Post on 16-Jan-2016
Data Ownership and Security (RCR Week-3 Lecture)
Delia Y. Wolf, MD, JD, MSCI
Associate Dean, Regulatory Affairs & Research Compliance
Harvard School of Public Health
Email: dywolf@hsph.harvard.edu
February 14, 2014

Case 1
For his dissertation project in psychology, Antonio is studying new approaches to strengthen memory. He can apply these techniques to create interactive Web-based instructional modules. He plans to test these modules with students in a general psychology course, for which he is a teaching assistant. He expects that student volunteers who use the modules will subsequently perform better on examinations than other students. He hopes to publish the results in a conference proceeding on research in learning, because he plans to apply for an academic position after he completes the doctorate.
- Should Antonio seek IRB approval for his project? (Hint: what are the two questions you would ask in order to determine whether IRB approval is necessary?)
- If the answer to question #1 is yes, what type of IRB review would be appropriate?
- Can this protocol be exempted? Why or why not?
- Do student volunteers need to give formal informed consent? If so, what information needs to be included in the consent document?

Case 2
Two weeks into the new semester, the Professor in Mary’s course on Family Health gives the class a special assignment that was not on the course syllabus. Over the next week, everyone in the class is to talk with three classmates, who are not in the course, about the way their families deal with medical emergencies and chronic illness. Next week they should come to class prepared to report on their interviews. The Professor will then gather information collected by all the students and may write a paper on the topic. The Professor indicates that, in order to protect classmates’ privacy, no names should be mentioned during discussion.
The assignment makes Mary uneasy. In her Responsible Conduct of Research (RCR) course last semester, she learned about regulations pertaining to the use of human participants in research. Mary believes that the assignment should be reviewed by the IRB. When Mary raises her concerns with the Professor, the Professor assures her that her informal conversations with classmates are not research and therefore not subject to any regulations. When Mary reminds him that his potential publication may contribute to “generalizable knowledge,” his response is that even if this assignment meets the definition of research, it can be exempt because no names will be recorded, and therefore, no IRB review is necessary.
- Is the Professor’s last statement correct?
- Is this course assignment research?
- If IRB review is required, should each student submit an application to the IRB? Why or why not?
- Can this “course assignment” be exempt? If so, under which category? If not, will it meet one of the categories for expedited review?

Topics to be Covered
- Data ownership
- Data collection
- Data protection
- Data sharing
- Data management

Data Ownership
Bayh-Dole Act (Public Law: 96-517)
- Sponsored by two senators, Birch Bayh of Indiana and Bob Dole of Kansas
- Enacted by the United States Congress on December 12, 1980
- Governing intellectual property arising from federal government-funded research
- Allows for the transfer of exclusive control over many government funded inventions to universities and businesses for the purpose of further development and commercialization

Data Ownership (cont.)
Sponsors/funders
- Government
  - Grants – the institution that receives the funds owns and controls the data
  - Contracts – the government owns and controls the data
- Private companies – usually seek to retain the right to the commercial use of data
- Charitable organizations/foundations – retain or give away ownership rights depending on their interests

Data Ownership (cont.)
Points to consider
- Distinguish between grants and contracts
- Research institutions usually claim ownership rights over data collected with support awarded to the institution
- Be familiar with institutional policies
  - Who owns the data I am collecting?
  - What rights do I have to publish the data?
  - Does collecting these data impose any obligations on me?
- Do not enter into agreements without approval from the institution

Ownership of Biological Materials
Moore v. Regents of the University of California
- Moore was treated for hairy cell leukemia by Dr. Golde at UCLA Medical Center from 1976 to 1983
- Test results revealed that Moore’s cells would be useful for genetic research, but Golde did not inform Moore of his plans to use the cells for research
- A cell line was established from Moore’s T-lymphocytes sometime before 1979
- On January 6, 1983, UCLA applied for a patent on the cell line, listing Golde and Quan as inventors
- USPTO issued the patent on March 20, 1984

Ownership of Biological Materials
Moore v. Regents of the University of California
- In 1983, Moore was given a consent form that stated “I (do, do not) voluntarily grant to the University of California all rights I, or my heirs, may have in any cell line or any other potential product which might be developed from the blood and/or bone marrow obtained from me”
- Moore refused to sign the form and eventually turned it over to an attorney, who then discovered the patent
- After the patent was issued in 1984, UCLA and Golde negotiated agreements with Genetics Institute for commercial development; Golde became a paid consultant and acquired 75,000 shares of stock

Ownership of Biological Materials
Moore v. Regents of the University of California
- Moore filed a lawsuit naming Golde, Quan, the Regents, Genetics Institute, and Sandoz Pharmaceuticals as defendants
- Moore’s complaint stated thirteen causes of action, including conversion, lack of informed consent, breach of fiduciary duty and intentional infliction of emotional distress
- The court found that Moore had no property rights to his discarded cells or any profits made from them
- The court concluded that the researcher did have an obligation to obtain informed consent, and to disclose financial interests in the cells harvested from Moore

Ownership of Biological Materials
Washington University v. Catalona
- Dr. Catalona was a highly respected urologist and urologic surgeon, as well as a well-established prostate cancer researcher at Washington University in St. Louis
- While at WU, Dr. Catalona was instrumental in establishing the Biorepository for the collection and storage of biological research materials
- More than 30,000 research participants enrolled in prostate cancer research
- In 2003, Dr. Catalona left for Northwestern University to continue his prostate cancer research
- In February 2003, Dr. Catalona sent a “Medical consent & Authorization” form to about 60,000 research participants

Ownership of Biological Materials
Washington University v. Catalona
- About 6000 recipients signed the form and returned it to Dr. Catalona
- The University sought a declaratory judgment that it owned the biological specimens
- In March 2006, the District Court concluded that the University owned the research specimens. Dr. Catalona and the eight research participants appealed
- The Court held that Wash. U “owns the biological materials and neither Dr. Catalona nor any contributing individual has any ownership or proprietary right in the disputed biological materials.”

