chesapeake irb: a guide to research data protection and resources
TRANSCRIPT
Human Connection >>> Technology Driven
Address: 6940 Columbia Gateway Drive, Suite 110 Columbia, MD 21046-3403
Telephone: +1.410.884.2900 Web: www.chesapeakeirb.com Email: [email protected]
A Guide to Research Data Protection and Resources
6940 Columbia Gateway Drive, Suite 110 Phone: +1.410.884.2900 Columbia, MD 21046-3403 Web: www.chesapeakeirb.com
Ellen Kelso, CIP, Executive Director, Strategic Development Telephone: +1.410.884.2900 Email: [email protected] Web: www.chesapeakeirb.com Ellen Kelso joined Chesapeake IRB as part of the acquisition of Goodwyn IRB in 2014. Ms. Kelso has over 30 years of experience in the pharmaceutical industry. She spent the first half of her career with Eli Lilly and Company, serving in clinical operations and both domestic and international regulatory affairs.
In 1998 she founded Goodwyn IRB and was its executive leader until becoming part of the Chesapeake IRB organization. For the last decade and a half she has worked with top internationally respected bioethicists combining their expertise, academic perspective and knowledge with industry best practice, quality and management systems. Her experience includes human subject protections; leading project teams; managing worldwide regulatory strategies; designing regulatory compliance systems; and establishing electronic document, content management, and publication processes. Ms. Kelso is a sought after speaker and contributor to all topics related to research ethics and human subject protections with an emphasis on her knowledge of emerging human subject, industry trends and use of technology to enhance the research process. She serves on the Drug Information Association Program Planning Committee as well as with the Clinical Trials Transformation Initiative. Ms. Kelso holds a BS in Microbiology and Molecular Biology from Indiana University and has completed numerous professional and management training and development programs.
Human Connection >>> Technology Driven
About the Author
Data Protection Plan
A Data Protection Plan (including processes for destroying identifiable, confidential data not intended to be maintained) is an essential part of any overall research program that is reviewed by the IRB. The level of protection needed depends on the type of research and sensitivity of the data. To help researchers and IRBs in planning and review of research plans, here is an analysis of threats to data and various methods that can be used in various combinations to achieve desired, appropriate level of protection.
6940 Columbia Gateway Drive, Suite 110 Phone: +1.410.884.2900 Columbia, MD 21046-3403 Web: www.chesapeakeirb.com
Human Connection >>> Technology Driven
Accidental Disclosure
6940 Columbia Gateway Drive, Suite 110 Phone: +1.410.884.2900 Columbia, MD 21046-3403 Web: www.chesapeakeirb.com
Human Connection >>> Technology Driven
Potential Threat • Result of sloppy data
management procedures • Errors by the research staff • Failure to follow procedures • Disclosure of site location by
funder or by the subjects, themselves
Confidentiality Assuring Techniques 1. Keep data with personal identifiers in secured files. 2. Control (restrict) access and maintain adequate physical security of the data with specified procedures. 3. Educate the entire research team in the importance of confidentiality and in standard procedures about data confidentiality. 4. Destroy all identifiable, confidential data not intended to be maintained as stipulated in the standard operating procedures. 5. Be careful of what is given to subjects to keep, lest it be found by others.
Malicious Disclosure
6940 Columbia Gateway Drive, Suite 110 Phone: +1.410.884.2900 Columbia, MD 21046-3403 Web: www.chesapeakeirb.com
Human Connection >>> Technology Driven
Potential Threat • Theft • Unauthorized transfer of data by
disgruntled staff or others seeking financial gain
• Breach of computer systems security
Confidentiality Assuring Techniques 1. Develop policies that prohibit the unauthorized use, transfer and release of data and rigorously implement them 2. Require identification of the persons authorized to access the data for each access. 3. Ensure that network/internet enabled workstations have firewall and are security enabled to prevent unauthorized access. 4. Store data on secure servers with firewalls user authorization to protect data from unauthorized access. 5. Encrypt data during transmission (and also storage if access to computer upon which it resides is not sufficiently protected,) 6. Keep any removable media that holds data
or copies of data in a secure compartment when not in use. Encrypt the data on the removable media.
Compulsory Disclosure
6940 Columbia Gateway Drive, Suite 110 Phone: +1.410.884.2900 Columbia, MD 21046-3403 Web: www.chesapeakeirb.com
Human Connection >>> Technology Driven
Potential Threat • Result of legal action or Court
Order
Confidentiality Assuring Techniques 1. Implement regulatory or statutory nondisclosure protections (e.g. Certificate of Confidentiality) Holders of a “Certificate of Confidentiality” may not be compelled in federal, state, criminal, legislative, or other proceedings to identify individual research subjects.
Certificates of Confidentiality Individuals and agencies conducting research on particularly sensitive topics may apply to the Department of Health and Human Services for a government guarantee of immunity from judicial subpoena or request by other authorities. This is common for research involving sexual attitudes, preferences and practices, controlled substances, illegal conduct and mental health and other topics where public disclosure of identities and the information they provide could cause great harm to respondents. It is not necessary for a researcher to be federally funded, but the research protocol must have been approved by an Institutional Review Board. Once approved by DHHS, investigators can assure respondents protection from subpoena.
