patients not only among physicians but also with various other categories of health care professionals. At the same time, research is now integrated into medical practice settings, with some patients agreeing to have their medical information used in research, such as for the development of a new therapeutic method or agent.
These changes have caused a shift in how information is managed in medical settings, and it is now understood that patients and research subjects should make decisions on this themselves. This is represented by the idea of a right to “informational self-determination”; that is, a patient or subject has a right to decide what information about him- or herself — generally referred to as “personal information” — should be communicated to others and under what circumstances. This idea was the basis for changes in Japanese laws, regulations, and administrative guidelines regarding the handling of personal information. The basic rule that researchers should keep in mind is that the use of personal health information is permitted only when a patient or subject explicitly consents to the use of their information for a specific study.
Human subjects research cannot be completed without the participation of people, which requires public trust. In order to develop that trust, everyone who engages in research must handle the personal information of every individual participant appropriately.
This obligation to respect the research participants’ rights to determine the use of their personal information is extended to anyone who conducts human subject research in medical and other settings. In this module, we will discuss important principles and steps when handling personal information in research.
Physicians have long been obligated to protect patients’ health information. That is, physicians should keep patients’ personal information confidential, as the disclosure of such information can be damaging to the patient. Fulfilling this obligation was simpler when a patient and a physician were the only individuals involved in the patient’s care. However, nowadays, multiple professionals need to be involved to provide better health care to patients. What makes this possible is the sharing of information on patients not only among physicians but also with various other categories of health care professionals. At the same time, research is now integrated into medical practice settings, with some patients agreeing to have their medical information used in research, such as for the development of a new therapeutic method or agent. These changes have caused a shift in how information is managed in medical settings, and it is now understood that patients and research subjects should make decisions on this themselves. This is represented by the idea of a right to “informational self-determination”; that is, a patient or subject has a right to decide what information about him- or herself — generally referred to as “personal information” — should be communicated to others and under what circumstances. This idea was the basis for changes in Japanese laws, regulations, and administrative guidelines regarding the handling of personal information. The basic rule that researchers should keep in mind is that the use of personal health information is permitted only when a patient or subject explicitly consents to the use of their information for a specific study.
Human subjects research cannot be completed without the participation of people, which requires public trust. In order to develop that trust, everyone who engages in research must handle the personal information of every individual participant appropriately.
This obligation to respect the research participants’ rights to determine the use of their personal information is extended to anyone who conducts human subject research in medical and other settings. In this module, we will discuss important principles and steps when handling personal information in research.
Handling Personal Information in Research
Rules Regarding the Handling of Personal Information in Japan
P 2/14
In Japan, the general rules for handling personal information are provided in Chapters I to III of the Act on the Protection of Personal Information (hereinafter the “Personal Information Protection Act”), which was enacted in 2003. The provisions of Articles 6* and 8** of this Act are the basis of the ethical guidelines established by the administrative authorities in connection with medical research.
Obligations that research institutions engaging in medical research should fulfill in handling personal information are provided for in the following laws and regulations, whose applicability depends on the institution’s establishing body.
At the same time, various ethical guidelines for medical research established by administrative agencies set out uniform rules with which all researchers should comply, to avoid hindering the exchange of research samples and information among multiple institutions engaging in collaborative research. The two main sets of guidelines are:
These guidelines do not provide for any penalties because they are not legally binding. However, in practice, compliance with these guidelines is one of the requirements for receiving government-funded research grants. If researchers violate these guidelines, they could be subject to sanctions such as revocation of the project’s adoption or withdrawal of funding, along with the suspension of their eligibility to apply for research grants. In this respect, these guidelines are, in effect, binding on researchers. To learn more about the details of and guidance on these guidelines as well as other related guidelines, refer to the websites of the Ministry of Health, Labour and Welfare (MHLW) and the Ministry of Education, Culture, Sports, Science and Technology (MEXT).
Fundamentally, case reporting is regarded not as research activity but as medical practice based on the relationship between a physician and a patient, and therefore is exempt from these guidelines. However, in response to the Personal Information Protection Act, the MHLW published and has been calling for compliance with the “Guidance for the Appropriate Handling of Personal Information by Medical and Health Care Providers”. It is paramount that individuals who handle personal information give due consideration to the protection of personal information.
