Data Ownership and Security (RCR Week-3 Lecture)

1
Data Ownership and Security(RCR Week-3 Lecture)

• Delia Y. Wolf, MD, JD, MSCI
• Associate Dean,
• Regulatory Affairs Research Compliance
• Harvard School of Public Health
• Email dywolf_at_hsph.harvard.edu
• February 14, 2014

2
Case 1

• For his dissertation project in psychology,
  Antonio is studying new approaches to strengthen
  memory. He can apply these techniques to create
  interactive Web-based instructional modules. He
  plans to test these modules with students in a
  general psychology course, for which he is a
  teaching assistant. He expects that student
  volunteers who use the modules will subsequently
  perform better on examinations than other
  students. He hopes to publish the results in a
  conference proceeding on research in learning,
  because he plans to apply for an academic
  position after he completes the doctorate.
• Should Antonio seek IRB approval for his project?
  (Hint what are the two questions you would ask
  in order to determine whether IRB approval is
  necessary?)
• If the answer to question 1 is yes, what type of
  IRB review would be appropriate?
• Can this protocol be exempted? Why or why not?
• Do student volunteers need to give formal
  informed consent? If so, what information needs
  to be included in the consent document?

3
Case 2

• Two weeks into the new semester, the Professor in
  Marys course on Family Health gives the class a
  special assignment that was not on the course
  syllabus. Over the next week, everyone in the
  class is to talk with three classmates, who are
  not in the course, about the way their families
  deal with medical emergencies and chronic
  illness. Next week they should come to class
  prepared to report on their interviews. The
  Professor will then gather information collected
  by all the students and may write a paper on the
  topic. The Professor indicates in order to
  protect classmates privacy no names should be
  mentioned during discussion.
• The assignment makes Mary uneasy. In her
  Responsible Conduct of Research (RCR) course last
  semester, she learned about regulations
  pertaining to the use of human participants in
  research. Mary believes that the assignment
  should be reviewed by the IRB.
• When Mary raises her concerns with the Professor,
  the Professor assures her that her informal
  conversations with classmates are not research
  and therefore not subject to any regulations.
  When Mary reminds him that his potential
  publication may contribute to generalizable
  knowledge, his response is that even if this
  assignment meets the definition of research, it
  can be exempt because no names will be recorded,
  and therefore, no IRB review is necessary.
• Is the Professors last statement correct?
• Is this course assignment research?
• If IRB review is required, should each student
  submit an application to the IRB? Why or why not?
  
• Can this course assignment be exempt? If so,
  under which category? If not, will it meet one of
  the categories for expedited review?

4
Topics to be Covered

• Data ownership
• Data collection
• Data protection
• Data sharing
• Data management

5
Data Ownership

• Bayh-Dole Act (Public Law 96-517)
• Sponsored by two senators, Birch Bayh of Indiana
  and Bob Dole of Kansas
• Enacted by the United States Congress on December
  12, 1980
• Governing intellectual property arising from
  federal government-funded research
• Allows for the transfer of exclusive control over
  many government funded inventions to universities
  and businesses for the purpose of further
  development and commercialization

6
Data Ownership (cont.)

• Sponsors/funders
• Government
• Grants the institution receives funds owns and
  controls the data
• Contracts government owns and controls the
  data
• Private companies usually seeks to retain the
  right to the commercial use of data
• Charitable organization /foundations retain or
  give away ownership rights depending on their
  interests.

6
7
Data Ownership (cont.)

• Points to consider
• Distinguish between grants and contracts
• Research institutions usually claims ownership
  rights over data collected with support awarded
  to the institution
• Be familiar with institutional policies
• Who owns the data I am collecting?
• What rights do I have to publish the data?
• Does collecting these data impose any obligations
  on me?
• Do not enter into agreements without approval
  from the institution

7
8
Ownership of Biological Materials

• Moore v. Regents of the University of California
• Moore was treated for hairy cell leukemia by Dr.
  Golde at UCLA Medical Center from 1976 and 1983
• Test results revealed that Moores cells would be
  useful for genetic research, but Golde did not
  inform Moore of his plans to use the cells for
  research
• A cell line was established from Moores
  T-lymphocytes sometime before 1979
• On January 6, 1983, UCLA applied for a patent on
  the cell line, listing Gold and Quan as inventors
• USPO issued patent on March 20, 1984

