Research Ethics: Informed Consent, IRB and Data Privacy

Research ethics is the set of principles and procedures that protect the rights, safety, and well-being of human participants in research. It governs how researchers collect data, obtain consent, maintain confidentiality, and report findings. Every study involving human participants requires ethical review, informed consent, and a data protection plan before any data collection begins.

These requirements are not just procedural formalities. A 2025 framework published in PMC for bridging ethical gaps in digital health research identified four technology-relevant elements not currently covered by standard NIH guidance: profit sharing, interim result sharing, public study disclosure, and data removal rights. The study found that shortcomings in informed consent stem more from institutional practices, such as outdated templates or limited IRB awareness, than from the research technologies themselves. A separate 2025 cross-sectional analysis found that a significant proportion of published case reports and case series lack documented ethics committee involvement or informed consent that meets required standards. [1] [2]

This guide explains the core principles of research ethics, covers informed consent requirements, explains the IRB review process, addresses data privacy regulations, and provides examples across disciplines.

Key Takeaways

  • Informed consent requires that participants understand what the study involves, what risks exist, and that they can withdraw at any time without penalty. [1]
  • Institutional Review Boards (IRBs) review research proposals before data collection to ensure ethical standards are met. Studies cannot begin without IRB approval.
  • Data privacy regulations (GDPR, HIPAA) impose legal requirements on how participant data is collected, stored, and shared. Research ethics consent and data protection consent are distinct legal concepts. [3]
  • A significant proportion of published studies lack adequate documentation of ethics committee involvement and informed consent. [2]
  • AI and big data research are creating new ethical challenges around consent scope, data reuse, and algorithmic transparency that existing frameworks are still adapting to address.

Research ethics protects participants through three core principles: respect for persons (autonomy and informed consent), beneficence (minimizing harm and maximizing benefit), and justice (fair distribution of research burdens and benefits).

What Are Research Ethics?

Research ethics is the branch of applied ethics that governs how research involving human participants is designed, conducted, and reported. It ensures that participants are treated with dignity, that they are not exposed to unnecessary risk, and that their data is handled responsibly.

The modern framework for research ethics is built on three foundational principles established in the Belmont Report (1979): respect for persons, beneficence, and justice. These principles have been adopted and expanded by ethics codes worldwide, including the Declaration of Helsinki, the Common Rule (45 CFR 46) in the United States, and the GDPR in the European Union.

Respect for persons requires that individuals be treated as autonomous agents capable of making their own decisions about participation. It also requires additional protections for individuals with diminished autonomy, such as children, prisoners, or cognitively impaired persons. This principle is operationalized through informed consent.

Beneficence requires that researchers minimize potential harms and maximize potential benefits. It obligates researchers to assess whether the expected knowledge gained justifies the risks participants will face.

Justice requires that the burdens and benefits of research be distributed fairly. Vulnerable populations should not bear a disproportionate share of research risks, and the populations that bear the risks should be among those who benefit from the findings.

Informed consent is the process through which a potential participant learns about a study and voluntarily decides whether to take part. It is not simply a form to be signed. It is an ongoing dialogue between the researcher and the participant that must begin before data collection and continue throughout the study.

Every informed consent document must include the following elements:

Purpose of the study. A clear explanation of what the research is about, what questions it aims to answer, and why the participant is being invited to take part.

Procedures. A description of exactly what participation involves, including the time commitment, number of sessions, types of activities (surveys, interviews, physical tests), and any follow-up requirements.

Risks and discomforts. An honest description of any potential physical, psychological, social, or economic risks. This includes risks that are unlikely but possible, such as emotional distress from interview questions about sensitive topics.

Benefits. A description of any direct benefits to the participant and the broader benefits to science or society. Researchers must not overstate potential benefits.

Confidentiality. An explanation of how data will be collected, stored, anonymized, and shared. Participants must know who will have access to their data and for how long it will be retained.

Voluntary participation and withdrawal. A clear statement that participation is voluntary, that the participant can withdraw at any time without penalty, and that withdrawal will not affect their relationship with the institution or any services they receive.

Contact information. Names and contact details for the principal investigator and the IRB or ethics committee, so participants can ask questions or report concerns.

Example 1: Survey research. A researcher studying workplace stress distributes an online survey. The consent form appears on the first page of the survey and explains that participation takes approximately 15 minutes, that responses are anonymous, that no identifying information is collected, and that completing the survey constitutes consent. Participants can close the browser at any time to withdraw.