* Article 6:
The government shall, considering the nature and utilization method of personal information, take necessary…action so as to be able to take discreet action for protecting personal information that especially requires ensuring the strict implementation of its proper handling in order to seek enhanced protection of an individual’s rights and interests…
**Article 8:
The central government shall provide information, develop guidelines to ensure the proper and effective implementation of action to be taken by a business operator etc., and take other necessary action in order to support... activities undertaken by a Japanese citizen, or a business operator etc. in relation to seeking the proper handling of personal information.
The government shall, considering the nature and utilization method of personal information, take necessary…action so as to be able to take discreet action for protecting personal information that especially requires ensuring the strict implementation of its proper handling in order to seek enhanced protection of an individual’s rights and interests…
**Article 8:
The central government shall provide information, develop guidelines to ensure the proper and effective implementation of action to be taken by a business operator etc., and take other necessary action in order to support... activities undertaken by a Japanese citizen, or a business operator etc. in relation to seeking the proper handling of personal information.
Obligations that research institutions engaging in medical research should fulfill in handling personal information are provided for in the following laws and regulations, whose applicability depends on the institution’s establishing body.
National universities, etc.: Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc.
National government organs: Act on the Protection of Personal Information Held by Administrative Organs
Prefectural or municipal universities, etc.: Ordinances on the protection of personal information established by the local governments that established the respective universities or institutions
Private universities: Act on the Protection of Personal Information
National government organs: Act on the Protection of Personal Information Held by Administrative Organs
Prefectural or municipal universities, etc.: Ordinances on the protection of personal information established by the local governments that established the respective universities or institutions
Private universities: Act on the Protection of Personal Information
At the same time, various ethical guidelines for medical research established by administrative agencies set out uniform rules with which all researchers should comply, to avoid hindering the exchange of research samples and information among multiple institutions engaging in collaborative research. The two main sets of guidelines are:
Ethical Guidelines for Human Genome/Gene Analysis Research
Ethical Guidelines for Medical and Health Research Involving Human Subjects
Ethical Guidelines for Medical and Health Research Involving Human Subjects
These guidelines do not provide for any penalties because they are not legally binding. However, in practice, compliance with these guidelines is one of the requirements for receiving government-funded research grants. If researchers violate these guidelines, they could be subject to sanctions such as revocation of the project’s adoption or withdrawal of funding, along with the suspension of their eligibility to apply for research grants. In this respect, these guidelines are, in effect, binding on researchers. To learn more about the details of and guidance on these guidelines as well as other related guidelines, refer to the websites of the Ministry of Health, Labour and Welfare (MHLW) and the Ministry of Education, Culture, Sports, Science and Technology (MEXT).
Fundamentally, case reporting is regarded not as research activity but as medical practice based on the relationship between a physician and a patient, and therefore is exempt from these guidelines. However, in response to the Personal Information Protection Act, the MHLW published and has been calling for compliance with the “Guidance for the Appropriate Handling of Personal Information by Medical and Health Care Providers”. It is paramount that individuals who handle personal information give due consideration to the protection of personal information.
Handling Personal Information in Research
The Definition of Personal Information
P 3/14
(1) Types of Information That Can Identify an Individual
Personal information is information about an individual which contains a name, date of birth or any other description that allows others to identify the individual or which contains an individual identification code. An individual identification code is a new concept introduced in the 2015 amendment to the Personal Information Protection Act. There are two types of code: a code relating to an individual’s bodily feature; and a code relating to a number assigned to the individual.
In addition to the government-issued Individual Number, known colloquially as “My Number,” examples of personal information include full-face photographic images, address details, phone numbers, e-mail addresses, health insurance identification numbers, driver’s license numbers, credit card numbers, and medical record numbers. Even if a single piece of information does not on its own directly identify an individual (such as a date of birth), it is considered personal information if that piece of information enables the identification of the specific individual when crosschecked with other information (researchers should be very careful when handling personal information, such as avoiding the use of initial letters of names in case reports). Many of these examples are found in daily life but are capable of identifying an individual.
