
Data Ownership and Security (RCR Week-5 Lecture)

Data Ownership and Security (RCR Week-5 Lecture). Delia Y. Wolf, MD, JD, MSCI Assistant Dean, Regulatory Affairs & Research Compliance Director, Human Research Administration Assistant Professor, Health Policy and Management Harvard School of Public Health Email: dywolf@hsph.harvard.edu


Presentation Transcript


  1. Data Ownership and Security (RCR Week-5 Lecture)
     Delia Y. Wolf, MD, JD, MSCI
     Assistant Dean, Regulatory Affairs & Research Compliance
     Director, Human Research Administration
     Assistant Professor, Health Policy and Management
     Harvard School of Public Health
     Email: dywolf@hsph.harvard.edu
     October 5, 2012

  2. Finding of Research Misconduct
     • There must be significant departure from accepted practices of the relevant research community
     • The misconduct must have been committed intentionally, knowingly, or recklessly
     • The allegation must be proven by preponderance of the evidence

  3. Topics to be Covered
     • Data ownership
     • Data collection
     • Data protection
     • Data sharing
     • Data management

  4. Data Ownership
     • Bayh-Dole Act (Public Law: 96-517)
       • Sponsored by two senators, Birch Bayh of Indiana and Bob Dole of Kansas
       • Enacted by the United States Congress on December 12, 1980
       • Governing intellectual property arising from federal government-funded research
       • Allows for the transfer of exclusive control over many government-funded inventions to universities and businesses for the purpose of further development and commercialization

  5. Data Ownership (cont.)
     • Sponsors/funders
       • Government
         • Grants – the institution that receives the funds owns and controls the data
         • Contracts – government owns and controls the data
       • Private companies – usually seek to retain the right to the commercial use of data
       • Charitable organizations/foundations – retain or give away ownership rights depending on their interests

  6. Data Ownership (cont.)
     • Points to consider
       • Distinguish between grants and contracts
       • Research institutions usually claim ownership rights over data collected with support awarded to the institution
       • Be familiar with institutional policies
       • Who owns the data I am collecting?
       • What rights do I have to publish the data?
       • Does collecting these data impose any obligations on me?
       • Do not enter into agreements without approval from the institution

  7. Ownership of Biological Materials
     • Moore v. Regents of the University of California
       • Moore was treated for hairy cell leukemia by Dr. Golde at UCLA Medical Center from 1976 to 1983
       • Test results revealed that Moore’s cells would be useful for genetic research, but Golde did not inform Moore of his plans to use the cells for research
       • A cell line was established from Moore’s T-lymphocytes sometime before 1979
       • On January 6, 1983, UCLA applied for a patent on the cell line, listing Golde and Quan as inventors
       • USPO issued the patent on March 20, 1984

  8. Ownership of Biological Materials
     • Moore v. Regents of the University of California
       • In 1983, Moore was given a consent form that stated “I (do, do not) voluntarily grant to the University of California all rights I, or my heirs, may have in any cell line or any other potential product which might be developed from the blood and/or bone marrow obtained from me”
       • Moore refused to sign the form and eventually turned it over to an attorney, who then discovered the patent
       • After the patent was issued in 1984, UCLA and Golde negotiated agreements with Genetics Institute for commercial development; Golde became a paid consultant and acquired 75,000 shares of stock

  9. Ownership of Biological Materials
     • Moore v. Regents of the University of California
       • Moore filed a lawsuit naming Golde, Quan, the Regents, Genetics Institute, and Sandoz Pharmaceuticals as defendants
       • Moore’s complaint stated thirteen causes of action, including conversion, lack of informed consent, breach of fiduciary duty and intentional infliction of emotional distress
       • The court found that Moore had no property rights to his discarded cells or any profits made from them
       • The court concluded that the researcher did have an obligation to obtain informed consent, and to disclose financial interests in the cells harvested from Moore

  10. Ownership of Biological Materials
     • Washington University v. Catalona
       • Dr. Catalona was a highly respected urologist and urologic surgeon, as well as a well-established prostate cancer researcher at Washington University in St. Louis
       • While at WU, Dr. Catalona was instrumental in establishing the Biorepository for the collection and storage of biological research materials
       • More than 30,000 research participants enrolled in prostate cancer research
       • In 2003, Dr. Catalona left for Northwestern University to continue his prostate cancer research
       • In February 2003, Dr. Catalona sent a “Medical consent & Authorization” form to about 60,000 research participants

  11. Ownership of Biological Materials
     • Washington University v. Catalona
       • About 6000 recipients signed the form and returned it to Dr. Catalona
       • The University sought a declaratory judgment that it owned the biological specimens
       • In March 2006, the District Court concluded that the University owned the research specimens. Dr. Catalona and the eight research participants appealed
       • The Court held that Wash. U “owns the biological materials and neither Dr. Catalona nor any contributing individual has any ownership or proprietary right in the disputed biological materials.”

  12. DHHS Draft Guidance
     • “All future research that uses your samples may lead to the development of new products, you will not receive any payments for these new products.”
     • “By agreeing to this use, you are giving up all claims to any money obtained by the researchers from commercial or other use of these specimens.”
     • “I voluntarily and freely donate any and all blood, urine, and tissue samples to the [name of research institution] and hereby relinquish all property rights, title, and interests I may have in these samples.”