Statistical Disclosure
6940 Columbia Gateway Drive, Suite 110 Phone: +1.410.884.2900 Columbia, MD 21046-3403 Web: www.chesapeakeirb.com
Human Connection >>> Technology Driven
Potential Threat • Logical use or analyses of data
to identify cases that are infrequent or rare, or unique patterns of characteristics which, when associated with data from other sources lead to subject identification.
Confidentiality Assuring Techniques 1. Implement established Methods to prevent statistical disclosure. American Statistical Association. The American Statistical Association has a Web site specifically devoted to Privacy, Confidentiality, and Data Security
Direct Identifiers
6940 Columbia Gateway Drive, Suite 110 Phone: +1.410.884.2900 Columbia, MD 21046-3403 Web: www.chesapeakeirb.com
Human Connection >>> Technology Driven
Variables Endangering Confidentiality Direct Identifiers obtained during collection of data: Names, Addresses, Identification Numbers
Confidentiality Assuring Techniques 1. Remove Direct Identifiers (Anonymization) at the earliest opportunity. 2. Use “Honest Brokers”: An honest broker is a disinterested party that, in this context de-identifies data but codes it so that it can be re-identified. Only the coded data is provided to the investigator. The investigator can never link the data with an individual or an address.
Indirect Identifiers
6940 Columbia Gateway Drive, Suite 110 Phone: +1.410.884.2900 Columbia, MD 21046-3403 Web: www.chesapeakeirb.com
Human Connection >>> Technology Driven
Variables Endangering Confidentiality Indirect identifiers might be used in combination with other variables or in conjunction with a public record to identify an individual (detailed geography: state, county, census tract of residence; organizations to which respondent belongs; occupation; place of birth; dates of events; income,) etc. A determined interloper with enough money and time can use software to re-identify data. Risk depends on whether it would be worth anyone’s effort to go to such extremes to possibly re-identify one or more of the subjects.
Confidentiality Assuring Techniques Such indicators should be reviewed by investigator and a judgment made about the effect of retaining such items. If a variable might act as an indirect identifier (and thus could compromise the confidentiality of the subject), the investigator should recode the variable when preparing the dataset: 1. Removal – eliminate it entirely 2. Bracket – combine categories of a variable 3. Top-coding – group upper range to eliminate outliers 4. Collapse or combine - merge concepts in two or more variables by creating a new summary variable
Direct / Indirect Identifiers Central Important to a Study
6940 Columbia Gateway Drive, Suite 110 Phone: +1.410.884.2900 Columbia, MD 21046-3403 Web: www.chesapeakeirb.com
Human Connection >>> Technology Driven
Variables Endangering Confidentiality • Multilevel Studies of Hierarchical
Data collected about places, organizations, households,
• Exact event dates and birth dates (often useful for time-dependent analysis like survival or event history analyses)
• Geo-Coded Information • Qualitative Narrative Interview
(contains many references to people, places, events, associations, organizations, family relationships)
• Longitudinal Panel (not difficult at the end but during the follow up period need to maintain linkage and locator identifiers which makes it vulnerable during operational phase)
Confidentiality Assuring Techniques Such indicators should be reviewed by investigator and a judgment made about the effect of retaining such items. If a variable might act as an indirect identifier (and thus could compromise the confidentiality of the subject), the investigator should recode the variable when preparing the dataset: 1. Removal: Eliminate it entirely 2. Bracket: Combine categories of a variable 3. Top-Coding: Group upper range to eliminate outliers 4. Collapse or Combine: Merge concepts in two or more variables by creating a new summary variable
Data Sharing
6940 Columbia Gateway Drive, Suite 110 Phone: +1.410.884.2900 Columbia, MD 21046-3403 Web: www.chesapeakeirb.com
Human Connection >>> Technology Driven
Data Sharing As part of the research enterprise, researchers are encouraged to make their research data available to other scientists. This is often done in the form of public use files. The researcher is responsible for ensuring that shared data are protected.
Occasionally identifiable records are transferred to another investigator for additional analyses (in accordance with IRB approval of such restricted use) In such circumstances, secondary users must agree to protect the confidentiality of data even when it is shared or transferred. Confidentiality Assuring Techniques 1. Communicate explicitly the data protection plan that needs to be in place by secondary users 2. Determine whether the original consent agreement limited the use of the data in future studies 3. Obtain a written and binding agreement from the recipient that the data are bound by all of the conditions governing its original collection
Contact Information
6940 Columbia Gateway Drive, Suite 110 Phone: +1.410.884.2900 Columbia, MD 21046-3403 Web: www.chesapeakeirb.com
Ruth Boulter, Vice President, Business Development Telephone: +1.410.884.2900 Email: [email protected] Web: www.chesapeakeirb.com Ruth Boulter brings over 25 years of executive sales management experience to Chesapeake IRB. She is leading the organization’s sales and marketing efforts to provide targeted solutions to our global clients in pharma, biotech and CRO.
Prior to joining Chesapeake, Ms. Boulter served as Executive Director, Global Business Lead, CNS Research, InVentiv Health Clinical where she managed strategic global client relationships and provided sales training and development to the global sales team. Ms. Boulter has held responsible sales and marketing roles with Procter & Gamble, Baxter Healthcare, and leading global CROs – Quintiles, PharmaNet, and i3 Research. Ms. Boulter earned a BA in Communications from the Pennsylvania State University and has completed numerous professional sales and management training and development programs.
Human Connection >>> Technology Driven