
Ethical Conduct of Human Research

Dr Jeff Christiansen's presentation at eRA 2017 workshop on Research Integrity and Ethics in the Cloud


  1. Ethical Conduct of Human Research
     Risks to research participants
     Benefits to research participants and society
     Legislation protecting participants
     Mitigation of Risks to participants, researchers and infrastructure providers
     Jeff Christiansen
  2. Experience
     QCIF
     • Health and Life Sciences Program Manager
     • UQ, Griffith, other QLD Universities
     Intersect
     • med.data.edu.au National Manager
     • NSW Cancer Institute’s Biobanking Stakeholder Network
     • USyd, UoN, UNSW, WSU, Ingham Institute, Kid’s Research Institute, Kolling Institute, Children’s Medical Research Institute, Westmead Institute for Medical Research, Garvan Institute, NHMRC Clinical Trials Centre, Cancer Council NSW, Centenary Institute, Melanoma Institute, Children’s Cancer Institute
  3. Human Research
     National Statement on Ethical Conduct in Human Research (2007) (Updated May 2015)
     • Human research is conducted with or about people, or their data or tissue
       o taking part in surveys, interviews or focus groups;
       o undergoing psychological, physiological or medical testing or treatment;
       o being observed by researchers;
       o researchers having access to their personal documents or other materials;
       o the collection and use of their body organs, tissues or fluids or their exhaled breath;
       o access to their information as part of an existing published or unpublished source or database.
  4. Risks and Benefits
     • National Statement on Ethical Conduct in Human Research (2007) (Updated May 2015)
     • Risk: a potential for harm, discomfort or inconvenience. It involves:
       o the likelihood that a harm (or discomfort or inconvenience) will occur; and
       o the severity of the harm, including its consequences.
     • Harms:
       o physical harms: including injury, illness, pain;
       o psychological harms: including feelings of worthlessness, distress, guilt, anger or fear related, for example, to disclosure of sensitive or embarrassing information, or learning about a genetic possibility of developing an untreatable disease;
       o devaluation of personal worth: including being humiliated, manipulated or in other ways treated disrespectfully or unjustly;
       o social harms: including damage to social networks or relationships with others; discrimination in access to benefits, services, employment or insurance; social stigmatisation; and findings of previously unknown paternity status;
       o economic harms: including the imposition of direct or indirect costs on participants;
       o legal harms: including discovery and prosecution of criminal conduct.
  5. Risks and Benefits
     • National Statement on Ethical Conduct in Human Research (2007) (Updated May 2015)
     • Benefits: Research is ethically acceptable only when its potential benefits justify any risks involved in the research.
     • Who decides?
       o researchers, who need to identify, gauge, minimise and manage any risks involved in their project;
       o institutions, in deciding the appropriate level of ethical review for research projects;
       o Human Research Ethics Committees (HRECs) and other ethical review bodies in reviewing research proposals and making judgements on whether risks are justified by potential benefits;
       o participants, through their perceptions of the risks and benefits. These perceptions are a factor to be considered by review bodies in deciding whether the risks are justified by the benefits.
  6. Sensitive Information
     Information that could cause harm to an individual if used inappropriately
     • Cth Privacy Act (1988) regulates how personal information is handled in Australia
  7. Sensitive Information
     Cth Privacy Act (1988) definitions
     • Personal information … information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.
     • Sensitive information … information or an opinion about an individual’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual orientation or practices; criminal record that is also personal information; or … health information, genetic information or biometric information about an individual.
  8. Cth Privacy Act (1988)
     Schedule 1: Australian Privacy Principles
     • APP 1 — Open and transparent management of personal information
     • APP 2 — Anonymity and pseudonymity
     • APP 3 — Collection of solicited personal information
     • APP 4 — Dealing with unsolicited personal information
     • APP 5 — Notification of the collection of personal information
     • APP 6 — Use or disclosure of personal information
     • APP 7 — Direct marketing
     • APP 8 — Cross-border disclosure of personal information
     • APP 9 — Adoption, use or disclosure of government related identifiers
     • APP 10 — Quality of personal information
     • APP 11 — Security of personal information
     • APP 12 — Access to personal information
     • APP 13 — Correction of personal information
  9. Cth Privacy Act (1988)
     Use of personal/sensitive information in research
     • If an individual consents to the use of their personal/sensitive information for research purposes, the Privacy Act does not apply
  10. Consent
      National Statement on Ethical Conduct in Human Research (2007) (Updated May 2015)
      • In the research context, consent should be a voluntary choice, and should be “informed” – i.e. based on sufficient information and adequate understanding of both the proposed research and the implications of participation in it:
        o any alternatives to participation;
        o how the research will be monitored;
        o provision of services to participants adversely affected by the research;
        o contact details of a person to receive complaints;
        o contact details of the researchers;
        o how privacy and confidentiality will be protected;
        o the participant’s right to withdraw from further participation at any stage, along with any implications of withdrawal, and whether it will be possible to withdraw data;
        o the amounts and sources of funding for the research;
        o the likelihood and form of dissemination of the research results, including publication;
        o any expected benefits to the wider community;
  11. Cth Privacy Act (1988)
      If an individual does not consent, the use of personal and sensitive information may still be possible for the purposes of research. The Privacy Act s95 and s95A guidelines provide a framework for HRECs and researchers to weigh the public interest in the use of the health information for research against the individuals’ interest in privacy. The approving HREC holds responsibility for determining if information should be disclosed for research purposes.
      Privacy Act s95 guidelines (2014)
      • apply to the collection, use or disclosure of health information by Commonwealth agencies for research where it is impracticable to seek consent from the individual(s) involved
      Privacy Act s95A guidelines (2014)
      • apply to the collection, use or disclosure of health information by the private sector for research where it is impracticable to seek consent from the individual(s) involved.
      NOTE: s95 and s95A guidelines do not apply to State managed public health organisations, including public hospitals, arguably the richest source of health information.
  12. State and Territory Privacy Legislation
      Table columns, in order: Jurisdiction; Public Sector (including Public Health Organisation (PHO)s and State Health Agencies); Private Sector (Health); Private Sector (General). Entries for each jurisdiction are listed in the order they appear on the slide.
      • ACT: Information Privacy Act 2014 (ACT) (ACT Public Sector Agencies); Health Records (Privacy and Access) Act 1997; Privacy Act 1988 (Clth); Health Records (Privacy and Access) Act 1997; Privacy Act 1988 (Clth)
      • NSW: Privacy and Personal information Protection Act 1998; Health Records and Information Privacy Act 2002 - Health records held by NSW Government agencies (including public hospitals); Privacy Act 1988 (Clth); Privacy Act 1988 (Clth)
      • NT: Note: no health specific privacy legislation; Information Act (2002) (NT) – Applies to NT Government Organisations including PHOs; Privacy Act 1988 (Clth); Privacy Act 1988 (Clth)
      • QLD: Note: no health specific privacy legislation; Information Privacy Act 2009 (Qld); Information Standards 42 (general) & 42A (health); Public Health Act 2005 Chapter 6, Part 4, Division 2, s281 – s284 (access to confidential information held by QLD Health); Privacy Act 1988 (Clth); Privacy Act 1988 (Clth)
      • SA: There is no legislation that specifically addresses privacy in South Australia. The South Australian Department of the Premier and Cabinet, however, has issued an administrative instruction requiring its government agencies to comply with a set of Information Privacy Principles (IPPs) based on the IPPs in the Commonwealth Privacy Act; Privacy Act 1988 (Clth); Privacy Act 1988 (Clth)
      • TAS: Note: no health specific privacy legislation; Personal Information and Protection Act 2004 (Tas) applies to the Tasmanian Public Sector, including the University of Tasmania; Privacy Act 1988 (Clth); Privacy Act 1988 (Clth)
      • VIC: Privacy and Data Protection Act 2014; Health Records Act 2001 (Vic); Privacy Act 1988 (Clth); Privacy Act 1988 (Clth)
      • WA: There is no legislation that specifically addresses privacy in Western Australia; Privacy Act 1988 (Clth); Confidentiality of Health Information Committee; Privacy Act 1988 (Clth)
  13. How can risks be reduced for research participants?
      1. Removing the identifiability of individual research participants
      2. Using an appropriately robust Information Security Framework
         • Information Governance
           o Information Security Policy
           o Clearly defined Roles and Responsibilities
         • Observing appropriate technical security set-up
           o Encryption
           o User Identity Management
           o Authentication
           o Access Control
           o Secure Audit
           o General IT Security
           o etc
  14. Identifiability
      National Statement on Ethical Conduct in Human Research (2007) (Updated May 2015)
      • three levels of data identifiability:
        1. INDIVIDUALLY IDENTIFIABLE - data from which the identity of a specific individual can reasonably be ascertained (e.g. a name, image, date of birth, global identifier or address).
        2. RE-IDENTIFIABLE - data where identifiers have been removed and replaced by a code, but it remains possible to re-identify a specific individual by, for example, using the code or linking different data sets.
        3. NON-IDENTIFIABLE - data that have never been labelled with individual identifiers or from which identifiers have been permanently removed, and by means of which no specific individual can be identified. A subset of non-identifiable data are those that can be linked with other data so it can be known that they are about the same data subject, although the person’s identity remains unknown.
  15. Confidentialisation
      Guidelines for the Disclosure of Secondary Use Health Information for Statistical Reporting, Research and Analysis 2015, National Statistical Service Statistical Information Management Committee
      • For item level information: removal of identifiers and identifying information
      • Aggregation of data into groupings (e.g. the number of people with disease X in geographical area Y or age group Z).
      Note that if this latter approach is used, Data Custodians must bear in mind that in small populations (e.g. patients with a rare condition) they are responsible for minimising the risk of identification and attribute disclosure within these datasets using principles of data minimisation, and address concerns of small denominator populations by: removing and/or modifying personal identifiers, encryption, aggregation of dates, aggregation of variables - age groups, diagnosis related groups, geographic area indicators.
  16. Information Security Frameworks
      • All help identify the risks to important information and put in place the appropriate controls to help reduce the risk. e.g.
        o ISO/IEC 27001:2013 + 27000 series
        o Cth Gov: ASD ISM
        o QLD Gov: IS18
  17. Information Security Frameworks
      • Requires commitment and involvement from leadership team.
      • Top management are responsible for the system’s effectiveness and for making sure the whole organisation understands how they contribute to the Information Security Management System (ISMS).
      • Creation of a culture whereby the importance of information security is promoted and embraced avoids confusion and provides clarity for all.
      • Clear roles and responsibilities (within a CSP organisation and tenants, others)
      • Identification and management of risks
      • Evaluation of the effectiveness of the controls put in place to manage the risks and making sure they are proportionate to the potential impact on a business.
      • Australian standard for technical controls: ASD ISM
  18. Information Security Frameworks
      • Certification to a standard by an Accredited Assessor is possible. e.g.
        o ASD/iRAP certification for Cloud Service Providers
        o ISO27000 series certification
      • Major research infrastructure for human research does not require certification (e.g. PHRN), but does require a robust Information Security Management System.
      • Without certification, demonstrating security maturity and garnering trust with research partners is more difficult for infrastructure providers.
  20. Summary
      • Human Research carries a level of risk for research participants
      • Conducting Human Research Legally and Ethically requires the minimisation of risk
      • Minimising Risk in Human Research is a joint responsibility
        o Research Participants
        o Researchers
        o Institutions
        o Human Research Ethics Committees
        o Data Custodians
        o Research Collaborators
        o Infrastructure providers
      • Risk Management Frameworks can be used to manage the risks and make sure they are proportionate to the potential impacts
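
The confidentialisation steps on slide 15 (removing identifiers, aggregating dates into age groups and locations into area indicators, and guarding small populations) can be sketched as follows. This is an added example, not material from the presentation; the field names, the reference date, the postcode coarsening and the minimum cell size of 5 are assumptions, since the slides give no threshold.

```python
from collections import Counter
from datetime import date

MIN_CELL = 5                      # assumed threshold; the slides give no number
AS_AT = date(2017, 1, 1)          # assumed reference date for computing age

# Constructed item-level records (not real data).
RECORDS = [
    {"name": f"Person {i}", "dob": date(1950 + i, 6, 15),
     "postcode": f"40{i:02d}", "diagnosis": "X"}
    for i in range(6)
] + [
    {"name": "Person 6", "dob": date(1988, 1, 9),
     "postcode": "4870", "diagnosis": "rare-Y"},
]

def age_band(dob, as_at=AS_AT, width=10):
    """Aggregate a date of birth into an age group such as '60-69'."""
    age = as_at.year - dob.year - ((as_at.month, as_at.day) < (dob.month, dob.day))
    low = age // width * width
    return f"{low}-{low + width - 1}"

def area_indicator(postcode):
    """Replace a postcode with a coarse geographic indicator, e.g. '4xxx'."""
    return postcode[0] + "xxx"

def confidentialise(records, min_cell=MIN_CELL):
    """Count records per (area, age group, diagnosis); suppress small cells.

    Names, dates of birth and full postcodes never reach the output.
    A suppressed cell is reported as None rather than its true count.
    """
    cells = Counter(
        (area_indicator(r["postcode"]), age_band(r["dob"]), r["diagnosis"])
        for r in records
    )
    return {key: (n if n >= min_cell else None) for key, n in cells.items()}

if __name__ == "__main__":
    for key, n in sorted(confidentialise(RECORDS).items()):
        print(key, "suppressed" if n is None else n)
```

If a grand total is released alongside the table, a single suppressed cell can be recovered by subtraction, so totals need the same treatment as the cells.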