In order to clarify the definition of personal information, the new concept of an “individual identification code” has been introduced. Information containing such a code falls within the scope of personal information even when it is not accompanied by any other information. Examples of an individual identification code include [i] codes into which a bodily feature of a specific individual has been converted for use by computers, such as DNA sequences and face, iris, and voiceprint data, and [ii] codes assigned to a specific individual in documents such as a passport number or driver’s license number, or for the purpose of using services. Personal information which could cause unfair discrimination or prejudice to a specific individual (e.g. the individual’s race, creed, social status, medical history, criminal record, or fact of having been a victim of crime) has been defined as “special care-required personal information” (that is to say, sensitive personal information)
Handling Personal Information in Research
P 4/14
(2) Personal Information in Various Forms
Personal information is recorded and stored in various forms including but not limited to the following:- 1)
- Medical records, operative notes, nursing notes, test data, images, referral forms, prescriptions, documents with information about the patients or their family members, such as family registers and documents with details of their occupation or position, and the aforementioned individual identification codes.
- 2)
- PCs, USB flash drives, memory cards, CDs, etc.
These make data highly portable, but allowing personal information out of the facility is, in principle, prohibited. Information must be securely stored under lock and key. Likewise, steps must be taken to guard against unauthorized access to personal information stored on electronic media. - 3)
- Test samples collected from patients and healthy individuals
Blood, DNA and other kinds of test samples can be the source of various information not in the scope of the original purpose of collection; thus, they are regarded as personal information. - 4)
- Research participants’ remarks and statements
Remarks and statements made when disclosing sensitive information in the course of participating in research should also be treated as personal information. As a researcher, you must be aware that you yourself hold information and must not discuss the information that you have obtained when communicating in your own home, in a public place or on the Internet.
Handling Personal Information in Research
P 5/14
(3) Anonymization
To protect a subject’s personal information, it is important to anonymize that information. There are two methods of anonymization: a method that retains information able to identify a specific individual when required (including a deceased individual) and a method that makes it impossible to identify a specific individual from the information. In the past, the Japanese guidelines called the former method “linkable anonymization” and the latter “unlinkable anonymization.” However, following the amendment to the Personal Information Protection Act, the Ethical Guidelines for Medical and Health Research Involving Human Subjects have been partially revised (on February 28, 2017, with revisions entering into force on May 30, 2017) to introduce new concepts such as an individual identification code and anonymously processed information, and accordingly, to discontinue the use of the terms “linkable/unlinkable.” Under the revised guidelines, anonymization is positioned as a security measure to ensure that a specific individual cannot easily be identified from information. Based on this, processing to ensure that information cannot identify a specific individual is now referred to as complete anonymization.
Information can also be anonymized in a manner that will enable identification of a specific individual later when necessary. This is done by assigning codes (such as a set of numbers) while retaining a means of connecting the data back to a specific individual, such as a reference table listing the codes and individuals’ names. In this case, such reference tables must be strictly managed and, of course, must not be made available to any person other than those involved in the study. One possible approach is to store anonymized data and reference tables at a separate research institution.
In the process of anonymizing information while completely eliminating its ability to identify a specific individual, no reference tables are prepared or retained. Consequently, it becomes impossible to cross-check or surmise to whom the personal information belongs. Anonymously processed information, which is discussed below, is classed as this type of information. If the research does not require identification of a specific individual after destroying the link between the individual and their data or specimens, this anonymization process will provide a higher level of security for the protection of personal information.
Handling Personal Information in Research
P 6/14
(4) The Difference Between Using Abbreviations and Anonymization
1) Acronyms or other forms of abbreviation, such as using the initial letters of names, are still considered personal information as long as it allows an individual’s identification. 
2) Anonymization should be regarded as a security measure; information that does not contain someone’s name or address but contains their individual identification code falls within the scope of personal information.Anonymization may be achieved by deleting information that can identify an individual such as a name or date of birth or masking the eyes on facial images from materials to be published in an academic journal or used in a conference presentation. However, since researchers identify themselves and their research institutions in their presentations, patients might realize that a presentation is about their case. Some online academic papers in the field of medical science may contain sensitive information (special care-required personal information). As a basic rule, when publishing an article or making a presentation based on a patient’s case, you must obtain the patient’s consent for using their case records in your publication or presentation.
