Confidentiality and Privacy Policy
International Medical Journal of Health (IMJH)
ISSN: 2395-6291 | COPE Member | GDPR Compliant | Protecting Your Privacy
Our Commitment to Confidentiality
IMJH is committed to protecting the confidentiality of all manuscripts, reviewer identities, author information, and personal data throughout the editorial process. This policy outlines our comprehensive approach to information security and privacy protection, aligned with COPE guidelines, GDPR requirements, and international data protection standards.
1 Core Confidentiality Principles
Foundational Principles
IMJH's confidentiality policy is built on six core principles derived from COPE guidelines and international data protection standards: confidentiality, integrity, availability, transparency, accountability, and lawfulness.
Confidentiality
Information is accessible only to authorized individuals for legitimate purposes.
Integrity
Information is accurate, complete, and protected from unauthorized modification.
Availability
Information is accessible to authorized users when needed for editorial processes.
Transparency
Clear communication about how information is collected, used, and protected.
Accountability
Clear responsibility for data protection with designated officers and audit trails.
Lawfulness
All data processing complies with applicable laws and regulatory requirements.
Scope of Confidentiality Policy:
This policy applies to all manuscripts, reviewer reports, author information, editorial communications, personal data, and any other confidential information handled by IMJH, its editorial board, reviewers, and staff.
2 Manuscript Confidentiality
Absolute Confidentiality Requirement
Unpublished manuscripts are the confidential property of the authors. IMJH and its reviewers treat all submitted manuscripts as strictly confidential documents.
Confidentiality DOs
- Access limited to editors, editorial staff, and assigned reviewers
- Secure handling through encrypted submission system
- Timely deletion of manuscript files after publication or rejection
- Immediate reporting of any accidental disclosure to editorial office
- Confidentiality agreements signed by all editorial staff and board members
Confidentiality DON'Ts
- No discussion of manuscripts with unauthorized individuals
- No sharing of manuscript files via personal email or unsecured platforms
- No use of unpublished data for personal research or competitive advantage
- No disclosure of manuscript status to unauthorized third parties
- No retention of manuscript copies after review completion
Pre-Publication Stage
Submission to Decision: Manuscripts are accessible only to editors, editorial office staff, and assigned peer reviewers.
Under Revision: Authors may share their manuscripts with co-authors and acknowledged contributors only.
Accepted Manuscripts: Confidential until official publication date and time.
Post-Publication Stage
Published Articles: Confidentiality no longer applies; content is publicly available under CC BY-NC license.
Reviewer Reports: Remain confidential unless reviewer consents to open peer review.
Editorial Communications: Remain confidential between parties unless required for investigation.
COPE Position on Manuscript Confidentiality:
"Any manuscripts received for review must be treated as confidential documents. They must not be shown to or discussed with others except as authorized by the editor." - COPE Ethical Guidelines for Peer Reviewers
3 Reviewer Identity Protection
Double-Blind Peer Review
IMJH operates a double-blind peer review model:
- Reviewers do not know the identities of the authors
- Authors do not know the identities of the reviewers
- Reviewer identities are never revealed to authors without explicit consent
- Author identities are removed from manuscripts before reviewer assignment
Reviewer Anonymity Protections
- Reviewer database is securely encrypted and access-restricted
- Reviewer comments are anonymized before transmission to authors
- Reviewer identities are protected even after publication
- Opt-in recognition only with explicit reviewer consent via Publons/ORCID
- No disclosure to funding agencies or institutions without legal requirement
Reviewer Confidentiality Obligations
By accepting a review invitation, reviewers agree to:
- Maintain strict confidentiality of the manuscript
- Not disclose their review activity or manuscript content
- Not attempt to identify authors during the review process
- Not share the review with unauthorized colleagues
- Delete all manuscript files after completing the review
Publons/ORCID Recognition
Reviewers may choose to have their reviews credited:
- Opt-in only: No automatic publication of reviewer identity
- Privacy controls: Reviewers choose anonymous or named credit
- Verification: IMJH verifies review activity without disclosing manuscript details
Reviewer recognition never compromises double-blind integrity during the active review process.
