Overview of Data Privacy and Security

Updated: December 4, 2018


This section contains a variety of types of information about relevant regulations and guidance for implementing studies using human subjects, human data and/or human specimens. Given the evolving conditions and rules surrounding studies using genetic and genomic datasets, we aim to provide an up-to-date resource about the current state of the field relating to consenting, privacy, and data management. However, as this field is changing rapidly, if there are changes not reflected here, please email sciwiki to highlight issues for additional review.

The Fred Hutch Policy on IRB Review of Genomic Data Sharing Policies can be found here. This policy provides an overview of Fred Hutch requirements and the pathways for submitting proposals that include genomic data for review.

Consenting and the IRB

Informed consent is a cornerstone of the ethical conduct of research involving humans. A goal of informed consent is to ensure that subjects are aware of the risks and potential benefits of proposed research and can make an informed and voluntary decision about participating in a research study. Unlike the risks presented by many biomedical research protocols considered by IRBs, the risks involved with genetic information can reach beyond the boundary of physical injury, and also include risks of social and psychological harm. This section highlights some of the issues specific to consenting and human specimen/genomics research, and the resources available to address them.

Data Privacy and Security

Every effort must be made to protect the identity of participants when human subjects, specimens or data are involved in a research project. In most instances, sharing data should be possible without compromising the confidentiality of participants, but if there are circumstances where data needs to be restricted due to the inability to protect confidentiality, this should be fully addressed in the data management and sharing plan. This section addresses various aspects of data privacy and security including data that originates from human subjects or specimens.

When sharing data, there are additional issues that might arise regarding appropriate use of those data. This section provides information about how to obtain the relevant legal agreements involved when compliance with data use restrictions is required for a project.

De-Identification of Specimens and Data

De-identification generally refers to the removal of 18 identifiers as listed in HIPAA regulation 45 CFR 164.514(b). However, de-identification also means that, in addition to the removal of these identifiers, the risk of re-identification, including through methods that use publicly available data, is very small. Even without the 18 identifiers, individual-level genomics data could potentially identify an individual. Therefore, de-identification of genomics data also relies heavily on additional methods of privacy and security, such as adherence to strong data use limitations and practices, and strict security policy. This section covers more specific approaches to de-identifying specimens and datasets for translational genomics studies.

Data Sharing and Public Repository Deposition

Data sharing in the realm of genomics and large-scale datasets has highlighted some specific new challenges and possibilities. The sharing of large-scale research data has the potential to strengthen academic medical research, the practice of medicine, and the integrity of the clinical trial system. Some benefits are obvious: when researchers have access to complete data, they can answer new questions, explore different lines of analysis, and more efficiently conduct large-scale analyses across trials or projects. However, our evolving collective understanding of data sharing practices for large-scale datasets can tend to result in an unnecessary burden on the research and the researchers, one that is counterproductive and may not necessarily make the patient or researcher any safer. This section can help guide decision making and actions to share and manage research data successfully, allowing for the most productivity and facilitation of the original research itself while balancing the data privacy and security needs of those involved.