Handling Personal Information in Research
P 7/14
(5) Genetic Personal Information
The handling of genetic information requires the highest degree of caution. It should be noted that DNA information by itself is regarded as an individual identification code and falls within the scope of personal information.Information obtained from specimens such as human genome/genetic data may contain personal information that is not only relevant to the subjects (donors) who provided the specimens.
Information from the donors may represent characteristics relating to:
- The donor themselves,
- The kin group of the donor,
- The ethnic group of the donor,
- The group of people who have the same disease as the donor, and so forth.
In Japan, the Ethical Guidelines for Human Genome/Gene Analysis Research sets out the responsibilities and roles in management of information relevant to this area of research.
Heads of research institutions such as the provost and the president, have the ultimate responsibilities for the administration and supervision of security and management of personal information. However, the heads of research institutions may delegate these duties to people who have a responsibility of providing direct oversight such as a director of a hospital, dean of a medical school or chief of a research center.
Heads of research institutions must appoint personal information officers for the protection of personal information when handling such in research involving human genome/genetic analysis.
They may also appoint divisional managers to share the duties of management or assistant personnel to perform work under the supervision of these managers. Primary responsibilities of personal information officers include the anonymization of genetic information before the commencement of research involving human genome/genetic analysis and the appropriate management and destruction of reference tables prepared during the anonymization process. Personal information officers and divisional custodians must be chosen among individuals who have a legal obligation (such as that under statutes that apply to qualified medical personnel such as the Medical Practitioners Act, the Penal Code, the National Public Service Acts and the Act of National University Corporations) of not disclosing confidential information known to the individuals in the course of performing their professional duties. Examples of such individuals are physicians, pharmacists, drug distributors, and faculty and staff members of national university corporations. In addition, no personal information custodian or divisional manager is allowed to be a principal investigator or a researcher at the same time.
Even if a specimen obtained from an individual’s body is anonymized, you must treat it as information that is able to identify the individual if you intend to obtain genome data (regarded as an individual identification code) from it.
Handling Personal Information in Research
P 8/14
(6) Information Relating to a Deceased Person
Strictly speaking, rights to personal information are held by a living individual. However, it is desired that information relating to the dead is also handled in a similar manner as for individuals who are living, taking into account the dignity of the deceased and sentiments of the bereaved family. For example, when using specimens or information from a dead patient, consent from the bereaved family should be obtained whenever possible. In addition, if information relating to a deceased person also relates to living individuals such as members of the bereaved family, the information must be treated as personal information of the living in the general sense. For example, genetic information of a person who died of a genetic disease may also constitute the bereaved family’s personal information and the social or economic conditions of the deceased may constitute the personal information of the bereaved family.Handling Personal Information in Research
Using Information Obtained for Medical Care in Research
P 9/14
Patients receive medical care for the treatment of diseases and to maintain health. Using such data in research means using it for a purpose other than the patient’s original intent. Therefore, unless otherwise specified, the use of this data for research purposes requires the patient’s consent. In other words, personal information obtained for the purpose of medical care cannot be used in research without consent from the individual. Following the recent amendment to the Personal Information Protection Act, “medical history” has been added as a type of “special care-required personal information.” Accordingly, personal data such as the name of the disease, information about medical care, and information from health checkups are now considered as “special care-required personal information,” requiring the person’s consent for its acquisition and provision to third parties.
However, depending on the details and methods of research, information obtained for medical care may be used for research without consent of the person by following the opt-out procedure if certain requirements are satisfied (for example, in an observational study that uses existing materials only).
Case reports are an example of the use of information for a purpose other than the patient’s original intent. If a case report falls under the category of research, the patient’s consent must be obtained. Determination as to whether or not such personal information is subject to review by the IRB is made based on such criteria as the number of cases presented, the procedures involved (e.g. simple summing or involving complex statistical processing), the place of disclosure (e.g. in the facility of the institution or at an academic conference) and the intended audience (e.g. medical personnel within the institution or a wide range of people including the general public and researchers). If a determination cannot be made easily, one should speak to members of the Research Ethics Review Board in their respective facility.