  13. Data Collection
     • Reliable methods
     • Accuracy
     • Authorization/Permission
       • IRB
       • IACUC
     • Documentation
       • Hard-copy data
       • Electronic data

  14. Data Protection
     • Storage
     • Record retention
     • Confidentiality and information security
     • Data from non-Harvard sources
       • Data use agreement (DUA) that states use limitations and/or protection requirements
       • Individual researchers do not have the authority to sign DUA on behalf of the institution
     • Data from Harvard sources
       • Five data/information security categories
     • Legal requests – contact OGC
     • Certificates of confidentiality

  15. Information Security Categories
     • Level 1: De-identified research information about people and other non-confidential research information
     • Level 2: Benign information about individually identifiable people
     • Level 3: Sensitive information about individually identifiable people
     • Level 4: Very sensitive information about individually identifiable people
     • Level 5: Extremely sensitive information about individually identifiable people

  16. Level 2 Information
     • Individually identifiable information, disclosure of which would not ordinarily be expected to result in material harm, but as to which a subject has been promised confidentiality
     • Example:
       • Research participant in a study that was exempt by the IRB

  17. Level 3 Information
     • Individually identifiable information that, if disclosed, could reasonably be expected to be damaging to a person’s reputation or to cause embarrassment
     • Example:
       • Student record

  18. Level 4 Information
     • Individually identifiable High Risk Confidential Information that, if disclosed, could reasonably be expected to present a non-minimal risk of civil liability, moderate psychological harm, or material social harm to individuals or groups
     • Example:
       • Social security number
       • Individual financial information
       • Medical records

  19. Level 5 Information
     • Individually identifiable information that could cause significant harm to an individual if exposed, including serious risk of criminal liability, serious psychological harm or other significant injury, loss of insurability or employability, or significant social harm to an individual or group
     • Example:
       • Certain genetic information

  20. Data Protection (cont.)
     • Level 1: No specific University requirements
     • Level 2: Password protection
     • Level 3: Must not be directly accessible from the Internet (i.e. email) unless the data is encrypted
     • Level 4: Servers must be located only in physically secure facilities under University control
     • Level 5: Information must be stored and used only in physically secured rooms controlled by University. No master keys are allowed

  21. Certificates of Confidentiality
     • Issued by the National Institutes of Health (NIH)
     • Protect investigators and institutions from being compelled to release information that could be used to identify research study participants
     • Allow the investigator and others who have access to research records to refuse to disclose identifying information in any civil, criminal, administrative, legislative, or other proceeding, whether at the federal, state, or local level

  22. Identifying Information
     • Broadly defined
     • Not just name, address, social security number, etc.
     • Includes any item or combination of items that could lead directly or indirectly to the identification of a research participant

  23. Eligibility
     • For IRB-approved research collecting identifying information
     • If disclosure could have adverse consequences for subjects or damage:
       • financial standing
       • employability
       • insurability, or
       • reputation
     • NIH or PHS funding not required

  24. Examples
     • Collecting genetic information
     • Collecting information on psychological well-being of subjects
     • Collecting information on sexual attitudes, preferences or practices
     • Collecting data on substance abuse or other illegal risk behaviors
     • Studies where participants may be involved in litigation related to exposures under study (e.g., breast implants, environmental or occupational exposures)

  25. Requirements
     • Must tell subjects that Certificate is in effect in Informed Consent form
     • Must provide fair and clear explanation of Certificate’s protection, including
       • limitations
       • exceptions
     • Must document IRB approval and IRB qualifications
     • Must provide a copy of the informed consent forms approved by the IRB
     • PI and Institutional Official must sign application

  26. Limitations and Exceptions
     • Protects data maintained during any time the Certificate is in effect
     • Protects those data in perpetuity
     • Does not protect against voluntary disclosure:
       • child abuse
       • threat of harm to self or others
       • reportable communicable diseases
       • subject’s own disclosure
     • Must disclose information about subjects for DHHS audit or program evaluation or if required by the Federal Food, Drug, and Cosmetic Act

  27. Assurances
     • Agree to protect against compelled disclosure and to support and defend the authority of the Certificate against legal challenges
     • Agree to comply with Federal regulations that protect human subjects
     • Agree to not represent Certificate as endorsement of project by DHHS or NIH or use to coerce participation
     • Agree to inform subjects about Certificate, its protections and limitations

  28. An Important Caveat
     • Certificates of Confidentiality do not obviate the need for data security
     • Data security is essential to the protection of research participants’ privacy
     • Researchers should safeguard research data and findings
     • Unauthorized individuals must not access the research data or learn the identity of research participants

  29. Data Sharing
     • NIH believes all data should be considered for data sharing
     • “Data should be made as widely and freely available as possible while safeguarding the privacy of participants, and protecting confidential and proprietary data”
     • Data sharing plan required for applications requesting >$500,000/year from NIH

  30. Data Management
     • Data monitoring plan in each protocol
     • Collected data should be open to scrutiny by both investigators and the sponsor
     • When possible, statistical analysis should be conducted by an independent entity
     • Stopping rule should be included in the protocol
     • Study results and data analysis should be shared with the principal investigators as soon as they become available