Example 2: Interview research. A researcher conducting semi-structured interviews about experiences with chronic illness provides a written consent form at the start of each interview. The form explains that the interview will be audio recorded, that transcripts will be de-identified, that the participant can skip any question, and that they can withdraw their data up to two weeks after the interview. The participant signs the form and keeps a copy.

Example 3: Vulnerable populations. A researcher studying decision-making in adolescents obtains assent from participants aged 13 to 17 and written consent from their parents or guardians. The assent form uses age-appropriate language and explains the study in terms the adolescent can understand.

How you plan your data collection methods directly affects your consent requirements. Surveys, interviews, and observation each raise different ethical considerations, and your consent form must address the specific procedures your study uses.

A 2025 analysis from the Harvard Petrie-Flom Center found that traditional informed consent models are increasingly inadequate for AI and big data research because participants cannot meaningfully consent to uses of their data that do not yet exist. When AI models are trained on participant data, the data is incorporated into all future predictions, making it difficult to define the boundaries of consent at the time of collection. [3]

A 2025 review of broad consent practices in healthcare research found that while broad consent (consent to future unspecified research uses) improves efficiency, it raises concerns about whether participants truly understand the scope of what they are agreeing to. [4]

Institutional Review Board (IRB)

An Institutional Review Board (IRB) is an independent committee that reviews research proposals involving human participants to ensure they meet ethical standards. In the United States, IRB review is required by federal regulation (45 CFR 46) for all research involving human subjects that is conducted at institutions receiving federal funding. Most universities and research institutions require IRB review for all human subjects research regardless of funding source.

IRB Review Categories

Exempt review applies to research that involves minimal risk and does not collect identifying information. Common examples include anonymous surveys of adults on non-sensitive topics, observation of public behavior, and analysis of existing de-identified datasets. Even exempt research must be submitted to the IRB for a determination of exempt status.

Expedited review applies to research that involves no more than minimal risk but includes identifiable data or minor procedures. Examples include interviews with adults on non-sensitive topics, collection of non-invasive biological samples (saliva, hair), and research using existing identifiable data. One or two IRB members conduct the review rather than the full board.

Full board review is required for research that involves greater than minimal risk, vulnerable populations (children, prisoners, cognitively impaired individuals), or deception. The full IRB committee reviews the protocol, consent materials, and study procedures. Examples include clinical trials, studies involving invasive procedures, and research with minors.

What the IRB Evaluates

The IRB assesses whether the research design minimizes risks, whether the informed consent process is adequate, whether participant selection is equitable, whether data privacy protections are sufficient, and whether the potential benefits justify the risks. The IRB also reviews the qualifications of the research team and the adequacy of the research setting.

Your research design determines the level of IRB review required. Experimental designs involving randomization and control groups typically require full board review, while observational designs using anonymous surveys may qualify for exempt review.

Data Privacy in Research

Data privacy refers to the legal and ethical obligations researchers have to protect participant information from unauthorized access, disclosure, or misuse. Multiple regulatory frameworks govern data privacy in research, and compliance is both a legal requirement and an ethical obligation.

Key Data Privacy Regulations

GDPR (General Data Protection Regulation). The EU regulation governing the processing of personal data. It requires a lawful basis for data processing, data minimization, purpose limitation, and the right of data subjects to access, correct, and delete their personal data. Research involving EU participants must comply with GDPR regardless of where the researcher is located.

HIPAA (Health Insurance Portability and Accountability Act). The US regulation governing the use of protected health information (PHI) in healthcare and research. HIPAA requires de-identification of health data or a signed authorization from participants before PHI can be used for research.

FERPA (Family Educational Rights and Privacy Act). The US regulation protecting the privacy of student education records. Research using student data from educational institutions must comply with FERPA requirements.

Data Privacy Best Practices

De-identification. Remove all directly identifying information (names, addresses, social security numbers) from datasets. Use unique participant codes instead of names. Store the key linking codes to identities separately from the research data, with restricted access.

Encryption. Encrypt all electronic data, both in storage and in transit. Use institutionally approved encryption software and secure file-sharing platforms. Never transmit identifiable data via unencrypted email.

Access controls. Limit data access to authorized research team members only. Use password-protected files and role-based access controls. Document who has access to what data and review access permissions regularly.

Data retention and destruction. Define how long data will be retained after the study ends. Follow institutional and regulatory requirements for data retention periods. Destroy data securely when the retention period expires.

Secure storage. Store physical data (paper surveys, consent forms) in locked cabinets in restricted-access rooms. Store electronic data on institutional servers with appropriate security measures. Avoid storing research data on personal devices or consumer cloud services.

