20 November 2008
Contact: Maggie De Pano or Jonathan McCall, DCRI Communications

Duke researchers examined a criminal case that reached the North Carolina Court of Appeals and found that federal protections intended to insure the confidentiality of sensitive personal information may not fully protect the privacy of participants in scientific or clinical research.

Laura Beskow, Ph.D, M.P.H., Associate Director of the Duke Translational Medicine Institute’s Ethics, Law & Policy Core; Lauren Dame, J.D., M.P.H., Associate Director of the Duke Institute for Genome Sciences and Policy’s Center for Genome Ethics, Law & Policy; and E. Jane Costello, Ph.D., Professor of Psychology at the Department Psychiatry and Behavioral Sciences, authored the report, which was published in the November 14 issue of Science.

Certificates of Confidentiality, which are authorized by federal law, are meant to protect research subjects by preventing forced disclosure of sensitive personal information that, if made public, could be embarrassing or even harmful. Certificates allow researchers to refuse to disclose identifiable information on research subjects in any legal proceeding; for example, in response to a subpoena.

However, there are few court cases that document the “nearly absolute privacy protection” Certificates are widely believed to offer. In Science, the authors describe a legal case that casts doubt on just how strong those safeguards are.

The case

In a 2004 criminal case, a judge ordered the Duke University Health System (DUHS) to provide research records about a prosecution witness whom the defense lawyer believed had been part of a study of the development of psychiatric disorders in youth. The judge directed that the records remain confidential unless used at a trial or sentencing, but, had the order not been immediately challenged by DUHS, would have allowed them to be read by a number of people involved in the case, including the defendant.

DUHS and the study’s principal investigator objected to this and filed motions for a protective order, citing the protections offered by the Certificate. (They also did not take a position on whether the witness actually was a study participant, as doing so could itself be a breach of privacy.) The judge agreed to modify the earlier decision and granted a protective order, but still required DUHS to maintain a sealed copy of the records until the final resolution of the case.

Although the defendant was tried and convicted, the issue of access to the sealed records came up again when the case was appealed. This time, the judge ordered DUHS to give the records to the defense counsel, so that they could use them to prepare their case. Once again, DUHS argued that the records should remain confidential. The Court of Appeals eventually decided that the records were irrelevant to the case and reversed the earlier order. By this time, however, the research participant’s privacy had been breached, as both defense and prosecution counsel had seen the records.

But perhaps just as importantly, in neither instance did the court rule on whether the Certificate, which should have allowed DUHS to refuse to disclose the records, would have protected confidentiality if the records had been found to be relevant to the case.

Serious implications

The authors stated that this case has serious implications for the privacy of research subjects and for research that relies on investigators’ ability to promise confidentiality, noting that:

The authors concluded their report by encouraging more research on the real-world application and effects of Certificates of Confidentiality, as well as caution when describing the extent of their protections to potential research participants.