8
9
Ownership of Biological Materials

• Moore v. Regents of the University of California
• In 1983, Moore was given a consent form indicated
  I (do, do not) voluntarily grant to the
  University of California all rights I, or my
  heirs, may have in any cell line or any other
  potential product which might be developed from
  the blood and/or bone marrow obtained from me
• Moore refused to sign the form and eventually
  turned over to an attorney, who the discovered
  the patent
• After patent was issued in 1984,UCLA and Golde
  negotiated agreements with Genetic Institute for
  commercial development, Golde became a paid
  consultant and acquired 75,000 shares of stock

9
10
Ownership of Biological Materials

• Moore v. Regents of the University of California
• Moore filed a lawsuit naming Golde, Quan, the
  Regents, Genetics Institute, and Sandoz
  Pharmaceuticals as defendants
• Moore complaint stated thirteen causes of action,
  including conversion, lack of informed consent,
  breach of fiduciary duty and intentional
  infliction of emotional distress
• The court found that Moore had no property rights
  to his discarded cells or any profits made from
  them
• The court concluded that the researcher did have
  an obligation to obtain informed consent, and to
  disclose financial interested in the cells
  harvested from Moore

10
11
Ownership of Biological Materials

• Washington University v. Catalona
• Dr. Catalona, highly respected urologist and
  urologic surgeon, as well as a well-established
  prostate cancer researcher at Washington
  University in St. Louis
• While at WU, Dr. Catalona was instrumental in
  establishing the Biorepository for the collection
  and storage of biological research materials
• More than 30,000 research participants enrolled
  in prostate cancer research
• In 2003, Dr. Catalona left for Northwestern
  University and to continue his prostate cancer
  research
• In February 2003, Dr. Catalona sent a Medical
  consent Authorization form to about 60,000
  research participants

11
12
Ownership of Biological Materials

• Washington University v. Catalona
• About 6000 recipients signed the form and
  returned it to Dr. Catalona
• The University sought a declaratory judgment that
  it owned the biological specimens
• In March 2006, the District Court concluded that
  the University owned the research specimens. Dr.
  Catalona and the eight research participants
  appealed
• The Court held that Wash. U owns the biological
  materials and neither Dr. Catalona nor any
  contributing individual has any ownership or
  proprietary right in the disputed biological
  materials.

12
13
DHHS Draft Guidance

• All future research that uses your samples may
  lead to the development of new products, you will
  not receive any payments for these new products.
• By agreeing to this use, you are giving up all
  claims to any money obtained by the researchers
  from commercial or other use of these specimens.
• I voluntarily and freely donate any and all
  blood, urine, and tissue samples to the name of
  research institution and hereby relinquish all
  property rights, title, and interests I may have
  in these samples.

13
14
Data Collection

• Reliable methods
• Accuracy
• Authorization/Permission
• IRB
• IACUC
• Documentation
• Hard-copy data
• Electronic data

14
15
Data Protection

• Storage
• Record retention
• Confidentiality and information security
• Data from non-Harvard sources
• Data use agreement (DUA) that states use
  limitations and/or protection requirements
• Individual researchers do not have the authority
  to sign DUA on behalf of the institution
• Data from Harvard sources
• Five data/information security categories
• Legal requests contact OGC
• Certificates of confidentiality

15
16
Information Security Categories

• Level 1 De-identified research information about
  people and other non-confidential research
  information
• Level 2 Benign information about individually
  identifiable people
• Level 3 Sensitive information about individually
  identifiable people
• Level 4 Very sensitive information about
  individually identifiable people
• Level 5 Extremely sensitive information about
  individually identifiable people

16
17
Level 2 Information

• Individually identifiable information, disclosure
  of which would not ordinarily be expected to
  result in material harm, but as to which a
  subject has been promised confidentiality
• Example
• Research participant in a study that was exempt
  by the IRB

