9.2 Confidentiality, Privacy, and Data Protection
Key Takeaways
- Privacy is the person's interest in controlling access to their information; confidentiality is the professional duty to protect it; security is the safeguards.
- Minimum necessary access and data minimization are the two highest-yield exam rules.
- Small cell sizes and detailed quotes can re-identify people even in de-identified or aggregate reports.
- NCHEC treats candidate score information as confidential, releasable only with proper authorization or legal direction.
Protecting people while using information well
Health education work runs on information: survey responses, attendance logs, screening referrals, interview notes, coalition minutes, evaluation datasets, and school or clinical records. Article IV obligates specialists to deliver education with integrity, respecting confidentiality and the dignity of all people. The exam wants you to use data for legitimate program purposes while controlling risk.
Three terms are tested and frequently confused. Pin them down:
| Term | Definition | Exam cue |
|---|---|---|
| Privacy | The individual's interest in controlling access to information about themselves | "Can I decide what is shared?" |
| Confidentiality | The professional's duty to protect information shared in a trusted relationship | "Who is allowed to see this?" |
| Security | The technical and physical safeguards preventing unauthorized access, loss, or misuse | "How is it stored and locked down?" |
A single item may use one word, but the strongest answer usually addresses all three. When a sign-in sheet with phone numbers is left in a hallway, that is a confidentiality breach caused by a security failure that violates participants' privacy.
Plan privacy before the first data point
Good privacy practice begins at design, not at the breach. Before collecting anything, a CHES should answer six questions: what is truly needed, why, who will see it, how it is stored, how long it is kept, and how it will be reported. Collecting extra identifiers because they might be useful later is data over-collection — a classic wrong answer.
Data minimization and minimum necessary access are the two rules that resolve most items.
- A volunteer making reminder calls needs names and phone numbers — not full survey responses.
- A partner writing a newsletter needs aggregate outcomes — not the raw file.
- A program evaluator needs the dataset — but stored on a permissioned shared drive, never a personal email account.
Consent language must be understandable. Participants should know the purpose, whether participation is voluntary, what is collected, how it will be used, and any limits to confidentiality. School (FERPA), workplace, clinical (HIPAA), tribal, and research (IRB) settings add their own laws and approvals — the exam does not ask you to memorize statutes; it asks you to follow applicable policy and consult the right authority.
Reporting without re-identifying
Aggregate data are safer than individual records, but small numbers re-identify people. A report stating that "one pregnant teen in a rural high school completed the program" can identify that participant with no name attached. Detailed quotes do the same through context. The fix is small-cell suppression: combine or suppress any cell small enough to expose an individual.
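Small-cell suppression carried through in code, as an added example that is not part of the original page: a Python routine over a constructed count table that hides every non-zero cell below a threshold k, then applies complementary suppression so that a published row or column total cannot give a hidden cell back by subtraction. The threshold of 5, the school and participant-group categories, and the counts are all assumptions.

```python
# Constructed sample data, not from any real program: completions of a
# stress-management program by school (rows) and participant group (columns).
SAMPLE_COUNTS = {
    "Rural HS":    {"Pregnant teens": 1, "Other students": 42, "Staff": 0},
    "Suburban HS": {"Pregnant teens": 7, "Other students": 58, "Staff": 6},
    "Urban HS":    {"Pregnant teens": 3, "Other students": 64, "Staff": 9},
}
HIDDEN = None  # marker for a suppressed cell


def primary_suppression(counts, k):
    """Hide every non-zero cell below the threshold k. Zeros stay visible here;
    whether a zero itself discloses something is a local policy decision."""
    return {row: {col: (HIDDEN if 0 < n < k else n) for col, n in cells.items()}
            for row, cells in counts.items()}


def complementary_suppression(table, counts):
    """Assumes row and column totals are published. A line with exactly one
    hidden cell leaks it by subtraction, so also hide that line's smallest
    visible cell; repeat until no row or column has a single hidden cell."""
    rows, cols = list(table), list(next(iter(table.values())))
    lines = ([[(r, c) for c in cols] for r in rows] +   # each row
             [[(r, c) for r in rows] for c in cols])    # each column
    changed = True
    while changed:
        changed = False
        for line in lines:
            hidden = [rc for rc in line if table[rc[0]][rc[1]] is HIDDEN]
            visible = [rc for rc in line if rc not in hidden]
            if len(hidden) != 1 or not visible:
                continue
            r, c = min(visible, key=lambda rc: counts[rc[0]][rc[1]])
            table[r][c] = HIDDEN
            changed = True
    return table


def publishable_table(counts, k=5, mark="*"):
    """Full pipeline: primary then complementary suppression, with every
    hidden cell replaced by a neutral mark (not '<k', since complementary
    cells may be large)."""
    table = complementary_suppression(primary_suppression(counts, k), counts)
    return {row: {col: (mark if n is HIDDEN else n) for col, n in cells.items()}
            for row, cells in table.items()}


if __name__ == "__main__":
    for row, cells in publishable_table(SAMPLE_COUNTS, k=5).items():
        print(f"{row:12}", cells)
```

The single rural completion is hidden, and so is the rural Staff cell, because the row total would otherwise reveal the hidden count at once; the same happens in the Urban row.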
Breach response, in order
- Contain the exposure — retrieve and secure the file.
- Notify the supervisor or privacy officer per policy.
- Document what happened, when, and what data were involved.
- Determine required notifications to affected people or regulators.
Deleting evidence, staying silent, or privately warning only a friend are wrong answers. "No harm was intended" does not cure a breach — ethical practice is judged on foreseeable risk.
Candidate score confidentiality
NCHEC treats CHES score information as confidential. An employer, school, or supervisor does not receive official scores by casual request; release requires the candidate's authorization or legal direction. This reinforces the broader rule: convenience is never a reason to release protected information. Confidentiality is not a barrier to evaluation — it is a design requirement for trustworthy evaluation.
Scenario Review Checklist
- Identify the relevant CHES Area of Responsibility and the privacy/confidentiality/security layer.
- Apply minimum necessary and data minimization.
- Check for small-cell re-identification before reporting.
- Reject options that disclose by convenience, skip policy, or ignore foreseeable risk.
Applying the rules across common settings
The exam moves the same confidentiality logic across different settings, and the right answer shifts with the governing rule. You do not need statute citations, but you should recognize that each setting adds its own layer of protection.
- Schools: the Family Educational Rights and Privacy Act (FERPA) protects student education records. A CHES running a school program shares student-level data only with authorized school officials who have a legitimate educational interest, and obtains parental consent (or eligible-student consent at 18) where required.
- Clinical or coalition partners handling health records: the Health Insurance Portability and Accountability Act (HIPAA) protects individually identifiable health information held by covered entities. A community partner cannot hand a CHES a roster of patients' diagnoses simply because both work on a grant.
- Research and evaluation: an Institutional Review Board (IRB) reviews studies involving human subjects; consent must describe purpose, voluntariness, risks, and confidentiality limits.
A second exam favorite is the technology breach. Texting a spreadsheet of identifiers to a personal phone, using an unsecured public Wi-Fi network to upload data, leaving a laptop unlocked, or emailing participant lists to a personal account are all security failures. The strong answer encrypts or password-protects files, uses permissioned organizational storage, and limits who holds access.
A third is secondary use: data collected for one purpose are repurposed for another (marketing, a new study, a partner's mailing list) without consent. The ethical default is that data are used for the stated purpose; new uses need new authorization. When you see a request to reuse data "since we already have it," treat it as a confidentiality flag and choose the option that returns to consent and the minimum-necessary principle rather than the convenient reuse.
A coalition partner asks for the full participant spreadsheet from a stress-management program, including names and individual survey responses. What should the CHES do first?
Which reporting choice best protects confidentiality in a small program?
A CHES finds an attendance sheet with phone numbers left in a public hallway. What is the best next action?