Data Ownership and Security(RCR Week-5 Lecture)

Delia Y. Wolf, MD, JD, MSCIAssistant Dean, Regulatory Affairs & Research ComplianceDirector, Human Research AdministrationAssistant Professor, Health Policy and ManagementHarvard School of Public Health

Email: dywolf@hsph.harvard.edu

October 5, 2012

Finding of Research Misconduct There must be significant departure

from accepted practices of the relevant research community

The misconduct must have been committed intentionally, knowingly, or recklessly

The allegation must be proven by preponderance of the evidence

2

3

Topics to be Covered Data ownership

Data collection

Data protection

Data sharing

Data management

Data Ownership Bayh-Dole Act (Public Law: 96-517)

Sponsored by two senators, Birch Bayh of Indiana and Bob Dole of Kansas

Enacted by the United States Congress on December 12, 1980

Governing intellectual property arising from federal government-funded research

Allows for the transfer of exclusive control over many government funded inventions to universities and businesses for the purpose of further development and commercialization

4

Data Ownership (cont.) Sponsors/funders

Government Grants – the institution receives funds owns and

controls the data Contracts – government owns and controls the

data Private companies – usually seeks to retain

the right to the commercial use of data Charitable organization /foundations – retain

or give away ownership rights depending on their interests.

5

Data Ownership (cont.) Points to consider

Distinguish between grants and contracts Research institutions usually claims ownership

rights over data collected with support awarded to the institution

Be familiar with institutional policies Who owns the data I am collecting? What rights do I have to publish the data? Does collecting these data impose any obligations on

me? Do not enter into agreements without approval

from the institution

6

Ownership of Biological Materials Moore v. Regents of the University of California

Moore was treated for hairy cell leukemia by Dr. Golde at UCLA Medical Center from 1976 and 1983

Test results revealed that Moore’s cells would be useful for genetic research, but Golde did not inform Moore of his plans to use the cells for research

A cell line was established from Moore’s T-lymphocytes sometime before 1979

On January 6, 1983, UCLA applied for a patent on the cell line, listing Gold and Quan as inventors

USPO issued patent on March 20, 1984

7

Ownership of Biological Materials Moore v. Regents of the University of California

In 1983, Moore was given a consent form indicated “I (do, do not) voluntarily grant to the University of California all rights I, or my heirs, may have in any cell line or any other potential product which might be developed from the blood and/or bone marrow obtained from me”

Moore refused to sign the form and eventually turned over to an attorney, who the discovered the patent

After patent was issued in 1984,UCLA and Golde negotiated agreements with Genetic Institute for commercial development, Golde became a paid consultant and acquired 75,000 shares of stock

8

Ownership of Biological Materials Moore v. Regents of the University of California

Moore filed a lawsuit naming Golde, Quan, the Regents, Genetics Institute, and Sandoz Pharmaceuticals as defendants

Moore complaint stated thirteen causes of action, including conversion, lack of informed consent, breach of fiduciary duty and intentional infliction of emotional distress

The court found that Moore had no property rights to his discarded cells or any profits made from them

The court concluded that the researcher did have an obligation to obtain informed consent, and to disclose financial interested in the cells harvested from Moore

9

Ownership of Biological Materials Washington University v. Catalona

Dr. Catalona, highly respected urologist and urologic surgeon, as well as a well-established prostate cancer researcher at Washington University in St. Louis

While at WU, Dr. Catalona was instrumental in establishing the Biorepository for the collection and storage of biological research materials

More than 30,000 research participants enrolled in prostate cancer research

In 2003, Dr. Catalona left for Northwestern University and to continue his prostate cancer research

In February 2003, Dr. Catalona sent a “Medical consent & Authorization” form to about 60,000 research participants

10

Ownership of Biological Materials Washington University v. Catalona

About 6000 recipients signed the form and returned it to Dr. Catalona

The University sought a declaratory judgment that it owned the biological specimens

In March 2006, the District Court concluded that the University owned the research specimens. Dr. Catalona and the eight research participants appealed

The Court held that Wash. U “owns the biological materials and neither Dr. Catalona nor any contributing individual has any ownership or proprietary right in the disputed biological materials.”

11

DHHS Draft Guidance “All future research that uses your samples may

lead to the development of new products, you will not receive any payments for these new products.”

“By agreeing to this use, you are giving up all claims to any money obtained by the researchers from commercial or other use of these specimens.”

“I voluntarily and freely donate any and all blood, urine, and tissue samples to the [name of research institution] and hereby relinquish all property rights, title, and interests I may have in these samples.”