18
Level 3 Information

• Individually identifiable information, if
  disclosed, could reasonable be expected to be
  damaging to a persons reputation or to cause
  embarrassment
• Example
• Student record

19
Level 4 Information

• Individually identifiable High Risk Confidential
  Information that if disclosed, could reasonably
  be expected to present a non-minimal risk of
  civil liability, moderate psychological harm, or
  material social harm to individuals or groups
• Example
• Social security number
• Individual financial information
• Medical records

20
Level 5 Information

• Individually identifiable information that could
  cause significant harm to an individual if
  exposed, including serious risk of criminal
  liability, serious psychological harm or other
  significant injury, loss of insurability or
  employability, or significant social harm to an
  individual or group
• Example
• Certain genetic information
• Criminal record

21
Data Protection (cont.)

• Level 1 no specific University requirements
• Level 2 Password protection
• Level 3 Must not be directly accessible from the
  Internet (i.e. email) unless the data is
  encrypted
• Level 4 servers must be located only in
  physically secure facilities under University
  control
• Level 5 information must be stored and used only
  in physically secured rooms controlled by
  University. No master keys are allowed

21
22
Certificates of Confidentiality

• Issued by the National Institutes of Health (NIH)
• Protect investigators and institutions from being
  compelled to release information that could be
  used to identify research study participants
• Allow the investigator and others who have access
  to research records to refuse to disclose
  identifying information in any
• civil
• criminal
• administrative
• legislative, or other proceeding, whether at the
  federal, state, or local level

23
Identifying Information

• Broadly defined
• Not just name, address, social security number,
  etc.
• Includes any item or combination of items that
  could lead directly or indirectly to the
  identification of a research participant

24
Eligibility

• For IRB-approved research collecting identifying
  information
• If disclosure could have adverse consequences for
  subjects or damage
• financial standing
• employability
• insurability, or
• reputation
• NIH or PHS funding not required

25
Examples

• Collecting genetic information
• Collecting information on psychological
  well-being of subjects
• Collecting information on sexual attitudes,
  preferences or practices
• Collecting data on substance abuse or other
  illegal risk behaviors
• Studies where participants may be involved in
  litigation related to exposures under study
  (e.g., breast implants, environmental or
  occupational exposures)

26
Requirements

• Must tell subjects that Certificate is in effect
  in Informed Consent form
• Must provide fair and clear explanation of
  Certificates protection, including
• limitations
• exceptions 
• Must document IRB approval and IRB qualifications
• Must provide a copy of the informed consent forms
  approved by the IRB
• PI and Institutional Official must sign
  application

27
Limitations and Exceptions

• Protects data maintained during any time the
  Certificate is in effect
• Protects those data in perpetuity
• Does not protect against voluntary disclosure
• child abuse
• threat of harm to self or others
• reportable communicable diseases
• subjects own disclosure
• Must disclose information about subjects for DHHS
  audit or program evaluation or if required by the
  Federal Food, Drug, and Cosmetic Act

28
Assurances

• Agree to protect against compelled disclosure and
  to support and defend the authority of the
  Certificate against legal challenges
• Agree to comply with Federal regulations that
  protect human subjects
• Agree to not represent Certificate as endorsement
  of project by DHHS or NIH or use to coerce
  participation
• Agree to inform subjects about Certificate, its
  protections and limitations

29
An Important Caveat

• Certificates of Confidentiality do not obviate
  the need for data security
• Data security is essential to the protection of
  research participants privacy
• Researchers should safeguard research data and
  findings.  
• Unauthorized individuals must not access the
  research data or learn the identity of research
  participants

30
Data Sharing

• NIH believes all data should be considered for
  data sharing
• Data should be made as widely and freely
  available as possible while safeguarding the
  privacy of participants, and protecting
  confidential and proprietary data
• Data sharing plan required for applications
  requesting gt500,000/year from NIH

30
31
Data Management

• Data monitoring plan in each protocol
• Collected data should be open to scrutiny by both
  investigators and the sponsor
• When possible, statistical analysis should be
  conducted by an independent entity
• Stopping rule should be included in the protocol
• Study results and data analysis should be shared
  with the principal investigators as soon as they
  become available