Prohibited: Author Identification Attempts
Reviewers must not attempt to identify authors by searching for the manuscript title, searching databases for author names, or using any other method to circumvent the double-blind process. Such attempts constitute a breach of confidentiality and may result in removal from the reviewer database.
5 Editorial Office Confidentiality
Editor & Staff Obligations
- Confidentiality agreements signed by all editors and editorial staff
- Annual training on data protection and confidentiality policies
- Access revocation immediately upon role termination
- No personal device use for manuscript processing
- Clean desk policy for physical documents
Editorial Board Confidentiality
- Board members have access only to manuscripts they handle
- Confidential discussions at editorial board meetings remain internal
- Manuscript information not shared outside board deliberations
- Conflict of interest recusal includes confidentiality obligations
Editorial Confidentiality Agreement
"I understand that all manuscripts submitted to IMJH, reviewer reports, editorial communications, and related information are strictly confidential. I agree to protect this confidentiality, access information only as necessary for my editorial duties, and never use unpublished information for personal advantage. I will report any suspected confidentiality breaches immediately to the Editor-in-Chief."
— Required oath for all IMJH editors and editorial staff
6 Data Security & Storage
Secure Data Centers
ISO 27001 certified, SOC 2 Type II compliant, 24/7 monitoring
Encryption
AES-256 at rest, TLS 1.3 in transit, encrypted backups
Access Control
Multi-factor authentication, role-based permissions, audit logging
Security Measures Summary
| Security Measure | Implementation |
|---|---|
| Authentication | Multi-factor authentication required for all editorial accounts |
| Password Policy | Minimum 12 characters, complexity requirements, 90-day rotation |
| Data Encryption | AES-256 encryption for all stored data; TLS 1.3 for data in transit |
| Backup | Daily encrypted backups, geographically redundant storage, 30-day retention |
| Audit Logging | All access to manuscript and personal data logged, reviewed quarterly |
| Vulnerability Scanning | Weekly automated scans, quarterly penetration testing |
7 GDPR & International Compliance
GDPR Compliance Statement
IMJH fully complies with the General Data Protection Regulation (GDPR) (EU) 2016/679 for all personal data of individuals within the European Union.
GDPR Principles
- Lawfulness, fairness, transparency - Clear privacy notices and consent mechanisms
- Purpose limitation - Data collected only for specified editorial purposes
- Data minimization - Only necessary information collected
- Accuracy - Mechanisms for data correction and updates
- Storage limitation - Defined retention periods and deletion protocols
- Integrity and confidentiality - Robust security measures
- Accountability - Documented compliance records
International Data Transfers
IMJH operates globally and transfers data internationally for editorial processing. We ensure:
- Standard Contractual Clauses for EU data transfers
- Adequacy decisions respected where applicable
- Binding Corporate Rules for internal transfers
- Privacy Shield compliance (where applicable)
Data controllers remain responsible for ensuring adequate protection regardless of geographic location.
Legal Bases for Processing
Contractual Necessity:
Manuscript submission and peer review (Article 6(1)(b))
Legal Obligation:
Archiving, fraud prevention, regulatory compliance (Article 6(1)(c))
Legitimate Interests:
Editorial decisions, reviewer recognition, journal improvement (Article 6(1)(f))
Consent:
Marketing communications, optional data sharing (Article 6(1)(a))
8 Breach Notification Protocol
Immediate Action Required
Any suspected or actual confidentiality breach must be reported immediately to the Data Protection Officer and Editor-in-Chief.
