Proposed Revisions to the Common Rule for the Protection of Human Subjects in the Behavioral and Social Sciences (2014) / Chapter Skim
Currently Skimming:
5 Informational Risk in the Social and Behavioral Sciences
5 Informational Risk in the Social and Behavioral Sciences
Pages 109-134
The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.
Select key terms on the right to highlight them within pages of the chapter.
From page 109... ...
For most social and behavioral research, the primary risk is informational. Thus, this report devotes special attention to informational risk and the different forms of information used, harvested, or collected by investigators as they pertain to the Federal Regulations for the Protection of Human Subjects.
|
From page 110... ...
The new category would cover a large proportion of studies in the social and behavioral sciences in which the research procedures themselves involve informational risk, but where that risk is no more than minimal when appropriate data security and protection plans are in place. Chapter 2 dealt specifically with the definition and characteristics of excused research and with issues related to its registration.
|
From page 111... ...
. However, given rapid developments in data production, dissemination, and use, it would be timely and wise for revisions to the Common Rule to be accompanied by investment in some form of organizational or institutional entity dedicated to addressing new types of informational risk and mechanisms of risk reduction.
|
From page 112... ...
Data sharing, which is common in social and behavioral research and is becoming increasingly common in biomedical research, requires specific plans for managing informational risk. While changing circumstances can create new challenges for managing informational risk, the social and behavioral sciences bring decades of experience and built expertise for doing so effectively (Levine et al., 2011; National Research Council, 2003, 2007, 2010)
|
From page 113... ...
As noted earlier, the proposed introduction of an excused category aims to insulate research from overestimation of disclosure risk when risk is no more than minimal or may already be at or near a zero level. From a cost-benefit perspective on optimal regulation, current IRB practice overregulates informational risk.
|
From page 114... ...
Informational risk can be conceptualized as the probability of harm of storing, using, and reporting on research data, multiplied by the magnitude of the harm from unintended release. The measure of harm is not static: there is some evidence that norms associated with informational risk and informed consent are evolving.
|
From page 115... ...
Fortunately, the very same technological change that has led to increased potential for loss of confidentiality and other harms has also led to enormous advances in the tools available to protect confidentiality. For IRBs to meet the goal of enabling valuable social and behavioral research, a more flexible system must be developed that better measures and minimizes informational risk.
|
From page 116... ...
The ANPRM inquires if study subjects would be sufficiently protected from informational risks if investigators were required to adhere to a strict set of data security and information protection standards modeled on the Privacy Rule and Security Rule elements of HIPAA. The guidance offered by HIPAA is neither necessary nor sufficient for several reasons: the disconnect between the two rules, the failure to quantify risk, the failure to take into account the research value of data elements, and the focus on individual rather than group risk.
|
From page 117... ...
Failure to Quantify Risk, Failure to Account for Value of Research, and Failure to Consider Group versus Individual Risk The failure of the HIPAA Privacy Rule to protect social and behavioral research data stems from its approach. It states that data derived from participants can be studied in one of three ways.
|
From page 118... ...
The 18 enumerated features are common to medical records, which HIPAA was designed to regulate, but do not include other potentially identifying data elements that might be present in social and behavioral research data. Conversely, the presence of one or even several of the enumerated elements in isolation from the oth ers may not lead to any significant risk of re-identification in, for example, large population-based samples.
|
From page 119... ...
These can include • planning data protection with the concept of a portfolio approach considering safe people, safe projects, safe data, safe settings, and safe outputs; • utilizing a wide range of statistical methods to reduce risk of disclosure; • consulting resources and data protection models to help research ers and IRBs such as university research data management service groups, individual IT/protection experts, and specialized institu tions such as the ICPSR and NORC at the University of Chicago; • existing standards for data protection promulgated by the National Institute of Standards and Technology (NIST) ; and • developing a future national center to define and certify the levels of information risk of different types of studies and corresponding data protection plans to ensure risks are minimized.
|
From page 120... ...
An appropriate data protection plan outlines the mitigations for lowering the informational risk. It should outline both the physical and logical controls to be implemented -- not just in securing the data but also in ensuring that only authorized users can access them.
|
From page 121... ...
The program includes free database access to unrestricted data, which requires only a user name and password, while restricted-data access requires a legal agreement and proof of following the university-supplied data protection plan.10 These models, combined with the NIST standard for secure information transactions, could be used by the Office for Human Research Protections (OHRP) to illustrate an appropriate foundation for establishing data protection plans for social and behavioral research data.
|
From page 122... ...
. Recommendation 5.2: In light of rapid changes in data of scientific value and in technologies that can be harnessed to reduce or increase informational risk, HHS should consider developing an institutional or organizational entity such as a national center to define and certify the levels of information risk of different types of studies and correspond ing data protection plans to ensure risks are minimized.
|
From page 123... ...
• Work in collaboration with other elements of the Administrative Data Research Network. Another example is the Australian National Data Service (ANDS)
|
From page 124... ...
It could serve as a re source to support improvements in enhancing data protection and addressing informational risk under varying conditions. It could use its convening authority to bring together broad-based experts.
|
From page 125... ...
. Implicit in encouraging data sharing includes encouraging agencies, organizations, and institutions to make accessible administrative records consonant with confidentiality agreements (see, e.g., National Research Council, 2005, 2007)
|
From page 126... ...
information that could increase the likelihood of re-identification. High standards for deidentification and stringent data disclosure tests may reduce informational risk, though certain variables may need to be excluded from public-use data files.
|
From page 127... ...
Addition of new public data in a research activity should be registered but does not require additional review. Combining multiple types of restricted-use data may significantly increase informational risk and so requires approval of the data provider and registration of a new data protection plan.
|
From page 128... ...
Finally, the committee concludes that, in the rapidly changing environment of information and information technology, an ongoing research program is needed to ensure that regulation of informational risk is adequate and appropriate. The following research recommendation is consistent with that of several important NRC reports released over the past 10 years.
|
From page 129... ...
We discuss below issues related to protecting qualitative data and approaches for ensuring that private information acquired is secure. Protection for Primary Data As part of their professional ethics in protecting research participants, fieldworkers and other qualitative researchers are trained to keep their notes and recordings secure.
|
From page 130... ...
This loss is particularly meaningful for qualitative data, which are inherently more personal, in-depth, and developmental. Even when respondent data appear to be anonymized, in some qualitative studies confidentiality may not be achievable because of very small numbers of participants and distinctive community circumstances inextricable from the central research questions.
|
From page 131... ...
The ICPSR website also refers to an archive in the United Kingdom that is specifically dedicated to archiving qualitative data and works with social scientists in developing protection methods that fit these challenging data (Corti et al., 2000)
|
From page 132... ...
. Social and Behavioral Sciences White Paper on Advanced Notice of Proposed Rulemaking (ANPRM)
|
From page 133... ...
: Practical, legal, and ethical issues in archiving qualitative research data. Sociology, 38(1)
|
Key Terms
This material may be derived from roughly machine-read images, and so is provided only to facilitate research.
More
information on Chapter Skim is available.