Who has responsibility for safeguarding the privacy of research participants?

Protecting privacy is a shared responsibility among researchers, REBs, and the institution hosting the research. Researchers design and conduct the study with privacy in mind—obtaining informed consent that clearly explains data use, minimizing data collection, de-identifying data where possible, and implementing secure data handling, storage, and access controls. REBs review the plan to identify privacy risks and ensure appropriate safeguards are in place, often requiring conditions or modifications before approval. The institution provides the governance framework, policies, and resources—such as privacy officers, data management and IT security infrastructure, training, and formal data-sharing agreements—to support and enforce privacy protections across the research enterprise. Funders may set privacy expectations as part of funding criteria, but they do not directly manage day-to-day privacy protections.