12

Data Collection Reliable methods Accuracy Authorization/Permission

IRB IACUC

Documentation Hard-copy data Electronic data

13

Data Protection Storage Record retention Confidentiality and information security

Data from non-Harvard sources Data use agreement (DUA) that states use limitations

and/or protection requirements Individual researchers do not have the authority to sign

DUA on behalf of the institution Data from Harvard sources

Five data/information security categories Legal requests – contact OGC Certificates of confidentiality

14

Information Security Categories Level 1: De-identified research information about

people and other non-confidential research information

Level 2: Benign information about individually identifiable people

Level 3: Sensitive information about individually identifiable people

Level 4: Very sensitive information about individually identifiable people

Level 5: Extremely sensitive information about individually identifiable people

15

Level 2 Information Individually identifiable information,

disclosure of which would not ordinarily be expected to result in material harm, but as to which a subject has been promised confidentiality

Example: Research participant in a study that was

exempt by the IRB16

Level 3 Information Individually identifiable information, if

disclosed, could reasonable be expected to be damaging to a person’s reputation or to cause embarrassment

Example: Student record

17

Level 4 Information Individually identifiable High Risk

Confidential Information that if disclosed, could reasonably be expected to present a non-minimal risk of civil liability, moderate psychological harm, or material social harm to individuals or groups

Example: Social security number Individual financial information Medical records

18

Level 5 Information Individually identifiable information that

could cause significant harm to an individual if exposed, including serious risk of criminal liability, serious psychological harm or other significant injury, loss of insurability or employability, or significant social harm to an individual or group

Example: Certain genetic information

19

Data Protection (cont.) Level 1: no specific University requirements Level 2: Password protection Level 3: Must not be directly accessible from the

Internet (i.e. email) unless the data is encrypted Level 4: servers must be located only in

physically secure facilities under University control

Level 5: information must be stored and used only in physically secured rooms controlled by University. No master keys are allowed

20

Certificates of Confidentiality Issued by the National Institutes of Health (NIH) Protect investigators and institutions from being

compelled to release information that could be used to identify research study participants

Allow the investigator and others who have access to research records to refuse to disclose identifying information in any civil criminal administrative legislative, or other proceeding, whether at the federal,

state, or local level21

Identifying Information Broadly defined Not just name, address, social

security number, etc. Includes any item or combination of

items that could lead directly or indirectly to the identification of a research participant

22

Eligibility For IRB-approved research collecting

identifying information If disclosure could have adverse

consequences for subjects or damage: financial standing employability insurability, or reputation

NIH or PHS funding not required 23

Examples Collecting genetic information Collecting information on psychological well-

being of subjects Collecting information on sexual attitudes,

preferences or practices Collecting data on substance abuse or other

illegal risk behaviors Studies where participants may be involved in

litigation related to exposures under study (e.g., breast implants, environmental or occupational exposures)

24

Requirements Must tell subjects that Certificate is in effect in

Informed Consent form Must provide fair and clear explanation of

Certificate’s protection, including limitations exceptions 

Must document IRB approval and IRB qualifications

Must provide a copy of the informed consent forms approved by the IRB

PI and Institutional Official must sign application25

Limitations and Exceptions Protects data maintained during any time the

Certificate is in effect Protects those data in perpetuity Does not protect against voluntary disclosure:

child abuse threat of harm to self or others reportable communicable diseases subject’s own disclosure

Must disclose information about subjects for DHHS audit or program evaluation or if required by the Federal Food, Drug, and Cosmetic Act

26

Assurances Agree to protect against compelled disclosure

and to support and defend the authority of the Certificate against legal challenges

Agree to comply with Federal regulations that protect human subjects

Agree to not represent Certificate as endorsement of project by DHHS or NIH or use to coerce participation

Agree to inform subjects about Certificate, its protections and limitations

27

An Important Caveat Certificates of Confidentiality do not obviate

the need for data security Data security is essential to the protection

of research participants’ privacy Researchers should safeguard research

data and findings.   Unauthorized individuals must not access

the research data or learn the identity of research participants

28

Data Sharing NIH believes all data should be considered

for data sharing “Data should be made as widely and freely

available as possible while safeguarding the privacy of participants, and protecting confidential and proprietary data

Data sharing plan required for applications requesting >$500,000/year from NIH

29

Data Management Data monitoring plan in each protocol Collected data should be open to scrutiny by

both investigators and the sponsor When possible, statistical analysis should be

conducted by an independent entity Stopping rule should be included in the

protocol Study results and data analysis should be

shared with the principal investigators as soon as they become available

30