
Currently Skimming:

3 Protecting Privacy and Confidentiality: Sharing Digital Representations of Biological and Social Data
Pages 41-54

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 41...
... , there is an inherent conflict between confidentiality and data access: the obligation to protect confidentiality pushes data disseminators to restrict access, whereas researchers' demands push them to share highly detailed data. Balancing these conflicting demands can be complicated, especially for large surveys that combine biological and social data.
From page 42...
... Broadly speaking, confidentiality risks are of two types: identification disclosure risk and attribute disclosure risk. Identification disclosure occurs when an intruder learns that information on a targeted individual is in a particular shared file; if this happens, it may be possible for the intruder to determine which of the records in the file belongs to the targeted individual by examining the demographic or other variables.
From page 43...
... What is important in the context of this report is that disclosure risk increases as more variables are added, and the risk of identification disclosure is greater with combined data than with any single type of data. Suppose, for example, that an individual is nearly identifiable from a combination of demographic variables that are publicly available; this would be the case, for instance, if only a small number of people matched those particular characteristics.
From page 44...
... Finally, while much of the research on identifiability has involved genomic data, similar risks can be expected for other highly detailed and high-dimensional data, such as proteomic and metabolomic data. Given ongoing rapid technology advances and the likelihood that electronic health records will become commonplace in the next few years, it is possible that these data will be available to intruders in the near future.
APPROACHES TO SHARING BIOLOGICAL AND SOCIAL DATA
The literature on data sharing describes two broad approaches to protecting the confidentiality of individuals whose records appear in data collections: restricting access and restricting data.
From page 45...
... virtual data enclaves.
Licensing
To obtain data with little or no redaction other than removal of direct identifiers such as names and addresses or geocodes, researchers sign a licensing agreement not to use the data for malicious purposes, such as identifying individuals and subsequently taking injurious actions based on those identifications.
From page 46...
... In one effort to contribute to solving problems with licensing, the NIH-sponsored Data Sharing for Demographic Research Project at the Inter-university Consortium for Political and Social Research (ICPSR) published guidance for developing and implementing a restricted-use data contract or license (see http://www.icpsr.umich.edu/DSDR/rduc/ [accessed May 27, 2010]
From page 47...
... Virtual data enclaves thus allow researchers to access the data without traveling to a secure data enclave. They also avoid some of the disclosure risks posed by licensing researchers to store data on their own machines, such as the accidental loss of CD-ROMs or sharing of data with unapproved investigators or students.
From page 48...
... Of the restricted access strategies, remote execution systems and data enclaves offer the highest level of protection, but they also impose the greatest limitations on the utility of the data: the former because the types of analyses that can be performed are significantly limited, and the latter because researchers bear a heavy burden in having to travel to the enclave, pay substantial fees, and undergo background checks and proposal approvals. Licensing and virtual data enclaves impose fewer limitations, but the protection they provide depends on researchers abiding by the terms of the license or data use agreement.
From page 49...
... To avoid this disadvantage, the HRS began a virtual data enclave program, through which researchers can access data on the HRS server remotely from their own institutions.
From page 50...
... Placing the SardiNIA data into dbGaP would require approval from the IRB overseeing the study. In their original informed consent forms, the investigators had make the decision during the process of planning for the study and to ensure that consent forms contain the necessary detail to enable the strategy's implementation.
From page 51...
... To archive the InCHIANTI data would require obtaining new consent forms from the participants that specifically allowed for placing the data in a public archive. In the case of participants who had since died, it would be possible to place some of their data in an archive because of the wording of the original consent form, but none of their genetic data could be included.
From page 52...
... Moreover, both rules may be interpreted differently depending on the kind of research in question -- for example, direct human subjects research versus research using leftover biospecimens in a biorepository or biodata stored in a biobank. Generally speaking, biorepositories and biobanks are not considered covered entities under the HIPAA Privacy Rule unless their contents were obtained in research requested and approved by a covered health provider.
From page 53...
... Second, neither the Common Rule nor the HIPAA Privacy Rule will protect an individual's privacy and identity in the case of a court-ordered subpoena requesting personal information, but that level of protection can be provided by a federal Certificate of Confidentiality.
Genetic Discrimination
On March 21, 2008, after 13 years of debate, Congress passed and President Bush signed into law the Genetic Information Nondiscrimination Act.
From page 54...
... To this end, a number of questions need to be answered: What sort of enforcement scheme should be used? Should digital representations of biological data be turned over to an archive such as the Inter-university Consortium for Political and Social Research?


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.