Breach Response Protocol
- Immediate Containment (within 1 hour): Isolate affected systems, revoke access, preserve evidence
- Assessment & Investigation (within 24 hours): Determine scope, affected data, root cause, risk assessment
- Notification (within 72 hours): Affected individuals, supervisory authorities, partners
- Remediation & Prevention (ongoing): Implement fixes, update policies, staff retraining
Notification Requirements
GDPR Notification (EU):
- Supervisory authority notification within 72 hours
- Affected individuals notified without undue delay
- High-risk breaches require individual communication
Other Jurisdictions:
- Compliance with local breach notification laws
- Contractual notification requirements
- COPE reporting for ethical breaches
9 Third-Party Service Providers
Data Processing Agreements
IMJH engages third-party service providers for essential journal operations. All providers are subject to:
- Written Data Processing Agreements compliant with GDPR Article 28
- Confidentiality obligations contractually binding
- Security audits of provider infrastructure
- Sub-processor notification and objection rights
- Data deletion certification upon contract termination
Current Service Providers
| Service Provider | Service | Data Accessed | Location |
|---|---|---|---|
| ScholarOne Manuscripts | Submission & peer review system | Manuscripts, author/reviewer data | USA (Virginia) |
| CrossRef | DOI registration, citation linking | Metadata, ORCID iDs | USA (multiple) |
| Amazon Web Services | Cloud hosting, data storage | All journal data (encrypted) | Global (EU, US, Asia) |
| iThenticate/Turnitin | Plagiarism screening | Manuscript text | USA (California) |
| Publons/Clarivate | Reviewer recognition | Reviewer identity (opt-in) | UK, USA |
10 Data Retention & Secure Disposal
Retention Periods
| Data Type | Retention Period |
|---|---|
| Published articles | Permanent |
| Rejected manuscripts | 2 years after final decision |
| Reviewer reports | 5 years after publication/rejection |
| Author correspondence | 5 years after last contact |
| Reviewer activity logs | 5 years after last review |
| System logs | 30 days (aggregated thereafter) |
| Financial records | 7 years (legal requirement) |
Secure Disposal Methods
- Electronic data: Cryptographic erasure, secure overwriting (DoD 5220.22-M)
- Physical documents: Cross-cut shredding (DIN Level P-4)
- Backup tapes: Physical destruction or certified degaussing
- Hard drives: Degaussing or physical destruction
- Cloud data: Certified deletion with provider verification
All data disposal is documented and certified for compliance purposes.
11 Your Rights & Access Requests
Data Subject Rights
- Right to be informed: Clear privacy notices
- Right of access: View your personal data
- Right to rectification: Correct inaccurate data
- Right to erasure: 'Right to be forgotten'
- Right to restrict processing: Limit how data is used
- Right to data portability: Receive data in usable format
- Right to object: Opt-out of processing
- Rights related to automation: No solely automated decisions
Submit a Data Request
To exercise your data protection rights:
We will respond to all verified requests within 30 days (GDPR requirement).
Identity Verification
To protect your privacy, we require verification of identity before processing data subject requests. Acceptable verification includes: official institutional email matching our records, government-issued ID, or secure electronic signature. Verification documents are used only for identity confirmation and deleted immediately after request processing.
12 Contact Data Protection Officer
Data Protection Officer
Dr. Anjali Sharma, PhD, CIPP/E
Certified Information Privacy Professional
Contact Information
Primary: info@imjhealth.org
Secondary: info.imjh@gmail.com
Subject: "FAO: Data Protection Officer - [Inquiry Topic]"
Response Commitment
All privacy and confidentiality inquiries acknowledged within 24 hours. Formal data subject requests processed within 30 days.
Supervisory Authority
If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with your local data protection authority.
EU Representative:
IMJH EU Data Representative
Attn: Data Protection
123 Avenue des Sciences, 75014 Paris, France
UK Representative:
IMJH UK Data Representative
Attn: Privacy Office
45 Bloomsbury Square, London WC1A 2LY, United Kingdom
Our Commitment to Your Privacy
IMJH is dedicated to maintaining the highest standards of confidentiality and data protection. We continuously review and enhance our privacy practices to ensure compliance with evolving regulations and to protect the trust you place in us.
Report a Breach
Immediately report any suspected confidentiality breach:
Email:
Subject: "URGENT - Security Breach Report"