Ethical considerations also apply when selecting your sampling methods. Ensuring that your participant recruitment strategy does not disproportionately burden vulnerable populations is a direct application of the justice principle.

Ethical Challenges in Modern Research

AI and Machine Learning Research

AI research raises unique ethical questions. When machine learning models are trained on participant data, the data becomes embedded in the model and cannot be easily removed. A 2025 scoping review of ethical approval in mental health research found that studies using AI and machine learning often lack explicit discussion of how informed consent applies to algorithmic training, model reuse, and secondary data applications. Traditional consent models assume a defined study with a clear endpoint, but AI training creates ongoing, evolving uses of data that extend beyond the original study. [5]

Secondary Data Use

Research using existing datasets (medical records, social media data, administrative data) creates ethical grey areas. Participants may have consented to their data being used for clinical care but not for research. Researchers may argue that de-identified data does not require consent, but re-identification risks increase as datasets are linked and analytical methods become more sophisticated.

Online Research

Internet-based research (online surveys, social media analysis, digital experiments) raises questions about what constitutes "public" data, whether terms-of-service agreements substitute for informed consent, and how to protect anonymity when digital footprints can identify participants. Researchers must consider not only legal requirements but also participant expectations about how their data will be used.

Cross-Cultural Research

Ethical standards vary across countries and cultures. What constitutes adequate informed consent in one context may not be appropriate in another. Researchers conducting cross-cultural studies must navigate multiple regulatory frameworks, respect local customs and norms around consent, and ensure that consent processes are culturally sensitive and linguistically accessible.

Common Mistakes and How to Fix Them

Error: Having participants sign a consent form at the start of the study and never revisiting consent, even when the study procedures change or new risks emerge.

Fix: Treat informed consent as an ongoing process. If study procedures change, re-consent participants. For longitudinal studies, periodically remind participants of their right to withdraw. For studies involving evolving data uses (such as AI training), consider dynamic consent models that allow participants to update their preferences over time.

Mistake 2: Collecting Data Before IRB Approval

Error: Beginning interviews, distributing surveys, or accessing participant records before the IRB has approved the study protocol.

Fix: Submit your IRB application well in advance of your planned data collection start date. Build IRB review time (typically four to eight weeks for full board review) into your research timeline. No data collection of any kind can begin until written IRB approval is received.

Mistake 3: Describing Risks Vaguely

Error: Writing "risks are minimal" in the consent form without specifying what those risks actually are.

Fix: Name the specific risks. If interviews discuss sensitive topics, state that some questions may cause emotional discomfort. If surveys collect identifiable data, explain the risk of confidentiality breach and the measures in place to prevent it. Be specific and honest rather than using generic risk language.

Mistake 4: Storing Data Insecurely

Error: Saving participant data on a personal laptop without encryption, sharing files via consumer email, or using cloud storage without institutional approval.

Fix: Use institutionally approved, encrypted storage solutions. Follow your institution's data security policies. Never store identifiable data on personal devices. Use secure file transfer protocols when sharing data with co-investigators.

Mistake 5: Making Withdrawal Difficult

Error: Telling participants they can withdraw but not providing a clear mechanism for doing so, or continuing to use their data after they have requested withdrawal.

Fix: Provide a clear, accessible withdrawal process. Include contact information and a deadline by which participants can request data withdrawal. Once a participant withdraws, remove their data from the dataset unless the data has already been de-identified and cannot be linked back to them.

Mistake 6: Retaining Data Indefinitely

Error: Keeping identifiable participant data after the study ends without a defined retention period or destruction plan.

Fix: Define a data retention period in your IRB protocol and consent form. Follow institutional and regulatory requirements. Destroy identifiable data securely when the retention period expires. Document the destruction process.

Research Ethics Checklist

  • [ ] Ethical principles are followed. Study design reflects respect for persons, beneficence, and justice.
  • [ ] IRB approval is obtained. Study protocol, consent materials, and instruments are approved before any data collection.
  • [ ] Informed consent is comprehensive. Consent form includes purpose, procedures, risks, benefits, confidentiality, voluntary participation, and contact information.
  • [ ] Consent process is ongoing. Participants are re-consented when procedures change and reminded of withdrawal rights throughout the study.
  • [ ] Vulnerable populations are protected. Additional safeguards are in place for children, prisoners, cognitively impaired individuals, and other vulnerable groups.
  • [ ] Data privacy regulations are followed. Study complies with applicable regulations (GDPR, HIPAA, FERPA) based on participant location and data type.
  • [ ] Data is de-identified. Directly identifying information is removed and replaced with participant codes.
  • [ ] Data is encrypted and securely stored. Electronic data uses approved encryption, and physical data is stored in locked, restricted-access locations.
  • [ ] Access controls are in place. Only authorized team members can access identifiable data.
  • [ ] Data retention and destruction plan exists. A defined timeline and secure process for data destruction are documented.

