A slide deck in answer to the question: If funders require their awardees to share data, will they be placing them in an untenable position with their IRBs? Presented Dec. 6, 2016, at Funders' Forum co-sponsored by the Center for Open Science and the Health Research Alliance (https://cos.io/decemberforum2016/#overview).
1. Michelle N. Meyer, PhD JD
Assistant Professor
Associate Director, Research Ethics
Center for Translational Bioethics & Health Care Policy
Geisinger Health System
www.michellenmeyer.com
IRBS, ETHICS
& DATA
SHARING
3. Federal “Common Rule”
• Federally conducted or funded human subjects research
(HSR)
• HSR conducted at institution that “checked the box” on
its FWA
• HSR conducted at institution w/policy of subjecting all
HSR to IRB review
6. Tell awardees to stop promising to
destroy data
“After the study is
completed, videotapes will
be destroyed personally by
the investigator with a
sledgehammer.”
7. Tell awardees to stop promising not to
share
“Only our research
team will see your
data.”
8. Tell awardees to stop promising not to
share
“Your data will only
be shared with
competent
researchers.”
9. Tell awardees to tell participants data is
shared
Informed consent
• What is an archive/data repository?
• Why is it important to share data?
• With whom will data be shared?
• How will data be protected?
• How might my data be used?
• Broad consent
• How do I know my data will be used ethically?
• Do I have a choice in whether my data is shared?
• No: Participation is voluntary; sharing is not
• Yes: Tiered sharing
12. IRB-Approved Consent Language
DATA: Data are stored electronically. Your name is not
stored with your data, but kept in a separate log file. The
data will be archived in a publically accessible electronic
repository at GitHub (github.com). Researchers will have
access to your data though always on an anonymous
basis, that is, without your name or any identifying
markers attached to it.
Researcher: Jeff Rouder
Institution: University of Missouri
15. Successful IRB Application Language
Researcher: Sean Murphy
Institution: University of Melbourne
Source: http://bit.ly/2g5iYWV (Github)
16. Remaining concerns: No consent to
shareConsent is silent.
Secretary’s Advisory Committee on Human Research
Protections (SACHRP) considerations (July 20, 2011)*:
• Could the secondary research reasonably be understood to fall
w/in scope of original research as described in consent?
• Does the secondary research impose new or significantly greater
risks (including privacy risks) not described in the initial consent?
• Are there known concerns of the study population(s) about the
proposed new use?
Consent promises not to share
• Tough, but sometimes okay (and not Common Rule violation!)
* http://bit.ly/2h2b68g (see Part III, FAQ #3 & Part II.I)
17. Successful IRB Study Amendment Language
Researcher: Jessie Sun
Institution: University of Melbourne
Source: http://bit.ly/2gfm4pJ (Dropbox)
18. Remaining concerns: True consent
impossible
Claim:
Broad consent to unknown future
uses of research data can never
be truly informed consent
20. Governor Weld (1997)
Sweeney, L. k-anonymity: a model for protecting privacy. International Journal on Uncertainty, Fuzziness
and Knowledge-based Systems, 10 (5), 2002; 557- 570.
Barth-Jones, DC ., The 'Re-Identification' of Governor William Weld's Medical Information: A Critical Re-
Examination of Health Data Identification Risks and Privacy Protections, Then and Now (July 2012),
http://ssrn.com/abstract=2076397
29. • Don’t promise or guarantee anonymity
• But recognize that risk of re-identification is often hyped
• Properly executed HIPAA de-identification is quite useful
Remaining concerns: Re-
identification risk
30. Governor Weld (1997)
Estimated odds of being re-
identified on basis of:
DOB, 5-digit zip, sex: 87%
(Sweeney, theoretical estimate)
HIPAA safe harbor
Year of birth, 3-digit zip, sex: .04%
(Sweeney, 2007 NCVHS testimony)
31. • Don’t promise or guarantee anonymity
• But recognize that risk of re-identification is often hyped
• Properly executed HIPAA de-identification is quite useful
• Risk = magnitude x probability, including not only technical ability
but also incentives (see Brad Malin’s game theoretical analysis)
• And recognize that our data aren’t as revealing about us
as we sometimes thing
Remaining concerns: Re-
identification risk
34. Arguably, data sharing isn’t the IRB’s
business
Data sharing isn’t “research”
“Research means a systematic investigation, including
research development, testing and evaluation, designed to
develop or contribute to generalizable knowledge.”
— 45 CFR 46.102(d)
35. Arguably, data sharing isn’t the IRB’s
business
Secondary research w/“non-identifiable”
data doesn’t involve “human subjects”
Human subject means a living individual about whom an
investigator…obtains
(1) Data through intervention or interaction with the individual, or
(2) Identifiable private information.
“identity of the subject is or may readily be ascertained by the
investigator or associated with the information”
“information about behavior that occurs in a context in which an
individual can reasonably expect that no observation or recording is
taking place, & information which has been provided for specific
purposes by an individual & which the individual can reasonably expect
will not be made public (e.g., medical record)”
— 45 CFR 46.102(f)
36. Arguably, data sharing isn’t the IRB’s
business
Breaking consent promises to participants
isn’t a Common Rule violation (!)
Because non-identifiable data don’t involve
“human subjects”
Secretary’s Advisory Committee on Human Research Protections (SACHRP), July 20,
2011, ttp://bit.ly/2h2b68g