DHHS Draft Guidance
- “All future research that uses your samples may lead to the development of new products, you will not receive any payments for these new products.”
- “By agreeing to this use, you are giving up all claims to any money obtained by the researchers from commercial or other use of these specimens.”
- “I voluntarily and freely donate any and all blood, urine, and tissue samples to the [name of research institution] and hereby relinquish all property rights, title, and interests I may have in these samples.”

Data Collection
- Reliable methods
- Accuracy
- Authorization/Permission
  - IRB
  - IACUC
- Documentation
  - Hard-copy data
  - Electronic data

Data Protection
- Storage
- Record retention
- Confidentiality and information security
- Data from non-Harvard sources
  - Data use agreement (DUA) that states use limitations and/or protection requirements
  - Individual researchers do not have the authority to sign DUA on behalf of the institution
- Data from Harvard sources
  - Five data/information security categories
- Legal requests – contact OGC
- Certificates of confidentiality

Information Security Categories
- Level 1: De-identified research information about people and other non-confidential research information
- Level 2: Benign information about individually identifiable people
- Level 3: Sensitive information about individually identifiable people
- Level 4: Very sensitive information about individually identifiable people
- Level 5: Extremely sensitive information about individually identifiable people

Level 2 Information
- Individually identifiable information, disclosure of which would not ordinarily be expected to result in material harm, but as to which a subject has been promised confidentiality
- Example: Research participant in a study that was exempt by the IRB

Level 3 Information
- Individually identifiable information that, if disclosed, could reasonably be expected to be damaging to a person’s reputation or to cause embarrassment
- Example: Student record

Level 4 Information
- Individually identifiable High Risk Confidential Information that, if disclosed, could reasonably be expected to present a non-minimal risk of civil liability, moderate psychological harm, or material social harm to individuals or groups
- Example:
  - Social security number
  - Individual financial information
  - Medical records

Level 5 Information
- Individually identifiable information that could cause significant harm to an individual if exposed, including serious risk of criminal liability, serious psychological harm or other significant injury, loss of insurability or employability, or significant social harm to an individual or group
- Example:
  - Certain genetic information
  - Criminal record

Data Protection (cont.)
- Level 1: no specific University requirements
- Level 2: Password protection
- Level 3: Must not be directly accessible from the Internet (i.e. email) unless the data is encrypted
- Level 4: servers must be located only in physically secure facilities under University control
- Level 5: information must be stored and used only in physically secured rooms controlled by University. No master keys are allowed

Certificates of Confidentiality
- Issued by the National Institutes of Health (NIH)
- Protect investigators and institutions from being compelled to release information that could be used to identify research study participants
- Allow the investigator and others who have access to research records to refuse to disclose identifying information in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level

Identifying Information
- Broadly defined
- Not just name, address, social security number, etc.
- Includes any item or combination of items that could lead directly or indirectly to the identification of a research participant

Eligibility
- For IRB-approved research collecting identifying information
- If disclosure could have adverse consequences for subjects or damage: financial standing, employability, insurability, or reputation
- NIH or PHS funding not required

Examples
- Collecting genetic information
- Collecting information on psychological well-being of subjects
- Collecting information on sexual attitudes, preferences or practices
- Collecting data on substance abuse or other illegal risk behaviors
- Studies where participants may be involved in litigation related to exposures under study (e.g., breast implants, environmental or occupational exposures)

Requirements
- Must tell subjects that Certificate is in effect in Informed Consent form
- Must provide fair and clear explanation of Certificate’s protection, including limitations and exceptions
- Must document IRB approval and IRB qualifications
- Must provide a copy of the informed consent forms approved by the IRB
- PI and Institutional Official must sign application

Limitations and Exceptions
- Protects data maintained during any time the Certificate is in effect
- Protects those data in perpetuity
- Does not protect against voluntary disclosure:
  - child abuse
  - threat of harm to self or others
  - reportable communicable diseases
  - subject’s own disclosure
- Must disclose information about subjects for DHHS audit or program evaluation or if required by the Federal Food, Drug, and Cosmetic Act

Assurances
- Agree to protect against compelled disclosure and to support and defend the authority of the Certificate against legal challenges
- Agree to comply with Federal regulations that protect human subjects
- Agree to not represent Certificate as endorsement of project by DHHS or NIH or use to coerce participation
- Agree to inform subjects about Certificate, its protections and limitations

An Important Caveat
- Certificates of Confidentiality do not obviate the need for data security
- Data security is essential to the protection of research participants’ privacy
- Researchers should safeguard research data and findings.
- Unauthorized individuals must not access the research data or learn the identity of research participants

Data Sharing
- NIH believes all data should be considered for data sharing
- “Data should be made as widely and freely available as possible while safeguarding the privacy of participants, and protecting confidential and proprietary data”
- Data sharing plan required for applications requesting >$500,000/year from NIH

Data Management
- Data monitoring plan in each protocol
- Collected data should be open to scrutiny by both investigators and the sponsor
- When possible, statistical analysis should be conducted by an independent entity
- Stopping rule should be included in the protocol
- Study results and data analysis should be shared with the principal investigators as soon as they become available