In the case of research, if information to be handled has been anonymized in a manner that prevents identification of a specific individual and does not contain any individual identification codes, it is not deemed personal information and thus, the patient’s consent is not required. On the other hand, most of the time, case reports are prepared by the physician or the department that provided care for the patient, thus, there is fundamental difficulty in performing anonymization. Researchers should pay full attention to this point, because it may be relatively easy to identify a specific individual by linking information contained in a presentation of a case report, such as the name of the reporter and the symptoms of the patient, with other information.
However, depending on the details and methods of research, information obtained for medical care may be used for research without consent of the person by following the opt-out procedure if certain requirements are satisfied (for example, in an observational study that uses existing materials only).
Case reports are an example of the use of information for a purpose other than the patient’s original intent. If a case report falls under the category of research, the patient’s consent must be obtained. Determination as to whether or not such personal information is subject to review by the IRB is made based on such criteria as the number of cases presented, the procedures involved (e.g. simple summing or involving complex statistical processing), the place of disclosure (e.g. in the facility of the institution or at an academic conference) and the intended audience (e.g. medical personnel within the institution or a wide range of people including the general public and researchers). If a determination cannot be made easily, one should speak to members of the Research Ethics Review Board in their respective facility.
In the case of research, if information to be handled has been anonymized in a manner that prevents identification of a specific individual and does not contain any individual identification codes, it is not deemed personal information and thus, the patient’s consent is not required. On the other hand, most of the time, case reports are prepared by the physician or the department that provided care for the patient, thus, there is fundamental difficulty in performing anonymization. Researchers should pay full attention to this point, because it may be relatively easy to identify a specific individual by linking information contained in a presentation of a case report, such as the name of the reporter and the symptoms of the patient, with other information.Handling Personal Information in Research
The Rights of Human Subjects
P 10/14
Individuals who participate in research (or their representatives who give proxy consent) have the right to decide what information about them should be communicated and under what circumstances. In order for this right to be correctly exercised, researchers must handle their personal information carefully, and human subjects are entitled to the following privacy rights:
Given the value of research materials, including personal information, researchers frequently want to use them for future research plans other than the one on which they are currently working, before the details of the future plans are determined. When a research plan is actually established, they should provide the research subject with the necessary information, to give the subject the opportunity to refuse to make their personal information available for research purposes. Until then, while the information is in the possession of the researchers, the research subject has a right to be provided with as much information as possible regarding any future research plans in which their personal information may be utilized.
At the same time, the research subject’s request based on these rights does not always need to be satisfied. For example, a third party provision may be made without the subject’s consent. For details, see “Providing Personal Information to A Third Party”.
- To have researchers maintain confidentiality of their personal information; this right can be exercised even after the retirement of the researchers who participated in a study;
- To receive adequate information about the handling of their personal information, including anonymization;
- To know the name of the person or institution that is responsible for the management of personal information;
- To know the content of personal information being stored, and how the information is stored and destroyed;
- To know the purpose of the use, method of use, users, and period of use of the personal information;
- To be provided with information and asked for consent if the purpose of use or other matters are to be changed from those for which they already gave consent;
- To request the correction, suspension of use, or destruction of personal information at any time;
- To forbid researchers from providing this information to a third party without consent; and
- To receive an appropriate response to any complaints concerning any of the above.
Given the value of research materials, including personal information, researchers frequently want to use them for future research plans other than the one on which they are currently working, before the details of the future plans are determined. When a research plan is actually established, they should provide the research subject with the necessary information, to give the subject the opportunity to refuse to make their personal information available for research purposes. Until then, while the information is in the possession of the researchers, the research subject has a right to be provided with as much information as possible regarding any future research plans in which their personal information may be utilized. At the same time, the research subject’s request based on these rights does not always need to be satisfied. For example, a third party provision may be made without the subject’s consent. For details, see “Providing Personal Information to A Third Party”.