Validate This With Papers (2 Minutes)

Before finalizing your ethics protocol, review how published studies in your field have handled informed consent, IRB review, and data privacy. This confirms that your approach meets disciplinary standards.

Step 1: Search for recent studies that used similar methods with similar populations. Note how they described their ethics approval, consent process, and data protection measures in the methodology section.

Step 2: Open two or three relevant papers. Look at the ethics statements for the level of IRB review obtained, the consent procedures described, and any data privacy measures reported. Reviewing how other studies in your field structure their research design helps you identify which ethical considerations are standard for your methodology.

Step 3: Use an Essay Title Generator to explore how ethics-focused research papers frame their titles, which can help you position your own study's ethical framework within the existing literature.

This takes about two minutes and ensures your ethics protocol aligns with established practices in your field.

Conclusion

Research ethics is not an administrative hurdle. It is the foundation of trustworthy research. Every study involving human participants requires informed consent that is comprehensive, ongoing, and culturally appropriate. Every study requires IRB review before data collection begins. Every study requires a data privacy plan that complies with applicable regulations and protects participant information from collection through destruction.

As AI, big data, and digital research methods create new ethical challenges, the core principles remain the same: respect for persons, beneficence, and justice. Traditional consent models are adapting to accommodate ongoing data uses, dynamic consent, and algorithmic transparency. Researchers who build ethical considerations into their study design from the beginning, rather than treating them as an afterthought, produce more credible research and maintain the trust that makes future research possible.

Frequently Asked Questions

Informed consent is the process through which a potential participant learns about a study's purpose, procedures, risks, benefits, and confidentiality protections, and then voluntarily decides whether to participate. It requires that consent be given freely, without coercion, and that participants understand they can withdraw at any time without penalty. Informed consent is both an ethical requirement and a legal obligation.

What does an IRB do?

An Institutional Review Board (IRB) is an independent committee that reviews research proposals involving human participants to ensure they meet ethical standards. The IRB evaluates whether risks are minimized, whether consent is adequate, whether participant selection is fair, and whether data privacy protections are sufficient. No data collection can begin without IRB approval.

What is the difference between exempt, expedited, and full board IRB review?

Exempt review applies to minimal-risk research with no identifying data (anonymous surveys, public observation). Expedited review applies to minimal-risk research with identifiable data (interviews with adults, non-invasive samples). Full board review is required for greater-than-minimal-risk research or studies involving vulnerable populations (clinical trials, research with children, studies using deception).

How does GDPR affect research?

GDPR requires a lawful basis for processing personal data, data minimization, purpose limitation, and participant rights including access, correction, and deletion. Research involving EU participants must comply with GDPR regardless of where the researcher is located. Research ethics consent and GDPR data protection consent are distinct legal requirements that may need to be addressed separately.

It depends on the context and regulatory framework. Publicly available data (social media posts, government statistics) may not require individual consent, but ethical considerations still apply. Researchers must consider whether participants had a reasonable expectation of privacy, whether the data can identify individuals, and whether the research could cause harm. IRB review is still recommended for research using publicly available data about identifiable individuals.

What happens if I violate research ethics guidelines?

Consequences can include suspension or termination of the study, loss of IRB approval, retraction of published papers, institutional sanctions, loss of research funding, and in severe cases, legal prosecution. Violations also damage participant trust and harm the reputation of the research institution and the broader research community.

References

  1. Alifia, R. R., Sadeghi, M., Eluru, M., Jafari, M., & Grando, M. A. (2025). Bridging ethical gaps in digital health research: A framework for informed consent aligned with NIH guidance. BMC Medical Ethics.
  2. Valešić, M., Čivljak, M., & Puljak, L. (2025). Informed consent and ethics committee involvement in case reports and case series: Cross-sectional meta-research study. BMC Medical Ethics.
  3. Kondrup, E. (2025). Informed consent, redefined: How AI and big data are changing the rules. Harvard Law School.
  4. Starekova, J., & Schweitzer, M. E. (2025). Broad consent in healthcare research: What is efficient, what is right? Journal of Magnetic Resonance Imaging.
  5. Cilar Budler, L., & Stiglic, G. (2025). Ethical approval and informed consent in mental health research: A scoping review. AI & Society.
