This is an Eval Central archive copy, find the original at evalacademy.com.
This article is rated as:
How often have you said the phrase “your information will be kept confidential”? “Confidential” and “anonymous” are words we use quite a bit in the evaluation world. But do you know what they actually mean? Let’s explore some of these concepts.
Confidentiality is when personally identifying information is collected but is not linked to the individual’s responses; in other words, the personally identifying information is kept separately. Confidentiality can be maintained through password-protected files and/or through proper record storage and destruction. Maintaining confidentiality is also a key consideration in reporting.
Anonymity is when the data collection process does not collect any personally identifiable information. Anonymity is when there is no opportunity to link responses back to a specific individual.
If you are interviewing an individual or conducting a focus group, your data collection cannot be anonymous. If you are sending out a link to an online survey that collects no identifying information, then you have anonymity.
Personally Identifying Information
Notice this phrase pops up in both of those definitions? This phrase, sometimes shortened to PII, unfortunately doesn’t have a standard definition. It means different things to different organizations, in different policies or legislation, and across different sectors.
Generally, it is understood to mean any singular datum or group of data that could identify an individual. It may be obvious that a name is personally identifying, but many other demographic or profile data depend on the context. For example, age can be identifying if you are collecting data from a sample with an average age of 50, but one participant is 87. Gender may be identifying if your sample is predominately one gender.
Combinations of data can also lead to identification. For example, perhaps in your sample, organizational role is not identifying – you have lots of program leads and coordinators, but if you include duration of time employed and role together you may identify that newly hired coordinator, or the program lead whose been in the organization longer than the rest.
Most countries or jurisdictions have policies or laws around the protection of personally identifying information. Here in Canada where Eval Academy is based we have PIDEDA: The Personal Information Protection and Electronic Documents Act. In the United States HIPAA (Health Insurance Portability and Accountability Act) is a well-known regulation.
Staff roles within an organization is a common one I come across that is potentially identifying.
Difference between legal confidentiality and ethical confidentiality
For an evaluation, the question of confidentiality or anonymity is ethical, not legal. It is our duty to put in extra effort to preserve confidentiality, having thought of the ethical risks of data breaches. This is not the same as lawyer-client confidentiality.
Some professions have bodies or policies that guide if and when confidential information can be disclosed: think psychologists, physicians, or lawyers. Unfortunately, as of yet, evaluators do not have this, and yet we are often working with vulnerable populations who may disclose a number of concerning matters to us.
Given that there are no official rules, what you do about disclosing information is ultimately up to you and your organization or client. It is prudent to anticipate potentially risky scenarios. Here are some scenarios you may want to consider:
If a participant shares or discloses a risk to themselves (e.g., plans of suicide): if you believe the situation is an emergency, you may choose to call emergency services, like 911, and disclose the information you have.
If a participant discloses non-emergent risks about problems with mental health or behaviour: you may wish to have a list of local resources available to you that you could share. Your resource list may include things like housing options, the food bank, a crisis line, and other mental health supports or social support agencies relevant to your population.
Of course, a person may disclose criminal activity or other abuses. You will need to rely upon your own discretion to determine if there is anybody at urgent risk and what to do in these situations.
In non-emergent cases, and depending on the resources available to you, seeking consent to disclose information is always a good choice:
“What I’d like to do is share [details, e.g., name and phone number] with [description of where it will be shared, e.g., our social worker], so that [describe intent]. Is that ok?”
If they decline, you should not disclose any details. If consent is given, when you disclose confidential information, ensure you are only sharing information relevant to the reason for disclosure, and ensure the disclosure is through confidential channels.
Check out our Tips for Conducting Interviews infographic and our posts about consent for extra guidance here.
How to maintain Confidentiality
Most organizations have a records storage and retention policy. It is your duty to be familiar with them regarding confidential information. A storage policy will guide you on how and where to store specific types of information. Importantly, you should also be aware of who else has access to that storage location and if they should have access to any confidential information. A retention policy will likely categorize the type of record, how long it will be kept for, and how it will be destroyed. These policies can be referenced in your data collection introductions, for example:
“Information you share will be kept for [X years] on a password-protected server owned by [organization]. After [X years] we delete all copies.”
Some other places to consider confidentiality:
Transcription: you could not include names in transcription, thus when the recording is deleted, the transcript has (less) personally identifying information
File naming: ensure you don’t name recordings, transcripts or notes using personally identifying information, e.g., “Beth Smith’s Interview”
In reporting: Using quotes can add such rich information to your reporting, but quotes should be considered from the lens of confidentiality, and where possible use Member Checking to ensure explicit consent
The key here is to be a good data steward, which includes ethical data collection, transparency in the use of data, sound data management (storage, retention, destruction) and reporting that maintains confidentiality.