Handling Personal Information in Research
Responsibilities of Research Institutions
P 11/14
In order to protect the research subject’s aforementioned rights, the government requires institutions engaging in research activities to take on the responsibility for security control and supervision in terms of personal information. Examples of specific measures that research institutions should take include the following.
1) Measures relating to equipment and facilities
1) Measures relating to equipment and facilities
- Prevent theft of electronic devices and media that store personal information, and prevent information leakage resulting from the transport of these devices and media from one location to another
- Establish areas where personal information is handled, and control access to these areas
- Destroy electronic media and delete information after use
- Control access to information; institute authorization, identification and recording of the persons who access information; and prevent unauthorized access
- Security for information systems
- Develop internal organizations and clarify their responsibility and authority
- Establish rules for handling personal information and measures against information leakage, and implement these rules and measures
- Ascertain the situation regarding the handling of personal information
- Establish confidentiality clauses in employment contracts and service contracts, and implement them
- Implement education and training for researchers, etc.
- the disclosure would be detrimental to third parties;
- the disclosure would be in violation of laws or regulations; or
- the disclosure would involve huge expense or infringe the legitimate rights of the research institution.
Handling Personal Information in Research
Responsibilities of Researchers
P 12/14
Researchers have a responsibility to act in a manner that ensures the proper exercise of the aforementioned rights of research subjects, under the control and supervision of their research institution. In the course of carrying out research, researchers must not obtain personal information by deceit or other improper means, and in principle, they must not handle personal information obtained in the course of carrying out research beyond the extent for which they have obtained consent from the research subjects in advance. Anonymously processed information
Amid this situation, particular attention is focusing on anonymously processed information. Anonymously processed information is personal information processed to meet the criteria for anonymization processing; more specifically, it is personal information processed into digital data so that it can no longer identify a specific individual, while allowing the information to be searched easily. It is expected that anonymously processed information will be used in the medical care field as well in the future, following the introduction of a system for accrediting business operators to take responsibility for anonymously processed medical care information and the management and provision of such information. Such operators would be called “certified medical data anonymization agencies.”Handling Personal Information in Research
Providing Personal Information to a Third Party
P 13/14
As a general rule, consent should be obtained prior to sharing personal information with a third party. However, there are a few special cases that do not require consent from the subject. If you intend to provide existing specimens and information to other research institutions for research purposes, please refer to the relevant administrative guidelines.
- Provision of the specimens/information is stipulated in law (For example, when called as a witness in a trial. In this case, the person has an obligation to testify under oath; however, because of the legal obligation of confidentiality, physicians or the like may legally refuse to testify);
- Provision due to the need to protect the life, health or property of a person, where there is difficulty in obtaining consent from the subject;
- Provision due to a particular need to improve public health or promote the healthy development of children, where there is difficulty in obtaining the subject’s consent; and
- Provision in the course of a public servant’s performing administrative duties, where obtaining the subject’s consent would actually impede those duties (such as checking the specimen/information against a suspect under criminal investigation).
Handling Personal Information in Research
Everyone Who Is Involved in Research Must Fulfill the Obligations of Confidentiality
P 14/14
Human subjects communicate with a variety of people during their participation in research, including medical students, interns and other administrative personnel who are not under confidentiality obligations under statutes such as the Penal Code, the Medical Practitioners Act and the National and Local Public Service Acts. However, such personnel are also obligated to maintain the confidentiality of subjects’ personal information. Also, many such personnel are under contractual obligation to maintain the confidentiality of subjects’ personal information in agreements executed when receiving education or training or before starting their jobs. If any of these people discloses or divulges personal information without a justifiable cause, they may be subject to civil liabilities and/or disciplinary actions, even though their acts were not within the scope of the Penal Code or administrative penalties in Japan. If there are concerns about unexpected leakage of information or data loss, this must be promptly reported to the research institution and the PI.
Handling Personal Information in Research
This module is adapted for the APRIN research community from “Research and HIPAA Privacy Protection” (Author: Reid Cushman) kindly offered by the CITI Program of BRANY (Biomedical Research Alliance of New York). Adaption was carried out by the APRIN supporting experts in accordance with the various pertinent laws and guidelines, whose names are listed elsewhere.
